[bitnami/wordpress] opencontainers runc upgrade (CVE-2022-29162) #7419
Comments
Hi, thank you so much for creating the issue. There is something that I don't fully understand. If the issue is in
In general that is correct. But this vulnerability is seen when the image itself is scanned, not when it is running in a container. I hoped someone on this team would know how that may be possible. I also ran the image using docker and logged into the container to try and find a runc binary but couldn't locate it on the container. So, I wasn't sure how the scan was picking it up.
Which is the scanner you are using to see this vulnerability?
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
It is the Azure Cloud Defender service that scans our container registries where we deploy our images based on this image.
@tsands2 Could you add the CVE identifier to the issue description?
Hey @tsands2! CVE-2021-43784 comes from gosu, which we use here: containers/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh Lines 471 to 473 in 977aa64
The severity of the vulnerability is medium and gosu hasn't released a new version fixing it. It is one of the packages that we automatically track, so once there is a new version, we will use it:
More information from the upstream project about CVEs and false-positives.
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
Aqua Scanner and Trivy (CLI tool), both from aquasec.com, flag runc as vulnerable. More details here:
Hi, we are glad to announce that we got rid of

```
$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r22
bitnami/postgresql:15.2.0-debian-11-r22 (debian 11.6)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

opt/bitnami/common/bin/gosu (gobinary)
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)
```

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/opencontainers/runc | CVE-2022-29162 | HIGH | v1.1.0 | v1.1.2 | runc: incorrect handling of inheritable capabilities (https://avd.aquasec.com/nvd/cve-2022-29162) |
| github.com/opencontainers/runc | CVE-2023-27561 | HIGH | v1.1.0 | v1.1.5 | runc: volume mount race condition (regression of CVE-2019-19921) (https://avd.aquasec.com/nvd/cve-2023-27561) |
| github.com/opencontainers/runc | CVE-2022-24769 | MEDIUM | v1.1.0 | v1.1.2 | moby: Default inheritable capabilities for linux container should be empty (https://avd.aquasec.com/nvd/cve-2022-24769) |

```
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```

VS

```
$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r23
bitnami/postgresql:15.2.0-debian-11-r23 (debian 11.6)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```

From now on,
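A small triage helper for Trivy's JSON report, added here as an example and not part of this thread or of the Bitnami project: it separates the OS-package target from the gobinary target (gosu) that carries the runc modules, applies the same filter as `--ignore-unfixed`, and rebuilds the `Total:` lines shown in the comment above. The Trivy JSON field names are assumed from its report schema, and the sample report is constructed to mirror the thread.

```python
"""Triage a Trivy JSON report the way the thread compares the two images:
split OS-package findings from findings in embedded Go binaries (gosu) and
apply the --ignore-unfixed rule. Trivy field names are assumed; sample is constructed."""
import json
from collections import Counter

def _runc(cve, fixed, sev):
    return {"VulnerabilityID": cve, "PkgName": "github.com/opencontainers/runc",
            "InstalledVersion": "v1.1.0", "FixedVersion": fixed, "Severity": sev}

# Constructed sample: a clean OS target, and the gosu binary carrying the
# three runc CVEs from the thread plus one placeholder finding with no fix.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "bitnami/postgresql:15.2.0-debian-11-r22 (debian 11.6)",
     "Type": "debian", "Vulnerabilities": []},
    {"Target": "opt/bitnami/common/bin/gosu", "Type": "gobinary",
     "Vulnerabilities": [
         _runc("CVE-2022-29162", "v1.1.2", "HIGH"),
         _runc("CVE-2023-27561", "v1.1.5", "HIGH"),
         _runc("CVE-2022-24769", "v1.1.2", "MEDIUM"),
         {"VulnerabilityID": "CVE-PLACEHOLDER-0000", "PkgName": "example.invalid/pkg",
          "InstalledVersion": "v0.1.0", "FixedVersion": "", "Severity": "LOW"}]}]})

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

def triage(report_json, ignore_unfixed=True):
    """Map each scan target to its type, per-severity counts and kept findings."""
    out = {}
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null rather than [] when a target has no findings.
        vulns = result.get("Vulnerabilities") or []
        if ignore_unfixed:  # same effect as `trivy --ignore-unfixed`
            vulns = [v for v in vulns if v.get("FixedVersion")]
        out[result["Target"]] = {
            "type": result.get("Type"),
            "counts": Counter(v.get("Severity", "UNKNOWN") for v in vulns),
            "findings": vulns}
    return out

def summary_line(counts):
    """Render Trivy's 'Total: N (UNKNOWN: .., LOW: .., ...)' line."""
    parts = ", ".join(f"{s}: {counts.get(s, 0)}" for s in SEVERITIES)
    return f"Total: {sum(counts.values())} ({parts})"

def embedded_binary_targets(triaged):
    """Targets whose findings live in modules compiled into a Go binary: these
    need a rebuilt binary (a new gosu), not an OS package upgrade."""
    return sorted(t for t, r in triaged.items()
                  if r["type"] == "gobinary" and r["findings"])
```

Pipe a real report in with `trivy image --format json <image>` and call `triage()` on its contents; `embedded_binary_targets()` lists exactly the targets that no `apt upgrade` in the image will ever clear.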
Name and Version
bitnami/wordpress:6.0.2-debian-11-r8
What is the problem this feature will solve?
We are getting vulnerability reports when scanning images built with this image for opencontainers/runc. The specific details are:
Security update has been released for github.com/opencontainers/runc to fix the vulnerability.
The patch for this is d72d057ba794164c3cce9451a00b72a78b25e1ae and runc 1.0.3 was released with this bug fixed. Workaround: To the extent this is exploitable, disallowing untrusted namespace paths in container configuration should eliminate all practical ways of exploiting this bug. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.
Patch:
Following are links for downloading patches to fix the vulnerabilities: GHSA-v95c-p5hm-xq8f
What is the feature you are proposing to solve the problem?
I believe this would be foundational to all images - not just the wordpress one I am using.
What alternatives have you considered?
None.