
bitnami/minio security scan flags runc (gosu) 1.1.0 CVE-2022-29162 #26818

Status: Closed
ed-randall-blk opened this issue Mar 9, 2023 · 3 comments
Labels: minio, solved, tech-issues (The user has a technical issue about an application), triage (Triage is needed)

Comments

@ed-randall-blk commented Mar 9, 2023

Name and Version

bitnami/minio:2023.2.27-debian-11-r3

What architecture are you using?

amd64

What steps will reproduce the bug?

aquasec scan bitnami/minio:2023.2.27-debian-11-r3

Scanned Image: bitnami/minio:2023.2.27-debian-11-r3, debian 11 (21 seconds)
Test Status: Image is non-compliant (failed on CI/CD pipeline)
==============================================================
Total: 2 (CRITICAL: 0, HIGH: 1, MEDIUM: 1, LOW: 0, NEGLIGIBLE: 12, SENSITIVE: 0, MALWARE: 0)

+--------------------------------+----------------+----------+-------------------+---------------+
|            RESOURCE            | VULNERABILITY  | SEVERITY | INSTALLED VERSION | FIXED VERSION |
+--------------------------------+----------------+----------+-------------------+---------------+
| github.com/opencontainers/runc | CVE-2022-29162 | HIGH     | 1.1.0             | 1.1.2         |
+                                +----------------+----------+                   +---------------+
|                                | CVE-2020-15228 | MEDIUM   |                   |               |
+--------------------------------+----------------+----------+-------------------+---------------+

Resource: github.com/opencontainers/runc
File: /opt/bitnami/common/bin/gosu

What is the expected behavior?

Image should not contain any CVEs classified CRITICAL or HIGH

What do you see instead?

runc 1.1.0 CVE-2022-29162

Additional information

No response

@ed-randall-blk ed-randall-blk added the tech-issues The user has a technical issue about an application label Mar 9, 2023
@github-actions github-actions bot added the triage Triage is needed label Mar 9, 2023
@ed-randall-blk ed-randall-blk changed the title from "bitnami/minio security scan flags gosu 1.1.0 CVE-2022-29162" to "bitnami/minio security scan flags runc 1.1.0 CVE-2022-29162" Mar 9, 2023
@carrodher (Member) commented:

Hi, unfortunately, those security vulnerabilities are not fixed by the OS or the application itself, so although we build the images on a regular basis to provide the latest version of system packages, this kind of CVE will be reported while there is no new version patching the issue in the OS or the application. Here you can find more info about this topic.

The Bitnami Application Catalog (OpenSource) is based on Debian 11 but Bitnami, as part of VMware, provides a custom container and Helm Charts catalog based on the desired base image (generic distro such as Debian 10 & 11, CentOS 7, PhotonOS 3 & 4, Ubuntu 18.04, 20.04 & 22.04, RedHat UBI 8 & 9, or custom golden image) through the VMware Tanzu Application Catalog.

In this case, the one you are reporting is related to gosu. We are already including the latest version of Gosu, which bundles runc 1.1.0, see https://github.com/tianon/gosu/releases/tag/1.16. You can ask the Gosu maintainers to bump the runc version.

However, according to this issue, CVE-2022-29162 doesn't affect gosu, and that's the reason why they are not bumping the runc version. In the mentioned issue you can find a detailed explanation about this topic.

@ed-randall-blk ed-randall-blk changed the title from "bitnami/minio security scan flags runc 1.1.0 CVE-2022-29162" to "bitnami/minio security scan flags runc (gosu) 1.1.0 CVE-2022-29162" Mar 10, 2023

@ed-randall-blk (Author) commented:

Thanks for the explanation, that's fine.

@carrodher (Member) commented:

Hi, we are glad to announce that we got rid of gosu in all Bitnami container images, so the false positives previously reported by some CVE scanners will not appear anymore:

$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r22

bitnami/postgresql:15.2.0-debian-11-r22 (debian 11.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

opt/bitnami/common/bin/gosu (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2022-29162 │ HIGH     │ v1.1.0            │ v1.1.2        │ runc: incorrect handling of inheritable capabilities       │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29162                 │
│                                ├────────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-27561 │          │                   │ v1.1.5        │ runc: volume mount race condition (regression of           │
│                                │                │          │                   │               │ CVE-2019-19921)                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-27561                 │
│                                ├────────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-24769 │ MEDIUM   │                   │ v1.1.2        │ moby: Default inheritable capabilities for linux container │
│                                │                │          │                   │               │ should be empty                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24769                 │
└────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

VS

$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r23

bitnami/postgresql:15.2.0-debian-11-r23 (debian 11.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

From now on, gosu's functionality is replaced by chroot. In this PR you can find an example of this implementation.
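The comparison above is what a scan-triage step has to reproduce on its own: tell OS-package findings apart from findings in a library vendored into a Go binary (the gosu case), and diff one image revision against the next. The following Python script is an added example, not code from Bitnami or from this issue; the two JSON reports are constructed to mirror the r22/r23 scans quoted above, and the field names (Results[].Target/Class/Type/Vulnerabilities[]) assume Trivy's JSON report layout, so check them against the Trivy version you run.

```python
"""Triage two Trivy JSON reports: split findings by where they live (OS
packages vs. libraries vendored into a binary) and diff one image revision
against the next.  Added example; REPORT_R22/REPORT_R23 are constructed to
mirror the scans in this issue, and the field names assume Trivy's JSON
report layout (Results[].Target/Class/Type/Vulnerabilities[])."""
import json
from collections import Counter, defaultdict

# Constructed stand-in for `trivy image -f json bitnami/postgresql:15.2.0-debian-11-r22`:
# nothing in the Debian packages, three runc CVEs inside the gosu Go binary.
REPORT_R22 = json.dumps({
    "ArtifactName": "bitnami/postgresql:15.2.0-debian-11-r22",
    "Results": [
        {"Target": "bitnami/postgresql:15.2.0-debian-11-r22 (debian 11.6)",
         "Class": "os-pkgs", "Type": "debian", "Vulnerabilities": []},
        {"Target": "opt/bitnami/common/bin/gosu", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-29162", "PkgName": "github.com/opencontainers/runc",
              "InstalledVersion": "v1.1.0", "FixedVersion": "v1.1.2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2023-27561", "PkgName": "github.com/opencontainers/runc",
              "InstalledVersion": "v1.1.0", "FixedVersion": "v1.1.5", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2022-24769", "PkgName": "github.com/opencontainers/runc",
              "InstalledVersion": "v1.1.0", "FixedVersion": "v1.1.2", "Severity": "MEDIUM"},
         ]},
    ],
})

# Constructed stand-in for the r23 scan, after gosu was removed from the image.
REPORT_R23 = json.dumps({
    "ArtifactName": "bitnami/postgresql:15.2.0-debian-11-r23",
    "Results": [
        {"Target": "bitnami/postgresql:15.2.0-debian-11-r23 (debian 11.6)",
         "Class": "os-pkgs", "Type": "debian", "Vulnerabilities": []},
    ],
})


def findings(report_json):
    """Flatten a Trivy report into one dict per (CVE, target) finding."""
    out = []
    for result in json.loads(report_json).get("Results", []):
        # A clean target may carry an empty list or null under "Vulnerabilities".
        for v in result.get("Vulnerabilities") or []:
            out.append({
                "cve": v["VulnerabilityID"],
                "package": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN"),
                "target": result["Target"],
                "class": result.get("Class", ""),
                "type": result.get("Type", ""),
            })
    return out


def summarize(report_json):
    """Severity counts per result class, e.g. {"lang-pkgs": {"HIGH": 2, "MEDIUM": 1}}.
    Classes with no findings are left out, so a clean image summarizes to {}."""
    counts = defaultdict(Counter)
    for f in findings(report_json):
        counts[f["class"]][f["severity"]] += 1
    return {cls: dict(c) for cls, c in counts.items()}


def vendored_findings(report_json):
    """Findings that come from a library statically linked into a binary
    (Trivy type "gobinary"), not from an OS package.  These are the ones to
    verify by hand: the binary may never reach the vulnerable code, which is
    the argument made for gosu and CVE-2022-29162 in this issue."""
    return [f for f in findings(report_json) if f["type"] == "gobinary"]


def diff_findings(before_json, after_json):
    """Findings present in `before` and absent from `after`, keyed by (CVE, target)."""
    after_keys = {(f["cve"], f["target"]) for f in findings(after_json)}
    return [f for f in findings(before_json) if (f["cve"], f["target"]) not in after_keys]


def triage_lines(report_json):
    """Human-readable triage list: what to patch vs. what to verify."""
    lines = []
    for f in findings(report_json):
        if f["type"] == "gobinary":
            action = "verify: vendored in binary %s, check whether the affected code path is used" % f["target"]
        else:
            action = "patch: OS package"
        lines.append("%s %s %s (%s -> %s) %s" % (
            f["severity"], f["cve"], f["package"], f["installed"], f["fixed"] or "no fix", action))
    return lines


if __name__ == "__main__":
    print("r22:", summarize(REPORT_R22))
    for line in triage_lines(REPORT_R22):
        print("  ", line)
    print("r23:", summarize(REPORT_R23))
    print("resolved by r23:", [f["cve"] for f in diff_findings(REPORT_R22, REPORT_R23)])
```

Run it against real output with `trivy image -f json <image> > report.json` and feed the file contents to the same functions. The split matters for the decision in this thread: an OS-package finding is fixed by rebuilding on newer packages, while a finding inside a Go binary only goes away by rebuilding that binary with a newer dependency, removing the binary (what Bitnami did), or documenting why the vulnerable code path is unreachable.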


3 participants