Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bitnami/rabbitmq] Security bugs due to usage of old versions of "runc" #8168

Closed
guy-microsoft opened this issue Sep 28, 2022 · 4 comments
Closed

[bitnami/rabbitmq] Security bugs due to usage of old versions of "runc" #8168

guy-microsoft opened this issue Sep 28, 2022 · 4 comments
Assignees
@carrodher
Labels
rabbitmq solved stale 15 days without activity tech-issues The user has a technical issue about an application triage Triage is needed

Comments

@guy-microsoft
Copy link

Name and Version

bitnami/rabbitmq:3.9.22-debian-11-r15

What steps will reproduce the bug?

Docker image uses "runc" v1.0.1, which has security bugs were fixed in v1.1.2.
GHSA-f3fp-gc8g-vw66

What is the expected behavior?

No response

What do you see instead?

"runc" v1.0.1 is used, instead of >= v1.1.2.

Additional information

No response
@guy-microsoft guy-microsoft added the tech-issues The user has a technical issue about an application label Sep 28, 2022
@github-actions github-actions bot added the triage Triage is needed label Sep 28, 2022
@carrodher
Copy link
Member

Those CVEs are related to gosu whose latest version is 1.14 which is the one bundled in the Bitnami container images. In the case of bitnami/rabbitmq:

containers/bitnami/rabbitmq/3.10/debian-11/Dockerfile

Line 28 in 9b0750a

sha256sum -c gosu-1.14.0-154-linux-${OS_ARCH}-debian-11.tar.gz.sha256 && \

You can also see that gosu is not affected by these issues, as it was confirmed by its maintainer.

@github-actions
Copy link

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Oct 14, 2022
@github-actions
Copy link

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

@carrodher
Copy link
Member

Hi, we are glad to announce that we got rid of gosu in all Bitnami container images, so the false positives previously reported by some CVE scanners will not appear anymore:

$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r22

bitnami/postgresql:15.2.0-debian-11-r22 (debian 11.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

opt/bitnami/common/bin/gosu (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2022-29162 │ HIGH     │ v1.1.0            │ v1.1.2        │ runc: incorrect handling of inheritable capabilities       │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29162                 │
│                                ├────────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-27561 │          │                   │ v1.1.5        │ runc: volume mount race condition (regression of           │
│                                │                │          │                   │               │ CVE-2019-19921)                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-27561                 │
│                                ├────────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-24769 │ MEDIUM   │                   │ v1.1.2        │ moby: Default inheritable capabilities for linux container │
│                                │                │          │                   │               │ should be empty                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24769                 │
└────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

VS

$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r23

bitnami/postgresql:15.2.0-debian-11-r23 (debian 11.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

From now on, gosu functionalities were replaced by chroot. In this PR you can find an example of this implementation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@carrodher carrodher

Labels
rabbitmq solved stale 15 days without activity tech-issues The user has a technical issue about an application triage Triage is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bitnami-bot @carrodher @guy-microsoft