Vulnerabilities in Docker images 3.0 and 3.11 #194

Closed
missingdays opened this issue Oct 23, 2019 · 3 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@missingdays

We found several vulnerabilities in Cassandra images 3.0 and 3.11

They mostly come from the Debian base image.

Is there a way you could either upgrade them to newer versions or remove these packages when building the Docker image?

The full list of found vulnerabilities:

In package coreutils@8.26-3:

In package perl@5.24.1-3+deb9u5

In package python@2.7.13-2

In package sensible-utils@0.0.9+deb9u1

In package tar@1.29b-1.1

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Oct 23, 2019
@wglambert

See docker-library/postgres#286 (comment), docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.
And https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).


https://security-tracker.debian.org/tracker/CVE-2017-18018
Unfixed, Neutralised by kernel hardening

https://security-tracker.debian.org/tracker/CVE-2017-12814
fixed, Windows-specific issue

https://security-tracker.debian.org/tracker/CVE-2017-12837
fixed 5.24.1-3+deb9u5

https://security-tracker.debian.org/tracker/CVE-2017-12883
fixed, Windows-specific issue

https://security-tracker.debian.org/tracker/CVE-2018-6797
vulnerable in jessie, which we don't have a variant of
(Regular security support updates have been discontinued as of June 17th, 2018.)

https://security-tracker.debian.org/tracker/CVE-2018-6798
fixed 5.24.1-3+deb9u5

https://security-tracker.debian.org/tracker/CVE-2018-6913
fixed 5.24.1-3+deb9u5

https://security-tracker.debian.org/tracker/CVE-2018-12015
fixed 5.24.1-3+deb9u5

https://security-tracker.debian.org/tracker/CVE-2018-18311
vulnerable in jessie, which we don't have a variant of

https://security-tracker.debian.org/tracker/CVE-2018-18312
fixed 5.24.1-3+deb9u5

https://security-tracker.debian.org/tracker/CVE-2018-18313
fixed 5.24.1-3+deb9u5


https://security-tracker.debian.org/tracker/CVE-2013-7338
fixed 2.7.13-2+deb9u3

https://security-tracker.debian.org/tracker/CVE-2015-5652
NOT-FOR-US: Python on Windows

https://security-tracker.debian.org/tracker/CVE-2016-1494
(python-rsa) fixed 3.4.2-1

https://security-tracker.debian.org/tracker/CVE-2017-17522

a software maintainer indicates that exploitation is impossible because the code relies on subprocess

https://security-tracker.debian.org/tracker/CVE-2017-18207

the vendor disputes this issue
Nonsense report for Python

https://security-tracker.debian.org/tracker/CVE-2018-1000030
vulnerable, there's nothing actionable for us to do

The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code
No practical security impact, why DWF assigned a CVE ID is hard to tell

https://security-tracker.debian.org/tracker/CVE-2019-9636
vulnerable, there's nothing actionable for us to do

Improper Handling of Unicode Encoding
A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host

https://security-tracker.debian.org/tracker/CVE-2019-9740
vulnerable, there's nothing actionable for us to do

(Minor issue)
CRLF injection is possible if the attacker controls a url parameter

https://security-tracker.debian.org/tracker/CVE-2019-9947
vulnerable, there's nothing actionable for us to do

(Minor issue)
CRLF injection is possible if the attacker controls a url parameter

https://security-tracker.debian.org/tracker/CVE-2019-9948
vulnerable, there's nothing actionable for us to do

(Minor issue)
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file


https://security-tracker.debian.org/tracker/CVE-2017-17512
fixed, 0.0.9+deb9u1


https://security-tracker.debian.org/tracker/CVE-2018-20482
vulnerable, there's nothing actionable for us to do

(Minor issue)
when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service

https://security-tracker.debian.org/tracker/CVE-2019-9923
vulnerable, there's nothing actionable for us to do

Crash in CLI tool, no security impact
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.


I don't see anything actionable for us

@missingdays
Author

Thank you for your thorough answer!

I see that in the case of perl@5.24.1-3+deb9u5 and sensible-utils@0.0.9+deb9u1 fixes were backported, but the tool parses these versions as 5.24.1 and 0.0.9 and considers them vulnerable.

In case of tar, is there a way you could upgrade it to version 1.30+dfsg-6 to fix CVE-2018-20482? I understand that this version is not in stretch release, but there are ways to install specific packages from newer versions

@tianon
Member

tianon commented Nov 28, 2019

No, we aren't going to backport versions of packages just to satisfy a CVE scanner tool -- the tool should be updated to be aware of Debian's version numbering and incorporate the (freely available) Debian security database to determine whether a given CVE is actually actionable.

@tianon tianon closed this as completed Nov 28, 2019