
alpine:latest has CVE-2019-1563,CVE-2019-1549,CVE-2019-1547 for libssl1.1 and libcrypto1.1 #39

Closed
tgerlach opened this issue Sep 18, 2019 · 16 comments

Comments

@tgerlach

tgerlach commented Sep 18, 2019

Vulnerable Packages Found
=========================

Vulnerability ID   Policy Status   Affected Packages         How to Resolve
CVE-2019-1547      Active          libssl1.1, libcrypto1.1   Upgrade 2 packages. Re-run command with --extended to view.
CVE-2019-1549      Active          libssl1.1, libcrypto1.1   Upgrade 2 packages. Re-run command with --extended to view.
CVE-2019-1563      Active          libssl1.1, libcrypto1.1   Upgrade 2 packages. Re-run command with --extended to view.

extended view for resolution

   Vendor Security Notice IDs   Official Notice
   ALPINE-CVE-2019-1547

   Affected Packages   Policy Status   How to Resolve                         Security Notice
   libssl1.1           Active          Upgrade libssl1.1 to >= 1.1.1d-r1      ALPINE-CVE-2019-1547
   libcrypto1.1        Active          Upgrade libcrypto1.1 to >= 1.1.1d-r1   ALPINE-CVE-2019-1547

   Vendor Security Notice IDs   Official Notice
   ALPINE-CVE-2019-1549

   Affected Packages   Policy Status   How to Resolve                         Security Notice
   libssl1.1           Active          Upgrade libssl1.1 to >= 1.1.1d-r1      ALPINE-CVE-2019-1549
   libcrypto1.1        Active          Upgrade libcrypto1.1 to >= 1.1.1d-r1   ALPINE-CVE-2019-1549

   Vendor Security Notice IDs   Official Notice
   ALPINE-CVE-2019-1563

   Affected Packages   Policy Status   How to Resolve                         Security Notice
   libssl1.1           Active          Upgrade libssl1.1 to >= 1.1.1d-r1      ALPINE-CVE-2019-1563
   libcrypto1.1        Active          Upgrade libcrypto1.1 to >= 1.1.1d-r1   ALPINE-CVE-2019-1563
@tgerlach tgerlach changed the title from "alpine:latest has CVE-2019-9511 and CVE-2019-9513 for libnghttp2" to "alpine:latest has CVE-2019-1563,CVE-2019-1549,CVE-2019-1547 for libssl1.1 and libcrypto1.1" Sep 18, 2019
@tgerlach tgerlach reopened this Sep 18, 2019
@ncopa
Contributor

ncopa commented Sep 18, 2019

Will try get a new release ASAP. Meanwhile, you can run apk upgrade -U -a as workaround.

@tgerlach
Author

Thanks @ncopa, I had already tried that, but it only took me to 1.1.1d-r0:

Step 2/3 : RUN apk update && apk upgrade -U -a
 ---> Running in 18e9b7a5a0ba
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
v3.10.2-55-g6cecf3cc9d [http://dl-cdn.alpinelinux.org/alpine/v3.10/main]
v3.10.2-42-g95d37f7648 [http://dl-cdn.alpinelinux.org/alpine/v3.10/community]
OK: 10336 distinct packages available
(1/2) Upgrading libcrypto1.1 (1.1.1c-r0 -> 1.1.1d-r0)
(2/2) Upgrading libssl1.1 (1.1.1c-r0 -> 1.1.1d-r0)
OK: 6 MiB in 14 packages

@tgerlach
Author

@ncopa any status update on a new release with the updated packages?

@ncopa
Contributor

ncopa commented Sep 27, 2019

I was supposed to do it today, but I want to squeeze in a few more kernel changes. I will try to get the release out early next week.

@tgerlach
Author

tgerlach commented Oct 4, 2019

@ncopa I guess here is my weekly request of update status, again :-)

@strouja

strouja commented Oct 4, 2019

Whatever you can do to get this done by early next week or even this weekend (I'm writing this on Oct 4, 2019) is critical for us. We are trying to release our product using alpine (I'm a big advocate for it at IBM) but we can't ship until we have included these fixes. So I have a vested interest in getting these two packages patched. Thanks for your help with this, James Stroud IBM

@cobu2b

cobu2b commented Oct 29, 2019

Is this change ready? I hope that I can use this fix to resolve the reported vulnerabilities in our products soon. Thank you

@jdkelley

jdkelley commented Nov 4, 2019

@cobu2b - Currently, alpine:3.10.3 is on Docker Hub as latest and includes OpenSSL 1.1.1d-r0 which is patched for

It looks like this issue could be closed.

@cobu2b

cobu2b commented Nov 14, 2019

Thank you @jdkelley. When I use FROM alpine:latest or FROM alpine, an image picks up Alpine 3.10.2 instead of 3.10.3. Is it expected? When I use FROM alpine:3.10.3, I can see OpenSSL 1.1.1d-r0 as expected. I try to avoid specifying the alpine version and use the stable image only. Could you please give me advice? Thank you

@jdkelley

Interesting @cobu2b. I can't reproduce that. Have you tried clearing the old images out before building again? You can do this with docker rmi $(docker images -aq) (CAUTION: this will remove all docker images you have locally.)

When I check the version of Alpine in the alpine:latest container it is the same as the version in alpine:3.10.3.

alpine:latest:

$ docker run alpine:latest cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.10.3
PRETTY_NAME="Alpine Linux v3.10"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"

alpine:3.10.3:

$ docker run alpine:3.10.3 cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.10.3
PRETTY_NAME="Alpine Linux v3.10"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"

Similarly, using each of these images as a base image, I get the same result.

  • With alpine:latest:
$ cat > Dockerfile <<EOF
> FROM alpine:latest
> RUN cat /etc/os-release
> EOF
$ 
$ docker build .
Sending build context to Docker daemon  126.5kB
Step 1/2 : FROM alpine:latest
 ---> 965ea09ff2eb
Step 2/2 : RUN cat /etc/os-release
 ---> Running in 5d302b63bf67
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.10.3
PRETTY_NAME="Alpine Linux v3.10"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
Removing intermediate container 5d302b63bf67
 ---> a7d2d692b963
Successfully built a7d2d692b963
  • With alpine:3.10.3:
$ cat > Dockerfile <<EOF
> FROM alpine:3.10.3
> RUN cat /etc/os-release
> EOF
$
$ docker build .
Sending build context to Docker daemon  126.5kB
Step 1/2 : FROM alpine:3.10.3
 ---> 965ea09ff2eb
Step 2/2 : RUN cat /etc/os-release
 ---> Running in ef9fda68f8ab
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.10.3
PRETTY_NAME="Alpine Linux v3.10"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
Removing intermediate container ef9fda68f8ab
 ---> 07b8cbbd22e9
Successfully built 07b8cbbd22e9

Of Note:

I have found that using latest doesn't always behave the way I would expect. Docker doesn't go out and check that the image you have tagged as latest locally is actually the latest on Docker Hub. So, if you already have an image tagged with alpine:latest locally, your docker client will use that image.

To ensure you have the latest latest, run docker pull alpine:latest. You can make sure your build command does this by passing the --build flag to your docker build command (reference: docker build).
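The stale-local-tag behaviour described in the comment above is a good reason to let a Dockerfile say exactly which image was scanned. The following is an added example (not code from this issue, and not from the Alpine or Docker projects): it classifies every `FROM` reference as floating (`:latest` or no tag), tagged, or digest-pinned, reads the `Digest:` line that `docker pull`/`docker build` print, and rewrites a floating reference to the `repo@sha256:...` form. The Dockerfile text is constructed; the pull output is the `docker build -t local .` excerpt posted later in this thread, whose digest is real. The function names and the three classification labels are this example's own choices.

```python
"""Flag floating base-image references in a Dockerfile and pin them by digest.

Added example, not code from this issue or from the Alpine or Docker projects.
A tag like alpine:latest is mutable and the local copy is only refreshed by an
explicit pull, so a scan result describes one image while the next build may
use another. A digest reference (alpine@sha256:...) names one immutable
manifest, and the Dockerfile then records exactly what was scanned.
"""
import re
from typing import Dict, List, Tuple

# FROM [--platform=<p>] <ref> [AS <name>]
_FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+\S+)?\s*$",
    re.IGNORECASE,
)
# "Digest: sha256:<64 hex>" as printed by docker pull / docker build.
_DIGEST_RE = re.compile(r"^Digest:\s+(?P<digest>sha256:[0-9a-f]{64})\s*$",
                        re.MULTILINE)


def _repository(ref: str) -> str:
    """Strip tag and digest: 'host:5000/ns/alpine:3.12@sha256:..' -> 'host:5000/ns/alpine'."""
    ref = ref.split("@", 1)[0]
    head, sep, last = ref.rpartition("/")
    last = last.split(":", 1)[0]  # ':' in the last path component is a tag, not a port
    return head + sep + last


def classify_ref(ref: str) -> str:
    """'digest' (immutable), 'tag' (mutable, explicit) or 'floating' (:latest / no tag)."""
    if "@sha256:" in ref:
        return "digest"
    last = ref.rpartition("/")[2]
    if ":" in last:
        return "floating" if last.split(":", 1)[1] == "latest" else "tag"
    return "floating"  # no tag at all means :latest


def check_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """(line number, reference, classification) for every FROM line."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _FROM_RE.match(line)
        if m:
            out.append((lineno, m.group("ref"), classify_ref(m.group("ref"))))
    return out


def digest_from_pull_output(output: str) -> str:
    """Extract the manifest digest from docker pull / docker build output."""
    m = _DIGEST_RE.search(output)
    if not m:
        raise ValueError("no Digest: line in output")
    return m.group("digest")


def pin_from_lines(text: str, digests: Dict[str, str]) -> str:
    """Rewrite FROM lines whose reference is a key of `digests` to repo@digest."""
    lines = []
    for line in text.splitlines():
        m = _FROM_RE.match(line)
        if m and m.group("ref") in digests:
            ref = m.group("ref")
            line = line.replace(ref, f"{_repository(ref)}@{digests[ref]}", 1)
        lines.append(line)
    return "\n".join(lines) + "\n"


# Constructed Dockerfile: one floating, one tagged and one digest-pinned stage.
SAMPLE_DOCKERFILE = (
    "FROM alpine:latest\n"
    "RUN apk update && apk upgrade -U -a\n"
    "FROM --platform=linux/amd64 alpine:3.10.3 AS build\n"
    "FROM alpine@sha256:" + "0" * 64 + " AS final\n"
)

# Excerpt of the `docker build -t local .` output posted in this thread.
SAMPLE_PULL_OUTPUT = """\
latest: Pulling from library/alpine
05e7bc50f07f: Pull complete
Digest: sha256:a126728cb7db157f0deb377bcba3c5e473e612d7bafc27f6bb4e5e083f9f08c2
Status: Downloaded newer image for alpine:latest
"""

if __name__ == "__main__":
    for lineno, ref, kind in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {ref} -> {kind}")
    digest = digest_from_pull_output(SAMPLE_PULL_OUTPUT)
    print(pin_from_lines(SAMPLE_DOCKERFILE, {"alpine:latest": digest}))
```

Run as a pre-build check, a `floating` result fails the build; a `tag` result is a warning, since the thread itself shows `alpine:latest` and `alpine:3.10.3` resolving to the same image id on one day and a tag being re-pointed on another. With the digest pinned, bumping the base image becomes a visible one-line change rather than whatever the registry happens to serve.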

@cobu2b
Copy link

cobu2b commented Nov 14, 2019

Thank you so much for your help, Joshua. Actually it happened as you described. My local alpine:latest was old. Running docker pull alpine:latest and rebuilding the image helped.

@ingokofler

ingokofler commented Jan 22, 2020

Two months after the last comment on this issue and it seems that the issue is still unresolved.
Is there any documentation on which Docker image tags are maintained?

https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases is somehow giving the impression that 9.3 is supported until November 2020 with security bugfixes but actually the most recent Docker image with tag 9.3 contains already some CVEs?

Any guidance on this topic?

@ncopa
Contributor

ncopa commented Jan 23, 2020

Updates are on their way: docker-library/official-images#7331

Those issues were fixed a long time ago in the packages, and it has always been possible to get those fixes with apk upgrade.

In any case, sorry for taking so long, and thank you for your patience.

@ncopa ncopa closed this as completed Jan 23, 2020
@ingokofler

@ncopa Thanks!

Is this considered as best-practice to run apk upgrade in the Dockerfiles when building on top of alpine linux?
In the case of the alpine-based images we use I haven't seen this in the corresponding Dockerfiles... It seems that they are relying somehow that the alpine images are maintained and up-to-date.

@J0WI

J0WI commented Jan 24, 2020

Avoid RUN apt-get upgrade and dist-upgrade, as many of the “essential” packages from the parent images cannot upgrade inside an unprivileged container. If a package contained in the parent image is out-of-date, contact its maintainers. If you know there is a particular package, foo, that needs to be updated, use apt-get install -y foo to update automatically.

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get

@redbelow

redbelow commented Dec 15, 2020

Getting this with alpine 3.12.2 as well, see below:

trivy image alpine:latest
2020-12-15T13:06:34.066-0600	WARN	You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2020-12-15T13:06:35.831-0600	INFO	Detecting Alpine vulnerabilities...
2020-12-15T13:06:35.832-0600	INFO	Trivy skips scanning programming language libraries because no supported file was detected

alpine:latest (alpine 3.12.2)
=============================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

+--------------+------------------+----------+-------------------+---------------+--------------------------------+-----------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |                URL                |
+--------------+------------------+----------+-------------------+---------------+--------------------------------+-----------------------------------+
| libcrypto1.1 | CVE-2020-1971    | HIGH     | 1.1.1g-r0         | 1.1.1i-r0     | The X.509 GeneralName          | avd.aquasec.com/nvd/cve-2020-1971 |
|              |                  |          |                   |               | type is a generic type         |                                   |
|              |                  |          |                   |               | for representing different     |                                   |
|              |                  |          |                   |               | types...                       |                                   |
+--------------+                  +          +                   +               +                                +                                   +
| libssl1.1    |                  |          |                   |               |                                |                                   |
|              |                  |          |                   |               |                                |                                   |
|              |                  |          |                   |               |                                |                                   |
|              |                  |          |                   |               |                                |                                   |
+--------------+------------------+----------+-------------------+---------------+--------------------------------+-----------------------------------+

Upgrading the packages fixes it:

$ cat Dockerfile
From alpine:latest

RUN apk update && apk upgrade -U -a
$ docker build -t local .
Sending build context to Docker daemon  1.136MB
Step 1/2 : From alpine:latest
latest: Pulling from library/alpine
05e7bc50f07f: Pull complete 
Digest: sha256:a126728cb7db157f0deb377bcba3c5e473e612d7bafc27f6bb4e5e083f9f08c2
Status: Downloaded newer image for alpine:latest
 ---> b14afc6dfb98
Step 2/2 : RUN apk update && apk upgrade -U -a
 ---> Running in af97e3b30670
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
v3.12.2-32-g434125893a [http://dl-cdn.alpinelinux.org/alpine/v3.12/main]
v3.12.2-28-g19bfc5f39e [http://dl-cdn.alpinelinux.org/alpine/v3.12/community]
OK: 12747 distinct packages available
(1/2) Upgrading libcrypto1.1 (1.1.1g-r0 -> 1.1.1i-r0)
(2/2) Upgrading libssl1.1 (1.1.1g-r0 -> 1.1.1i-r0)
OK: 6 MiB in 14 packages
Removing intermediate container af97e3b30670
 ---> f9f6a9f4fb07
Successfully built f9f6a9f4fb07
Successfully tagged local:latest
$ trivy image local:latest
2020-12-15T13:11:15.920-0600	WARN	You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2020-12-15T13:11:16.073-0600	INFO	Detecting Alpine vulnerabilities...
2020-12-15T13:11:16.073-0600	INFO	Trivy skips scanning programming language libraries because no supported file was detected

local:latest (alpine 3.12.2)
============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
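Both scanner passages in this thread pose the same question: the September 2019 output wants libssl1.1 and libcrypto1.1 at or above 1.1.1d-r1 while `apk upgrade -U -a` ended on 1.1.1d-r0, and the December 2020 trivy output wants 1.1.1i-r0 for CVE-2020-1971, which the upgrade delivered. The following is an added example, not code from the Alpine project or from anyone in this thread: it compares installed package versions, given in the line format of `apk info -v`, against a scanner's fixed versions using apk's ordering (dotted numeric components, an optional trailing letter so that 1.1.1c < 1.1.1d, an optional _alpha/_beta/_pre/_rc suffix before or _p after the plain release, then the -rN package release). The OpenSSL versions in the sample listings are the ones the two upgrade logs above ended on; the other lines are constructed filler, and the function names are this example's own.

```python
"""Check installed Alpine package versions against a scanner's fixed versions.

Added example, not code from the Alpine project or from this issue. It follows
apk's version ordering for the shapes seen in the thread (1.1.1c-r0, 1.1.1d-r1,
1.1.1i-r0) and for _alpha/_beta/_pre/_rc/_p suffixes.
"""
import re
from typing import Dict, List, Tuple

# apk suffix ordering relative to a plain release (rank 0).
_SUFFIX_RANK = {"_alpha": -4, "_beta": -3, "_pre": -2, "_rc": -1, "": 0, "_p": 1}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"                   # 1.1.1
    r"(?P<letter>[a-z])?"                         # d
    r"(?P<suffix>_(?:alpha|beta|pre|rc|p)\d*)?"   # _rc1, _p1
    r"-r(?P<rel>\d+)$"                            # -r0
)
# "libssl1.1-1.1.1d-r0" -> name "libssl1.1", version "1.1.1d-r0". Names may
# contain '-', so the version is the first "-<digit>...-r<N>" tail.
_APK_INFO_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[^-]*-r\d+)$")


def parse_version(ver: str) -> Tuple:
    """Turn an apk version string into a tuple that sorts the way apk sorts."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unrecognised apk version: {ver!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    suffix = m.group("suffix") or ""
    suffix_name = re.sub(r"\d+$", "", suffix)
    suffix_num = int(suffix[len(suffix_name):] or "0")
    return (nums, m.group("letter") or "", _SUFFIX_RANK[suffix_name],
            suffix_num, int(m.group("rel")))


def version_ge(installed: str, fixed: str) -> bool:
    """True when `installed` is at or above the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


def parse_apk_info(text: str) -> Dict[str, str]:
    """Parse `apk info -v` style lines into {package name: version}."""
    pkgs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _APK_INFO_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised apk info line: {line!r}")
        pkgs[m.group("name")] = m.group("ver")
    return pkgs


def find_unfixed(installed: Dict[str, str],
                 findings: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """(cve, package, installed, fixed) for each finding still below its fix.

    A finding whose package is not installed is skipped: there is nothing to
    upgrade, so the report must have been for a different image.
    """
    unfixed = []
    for cve, pkg, fixed in findings:
        have = installed.get(pkg)
        if have is not None and not version_ge(have, fixed):
            unfixed.append((cve, pkg, have, fixed))
    return unfixed


def report(apk_info: str, findings: List[Tuple[str, str, str]]) -> List[str]:
    """One line per finding still open; an empty list means the image is clean."""
    installed = parse_apk_info(apk_info)
    return [f"{cve}: {pkg} {have} < {fixed}"
            for cve, pkg, have, fixed in find_unfixed(installed, findings)]


# Fixed versions exactly as the two scanners in this thread reported them.
SCANNER_FINDINGS_2019 = [
    (cve, pkg, "1.1.1d-r1")
    for cve in ("CVE-2019-1547", "CVE-2019-1549", "CVE-2019-1563")
    for pkg in ("libssl1.1", "libcrypto1.1")
]
TRIVY_FINDINGS_2020 = [
    ("CVE-2020-1971", "libcrypto1.1", "1.1.1i-r0"),
    ("CVE-2020-1971", "libssl1.1", "1.1.1i-r0"),
]

# Constructed listings in `apk info -v` format. Only the OpenSSL lines come from
# the upgrade logs in this thread; the other lines are filler.
APK_INFO_AFTER_2019_UPGRADE = """\
musl-1.1.22-r3
ca-certificates-cacert-20190108-r0
libcrypto1.1-1.1.1d-r0
libssl1.1-1.1.1d-r0
"""
APK_INFO_AFTER_2020_UPGRADE = """\
musl-1.1.24-r10
libcrypto1.1-1.1.1i-r0
libssl1.1-1.1.1i-r0
"""

if __name__ == "__main__":
    for label, info, findings in (
        ("alpine:3.10 after upgrade vs 2019 scanner", APK_INFO_AFTER_2019_UPGRADE, SCANNER_FINDINGS_2019),
        ("alpine:3.12.2 after upgrade vs trivy", APK_INFO_AFTER_2020_UPGRADE, TRIVY_FINDINGS_2020),
    ):
        lines = report(info, findings)
        print(f"{label}: {'clean' if not lines else ''}")
        for line in lines:
            print("  " + line)
```

The 2019 case stays open under this check because the scanner's threshold (1.1.1d-r1) is above what the repository served (1.1.1d-r0); whether that threshold was right is a question for the scanner's data source, and the check makes the disagreement explicit instead of hiding it behind a pass. Run the same comparison after `apk upgrade -U -a` in a build, before trusting a rebuilt image, so a stale local tag or a lagging mirror shows up as a concrete version gap.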

@alpinelinux alpinelinux locked as resolved and limited conversation to collaborators Dec 16, 2020