Skip to content
This repository was archived by the owner on Jun 4, 2024. It is now read-only.

Update access plugins image to latest base distroless image#915

Closed
MattiasAng wants to merge 1 commit intogravitational:masterfrom
MattiasAng:patch-1
Closed

Update access plugins image to latest base distroless image#915
MattiasAng wants to merge 1 commit intogravitational:masterfrom
MattiasAng:patch-1

Conversation

@MattiasAng
Copy link
Copy Markdown

@MattiasAng MattiasAng commented Sep 15, 2023
edited
Loading

The current image contains several critical vulnerabilities for OpenSSL, libc and libssl.

Trivy output on current image:

public.ecr.aws/gravitational/teleport-plugin-slack:13.3.8 (debian 11.2)

Total: 48 (UNKNOWN: 0, LOW: 12, MEDIUM: 18, HIGH: 11, CRITICAL: 7)

┌───────────┬──────────────────┬──────────┬───────────────────┬──────────────────┬──────────────────────────────────────────────────────────────┐
│  Library  │  Vulnerability   │ Severity │ Installed Version │  Fixed Version   │                            Title                             │
├───────────┼──────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2021-33574   │ CRITICAL │ 2.31-13+deb11u2   │ 2.31-13+deb11u3  │ mq_notify does not handle separately allocated thread        │
│           │                  │          │                   │                  │ attributes                                                   │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-33574                   │
│           ├──────────────────┤          │                   │                  ├──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-23218   │          │                   │                  │ glibc: Stack-based buffer overflow in svcunix_create via     │
│           │                  │          │                   │                  │ long pathnames                                               │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-23218                   │
│           ├──────────────────┤          │                   │                  ├──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-23219   │          │                   │                  │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│           │                  │          │                   │                  │ a long pathname                                              │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-23219                   │
│           ├──────────────────┼──────────┤                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2021-3999    │ HIGH     │                   │ 2.31-13+deb11u4  │ Off-by-one buffer overflow/underflow in getcwd()             │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-3999                    │
│           ├──────────────────┼──────────┤                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-4806    │ MEDIUM   │                   │                  │ potential use-after-free in getaddrinfo()                    │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-4806                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-4813    │          │                   │                  │ potential use-after-free in gaih_inet()                      │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-4813                    │
│           ├──────────────────┼──────────┤                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2010-4756    │ LOW      │                   │                  │ glibc: glob implementation can cause excessive CPU and       │
│           │                  │          │                   │                  │ memory consumption due to...                                 │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2010-4756                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2018-20796   │          │                   │                  │ glibc: uncontrolled recursion in function                    │
│           │                  │          │                   │                  │ check_dst_limits_calc_pos_1 in posix/regexec.c               │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2018-20796                   │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2019-1010022 │          │                   │                  │ glibc: stack guard protection bypass                         │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2019-1010022                 │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2019-1010023 │          │                   │                  │ glibc: running ldd on malicious ELF leads to code execution  │
│           │                  │          │                   │                  │ because of...                                                │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2019-1010023                 │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2019-1010024 │          │                   │                  │ glibc: ASLR bypass using cache of thread stack and heap      │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2019-1010024                 │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2019-1010025 │          │                   │                  │ glibc: information disclosure of heap addresses of           │
│           │                  │          │                   │                  │ pthread_created thread                                       │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2019-1010025                 │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2019-9192    │          │                   │                  │ glibc: uncontrolled recursion in function                    │
│           │                  │          │                   │                  │ check_dst_limits_calc_pos_1 in posix/regexec.c               │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2019-9192                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2021-43396   │          │                   │ 2.31-13+deb11u3  │ glibc: conversion from ISO-2022-JP-3 with iconv may emit     │
│           │                  │          │                   │                  │ spurious NUL character on...                                 │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-43396                   │
├───────────┼──────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2022-1292    │ CRITICAL │ 1.1.1k-1+deb11u1  │ 1.1.1n-0+deb11u2 │ c_rehash script allows command injection                     │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-1292                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-2068    │          │                   │ 1.1.1n-0+deb11u3 │ the c_rehash script allows command injection                 │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-2068                    │
│           ├──────────────────┼──────────┤                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-0778    │ HIGH     │                   │ 1.1.1k-1+deb11u2 │ Infinite loop in BN_mod_sqrt() reachable when parsing        │
│           │                  │          │                   │                  │ certificates                                                 │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-0778                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-4450    │          │                   │ 1.1.1n-0+deb11u4 │ double free after calling PEM_read_bio_ex                    │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-4450                    │
│           ├──────────────────┤          │                   │                  ├──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-0215    │          │                   │                  │ use-after-free following BIO_new_NDEF                        │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0215                    │
│           ├──────────────────┤          │                   │                  ├──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-0286    │          │                   │                  │ X.400 address type confusion in X.509 GeneralName            │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0286                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-0464    │          │                   │ 1.1.1n-0+deb11u5 │ Denial of service by excessive resource usage in verifying   │
│           │                  │          │                   │                  │ X509 policy constraints...                                   │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0464                    │
│           ├──────────────────┼──────────┤                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2021-4160    │ MEDIUM   │                   │ 1.1.1k-1+deb11u2 │ openssl: Carry propagation bug in the MIPS32 and MIPS64      │
