Comments (8)
Released 3.17.0 and 4.1.0 containing this fix earlier today.
from sumologic-kubernetes-collection.
List of vulnerabilities:

| Component | Version | Vulnerability | Severity |
|---|---|---|---|
| curl | 7.88.1-r1 | CVE-2023-38545 | critical |
| libwebp | 1.2.4-r1 | CVE-2023-4863 | high |
| nghttp2 | 1.51.0-r0 | CVE-2023-44487 | high |
| libx11 | 1.8.4-r0 | CVE-2023-43787 | high |
| curl | 7.88.1-r1 | CVE-2023-38039 | high |
| nghttp2 | 1.51.0-r0 | CVE-2023-35945 | high |
| libx11 | 1.8.4-r0 | CVE-2023-3138 | high |
| ncurses | 6.3_p20221119-r0 | CVE-2023-29491 | high |
| curl | 7.88.1-r1 | CVE-2023-28319 | high |
| libwebp | 1.2.4-r1 | CVE-2023-1999 | high |
from sumologic-kubernetes-collection.
Hi Rajendra, thanks for creating the issue.
Are you sure the scan was performed correctly? For Helm Chart v3.16.2
we already use nginx-privileged:1.25.2-alpine
as can be seen here:
sumologic-kubernetes-collection/deploy/helm/sumologic/values.yaml
Lines 614 to 617 in 6bf9b71
from sumologic-kubernetes-collection.
I can corroborate what Rajendra is saying but also add some details as the problem is also in the updated 1.25.2 version.
It seems that public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine also has the newer CVE-2023-4863 / libwebp issue.
A Prisma scan shows this:
Image: public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine
ID: sha256:d4de341be3aae88defd0b484928d44ecc5044cbd0295f31086ca885f60ab88d3
OS distribution: Alpine Linux v3.18
OS release: 3.18.3
Digest: sha256:af39a3d5091b93b8afc3420fdc35787d560578486790c1844767374d278014f1
Start time: Oct 31, 2023 1:16:27 AM (2 days ago)

| Type | Highest severity | Description |
|---|---|---|
| OS | critical | curl (used in libcurl, curl) version 8.2.1-r0 has 2 vulnerabilities |
| OS | high | nghttp2 (used in nghttp2-libs) version 1.55.1-r0 has 1 vulnerability |
| OS | high | libx11 version 1.8.4-r4 has 1 vulnerability |
| OS | high | libwebp version 1.3.1-r0 has 1 vulnerability |
I also just did a trivy scan.
public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine (alpine 3.18.3)
Total: 7 (HIGH: 5, CRITICAL: 2)
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| curl | CVE-2023-38545 | CRITICAL | 8.2.1-r0 | 8.4.0-r0 | heap based buffer overflow in the SOCKS5 proxy |
| curl | CVE-2023-38039 | HIGH | 8.2.1-r0 | 8.3.0-r0 | out of heap memory issue due to missing limit on header |
| libcurl | CVE-2023-38545 | CRITICAL | 8.2.1-r0 | 8.4.0-r0 | heap based buffer overflow in the SOCKS5 proxy |
| libcurl | CVE-2023-38039 | HIGH | 8.2.1-r0 | 8.3.0-r0 | out of heap memory issue due to missing limit on header |
| libwebp | CVE-2023-4863 | HIGH | 1.3.1-r0 | 1.3.1-r1 | Heap buffer overflow in WebP Codec |
| libx11 | CVE-2023-43787 | HIGH | 1.8.4-r4 | 1.8.7-r0 | integer overflow in XCreateImage() leading to a heap |
| nghttp2-libs | CVE-2023-44487 | HIGH | 1.55.1-r0 | 1.57.0-r0 | Multiple HTTP/2 enabled web servers are vulnerable to a DDoS |
I don't have an AWS ECR scan handy yet.
from sumologic-kubernetes-collection.
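The two scans above count findings per package, which is why trivy reports a total of 7 while only five distinct CVEs are involved (curl and libcurl come from the same Alpine source package). The following is an added example, not code from the sumologic-kubernetes-collection project or from anyone in this thread, of a small promotion gate over a trivy JSON report. It assumes the field layout that `trivy image --format json` produces (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `Title`); `SAMPLE_REPORT` is constructed here to mirror the trivy table quoted above and is not a captured scan. The gate's policy is illustrative: a finding for which the distro already ships a fixed package always blocks, while one with no fix yet can be carried on a documented exception list.

```python
"""Policy gate over a trivy JSON report (added example, not project code)."""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _vuln(cve, pkg, installed, fixed, severity, title):
    return {"VulnerabilityID": cve, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": severity, "Title": title}


# Constructed sample mirroring the trivy table for 1.25.2-alpine (alpine 3.18.3).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine",
    "Results": [{
        "Target": "public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine (alpine 3.18.3)",
        "Class": "os-pkgs",
        "Type": "alpine",
        "Vulnerabilities": [
            _vuln("CVE-2023-38545", "curl", "8.2.1-r0", "8.4.0-r0", "CRITICAL",
                  "heap based buffer overflow in the SOCKS5 proxy"),
            _vuln("CVE-2023-38039", "curl", "8.2.1-r0", "8.3.0-r0", "HIGH",
                  "out of heap memory issue due to missing limit on header"),
            _vuln("CVE-2023-38545", "libcurl", "8.2.1-r0", "8.4.0-r0", "CRITICAL",
                  "heap based buffer overflow in the SOCKS5 proxy"),
            _vuln("CVE-2023-38039", "libcurl", "8.2.1-r0", "8.3.0-r0", "HIGH",
                  "out of heap memory issue due to missing limit on header"),
            _vuln("CVE-2023-4863", "libwebp", "1.3.1-r0", "1.3.1-r1", "HIGH",
                  "Heap buffer overflow in WebP Codec"),
            _vuln("CVE-2023-43787", "libx11", "1.8.4-r4", "1.8.7-r0", "HIGH",
                  "integer overflow in XCreateImage() leading to a heap"),
            _vuln("CVE-2023-44487", "nghttp2-libs", "1.55.1-r0", "1.57.0-r0", "HIGH",
                  "Multiple HTTP/2 enabled web servers are vulnerable to a DDoS"),
        ],
    }],
})


def load_findings(report_json):
    """Flatten the report into one record per (package, CVE) pair."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                # Empty when the distro has not published a fixed package yet.
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "title": v.get("Title", ""),
            })
    return findings


def summarize(findings):
    """Group by CVE: trivy counts curl and libcurl separately although both are
    built from one Alpine source package, so per-package totals overstate the
    number of distinct issues a base-image bump has to close."""
    by_cve = {}
    for f in findings:
        entry = by_cve.setdefault(
            f["id"], {"severity": f["severity"], "fixed": f["fixed"], "packages": []})
        if f["pkg"] not in entry["packages"]:
            entry["packages"].append(f["pkg"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
    for entry in by_cve.values():
        entry["packages"].sort()
    return by_cve


def gate(findings, fail_on=("CRITICAL", "HIGH"), accepted=frozenset()):
    """Return (ok, sorted blocking CVE ids).

    Illustrative policy: at or above the threshold, a finding for which the
    distro already ships a fixed package always blocks (rebuilding on a newer
    base closes it); one with no fix available blocks unless its CVE id is on
    the documented exception list `accepted`."""
    threshold = min(SEVERITY_RANK[s.upper()] for s in fail_on)
    blocking = set()
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue
        if f["fixed"] or f["id"] not in accepted:
            blocking.add(f["id"])
    return (not blocking, sorted(blocking))


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    for cve, entry in sorted(summarize(found).items()):
        print(f"{cve:16} {entry['severity']:8} fix={(entry['fixed'] or '-'):10} "
              f"{', '.join(entry['packages'])}")
    ok, blocking = gate(found)
    print("gate:", "PASS" if ok else "FAIL " + " ".join(blocking))
```

Run it against a real report with `trivy image --format json -o report.json <image>` and feed the file contents to `load_findings`. Distinguishing fixable from unfixable findings is what makes the thread's question answerable: every CVE in the 1.25.2-alpine scan has a `Fixed Version`, so a rebuild on a newer Alpine 3.18 base is the fix, and none of them is a candidate for a risk-acceptance exception.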
It looks like the issues in Alpine were patched in https://alpinelinux.org/posts/Alpine-3.18.4-released.html
main/libwebp: upgrade to 1.3.2
jane400 (1):
main/libwebp: patch CVE-2023-4863
Thanks for looking into this!
from sumologic-kubernetes-collection.
Did some more digging.
It looks like the fixes for all but the latest CVE's are in public.ecr.aws/nginx/nginx-unprivileged:1.25-alpine3.18
public.ecr.aws/nginx/nginx-unprivileged:1.25-alpine3.18 (alpine 3.18.4)
Total: 1 (HIGH: 1, CRITICAL: 0)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| libx11 | CVE-2023-43787 | HIGH | 1.8.4-r4 | 1.8.7-r0 | integer overflow in XCreateImage() leading to a heap |
There are other fixes on the way, but they might be delayed:
Update mainline NGINX to 1.25.3 #167
nginxinc/docker-nginx-unprivileged#167
It looks like it might take a few days+ to work out the latest changes.
Might it be worthwhile to put in a PR for tag: 1.25-alpine3.18
to get the latest updates if 1.25.3 might be delayed?
from sumologic-kubernetes-collection.
Hey, thank you both for the detailed investigation! I think we should just upgrade to whatever is available, since we wanted to issue new releases this week anyway. Once nginx gets 1.25.3 out, we can upgrade to that one separately.
One somewhat annoying thing about the nginx-unprivileged repository is that most (all?) of the tags move. What I ended up doing is simply rehosting the current 1.25.2-alpine image as 1.25.2-alpine-sumo-1 to indicate the change. My scanner shows the same output as yours @lreed-mdsol for this image.
from sumologic-kubernetes-collection.
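Rehosting under a new tag is one answer to moving tags; the other is to pin by digest, so that a scan result stays attached to exactly the bytes that were scanned. The following is an added example, not code from the sumologic-kubernetes-collection project or from anyone in this thread, that parses an image reference and pins it. It follows the usual reference rule that the tag is whatever follows the last `:` after the last `/`, so a registry port is not mistaken for a tag. `MANIFEST_DIGEST` is the value labelled Digest in the Prisma output above; the example assumes, as Prisma's labels suggest, that this is the manifest digest the registry serves and not the value labelled ID, which is the hash of the image config and cannot be pulled as `name@sha256:...`.

```python
"""Pin an image reference to a manifest digest (added example, not project code)."""
import re
from dataclasses import dataclass
from typing import Optional

DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")
TAG = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")

# Value labelled "Digest" in the Prisma scan quoted in the thread (assumed to be
# the manifest digest, not the image ID labelled "ID" in the same output).
MANIFEST_DIGEST = "sha256:af39a3d5091b93b8afc3420fdc35787d560578486790c1844767374d278014f1"


@dataclass(frozen=True)
class Reference:
    name: str
    tag: Optional[str]
    digest: Optional[str]

    def __str__(self):
        out = self.name
        if self.tag:
            out += ":" + self.tag
        if self.digest:
            out += "@" + self.digest
        return out


def parse_reference(ref):
    """Split 'name[:tag][@digest]'. Raises ValueError on malformed input."""
    name_tag, _, digest = ref.partition("@")
    if digest and not DIGEST.match(digest):
        raise ValueError(f"bad digest: {digest!r}")
    colon = name_tag.rfind(":")
    # A ':' before the last '/' belongs to a registry port (localhost:5000/x),
    # only a ':' after it introduces a tag.
    if colon > name_tag.rfind("/"):
        name, tag = name_tag[:colon], name_tag[colon + 1:]
        if not TAG.match(tag):
            raise ValueError(f"bad tag: {tag!r}")
    else:
        name, tag = name_tag, None
    if not name or name.endswith("/"):
        raise ValueError(f"bad name: {name!r}")
    return Reference(name, tag, digest or None)


def is_pinned(ref):
    """True when the reference resolves by digest; a tag alone can be re-pointed."""
    return parse_reference(ref).digest is not None


def pin(ref, digest):
    """Keep the tag for readability but make the digest authoritative: when both
    are present, registries and the kubelet resolve by digest and ignore the tag."""
    if not DIGEST.match(digest):
        raise ValueError(f"bad digest: {digest!r}")
    r = parse_reference(ref)
    return str(Reference(r.name, r.tag, digest))


if __name__ == "__main__":
    mutable = "public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine"
    print(pin(mutable, MANIFEST_DIGEST))
```

The digest to pin is the one a registry reports for the manifest (for example what `docker buildx imagetools inspect <ref>` or `crane digest <ref>` prints); with that in the chart values, a later re-push of `1.25.2-alpine` changes nothing until someone deliberately bumps the digest, and the scan findings stay attributable to one immutable artifact.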
Thanks for your help on this!!!
Do you plan to release a new version of the Helm chart soon?
from sumologic-kubernetes-collection.