│           │                  │          │                   │                  │ squaring procedure                                           │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-4160                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-2097    │          │                   │ 1.1.1n-0+deb11u4 │ AES OCB fails to encrypt some bytes                          │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-2097                    │
│           ├──────────────────┤          │                   │                  ├──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-4304    │          │                   │                  │ timing attack in RSA Decryption implementation               │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-4304                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-0465    │          │                   │ 1.1.1n-0+deb11u5 │ Invalid certificate policies in leaf certificates are        │
│           │                  │          │                   │                  │ silently ignored                                             │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0465                    │
│           ├──────────────────┤          │                   │                  ├──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-0466    │          │                   │                  │ Certificate policy check not enabled                         │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0466                    │
│           ├──────────────────┤          │                   │                  ├──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-2650    │          │                   │                  │ Possible DoS translating ASN.1 object identifiers            │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-2650                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-3446    │          │                   │                  │ Excessive time spent checking DH keys and parameters         │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3446                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-3817    │          │                   │                  │ Excessive time spent checking DH q parameter value           │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3817                    │
│           ├──────────────────┼──────────┤                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2007-6755    │ LOW      │                   │                  │ Dual_EC_DRBG: weak pseudo random number generator            │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2007-6755                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2010-0928    │          │                   │                  │ openssl: RSA authentication weakness                         │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2010-0928                    │
├───────────┼──────────────────┼──────────┤                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│ openssl   │ CVE-2022-1292    │ CRITICAL │                   │ 1.1.1n-0+deb11u2 │ c_rehash script allows command injection                     │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-1292                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-2068    │          │                   │ 1.1.1n-0+deb11u3 │ the c_rehash script allows command injection                 │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-2068                    │
│           ├──────────────────┼──────────┤                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-0778    │ HIGH     │                   │ 1.1.1k-1+deb11u2 │ Infinite loop in BN_mod_sqrt() reachable when parsing        │
│           │                  │          │                   │                  │ certificates                                                 │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-0778                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-4450    │          │                   │ 1.1.1n-0+deb11u4 │ double free after calling PEM_read_bio_ex                    │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-4450                    │
│           ├──────────────────┤          │                   │                  ├──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-0215    │          │                   │                  │ use-after-free following BIO_new_NDEF                        │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0215                    │
│           ├──────────────────┤          │                   │                  ├──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-0286    │          │                   │                  │ X.400 address type confusion in X.509 GeneralName            │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0286                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-0464    │          │                   │ 1.1.1n-0+deb11u5 │ Denial of service by excessive resource usage in verifying   │
│           │                  │          │                   │                  │ X509 policy constraints...                                   │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0464                    │
│           ├──────────────────┼──────────┤                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2021-4160    │ MEDIUM   │                   │ 1.1.1k-1+deb11u2 │ openssl: Carry propagation bug in the MIPS32 and MIPS64      │
│           │                  │          │                   │                  │ squaring procedure                                           │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-4160                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-2097    │          │                   │ 1.1.1n-0+deb11u4 │ AES OCB fails to encrypt some bytes                          │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-2097                    │
│           ├──────────────────┤          │                   │                  ├──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-4304    │          │                   │                  │ timing attack in RSA Decryption implementation               │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-4304                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-0465    │          │                   │ 1.1.1n-0+deb11u5 │ Invalid certificate policies in leaf certificates are        │
│           │                  │          │                   │                  │ silently ignored                                             │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0465                    │
│           ├──────────────────┤          │                   │                  ├──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-0466    │          │                   │                  │ Certificate policy check not enabled                         │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0466                    │
│           ├──────────────────┤          │                   │                  ├──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-2650    │          │                   │                  │ Possible DoS translating ASN.1 object identifiers            │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-2650                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-3446    │          │                   │                  │ Excessive time spent checking DH keys and parameters         │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3446                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2023-3817    │          │                   │                  │ Excessive time spent checking DH q parameter value           │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3817                    │
│           ├──────────────────┼──────────┤                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2007-6755    │ LOW      │                   │                  │ Dual_EC_DRBG: weak pseudo random number generator            │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2007-6755                    │
│           ├──────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2010-0928    │          │                   │                  │ openssl: RSA authentication weakness                         │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2010-0928                    │
└───────────┴──────────────────┴──────────┴───────────────────┴──────────────────┴──────────────────────────────────────────────────────────────┘

@MattiasAng
Update to latest base distroless image
64a3730 
The current image contains several critical vulnerabilities for OpenSSL, libc and libssl
@MattiasAng MattiasAng changed the title Update to latest base distroless image Update access plugins image to latest base distroless image Sep 15, 2023
@marcoandredinis marcoandredinis mentioned this pull request Sep 25, 2023
Closed
@marcoandredinis
Copy link
Copy Markdown
Contributor

marcoandredinis commented Sep 25, 2023

We can't run PR checks against external contributors.
I've create a buddy PR here with your change #924
It also updates another docker image we use.

Thank you for your contribution 🙏

@MattiasAng MattiasAng deleted the patch-1 branch September 25, 2023 08:53
reedloden added a commit that referenced this pull request Sep 25, 2023
@reedloden
Update base docker images to use Debian 12 distroless base image
6d64f30 
Instead of chasing ever-changing commit hashes, just use the apppropriate
tag for the distroless image. This aligns things to how `teleport` is handled.

Additionally, standardize on Debian 12 for everything (instead of a mix of 11 and 12).

Alternative to #924 and #915.
@reedloden reedloden mentioned this pull request Sep 25, 2023
Merged
@reedloden reedloden added the security Security Issues label Sep 25, 2023
reedloden added a commit that referenced this pull request Sep 26, 2023
@reedloden
Update base docker images to use Debian 12 distroless base image
edc30fd 
Instead of chasing ever-changing commit hashes, just use the apppropriate
tag for the distroless image. This aligns things to how `teleport` is handled.

Additionally, standardize on Debian 12 for everything (instead of a mix of 11 and 12).

Alternative to #924 and #915.
reedloden added a commit that referenced this pull request Sep 26, 2023
@reedloden
Update base docker images to use Debian 12 distroless base image
b02a444 
Instead of chasing ever-changing commit hashes, just use the apppropriate
tag for the distroless image. This aligns things to how `teleport` is handled.

Additionally, standardize on Debian 12 for everything (instead of a mix of 11 and 12).

Alternative to #924 and #915.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@klizhentas klizhentas Awaiting requested review from klizhentas klizhentas is a code owner

@russjones russjones Awaiting requested review from russjones russjones is a code owner

@r0mant r0mant Awaiting requested review from r0mant r0mant is a code owner

@Joerger Joerger Awaiting requested review from Joerger Joerger is a code owner

@tcsc tcsc Awaiting requested review from tcsc tcsc is a code owner

@zmb3 zmb3 Awaiting requested review from zmb3 zmb3 is a code owner

@camscale camscale Awaiting requested review from camscale camscale is a code owner

@fheinecke fheinecke Awaiting requested review from fheinecke fheinecke is a code owner

Assignees

No one assigned

Labels

security Security Issues

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MattiasAng @marcoandredinis @reedloden