Docker Image Contains Multiple CVEs #523

Closed
azfar26 opened this issue Feb 25, 2022 · 2 comments
Labels
question Usability question, not directly related to an error with the image

Comments


azfar26 commented Feb 25, 2022

I tried importing the mongo:5.0.6-focal image, but my security tool (Twistlock) detects multiple vulnerable Go packages and fails the import process (for criticals and highs). Refer to the table below.

Going through the source code, I don't see any explicit Go dependencies except for gosu. This dependency might be causing the issue. I tried going through issues at the tianon/gosu repo and found out that several people have reported this. But the owner said that the CVEs do not affect gosu and won't be fixed just yet.

What can we do to resolve this problem? This issue has impacted other Docker images that use Go as a dependency as well. Refer to the list of issues here. As more people are using security tools, this issue will keep appearing until the base Go version has been updated.

Scan results for image mongo:5.0.6-focal

| CVE | Severity | CVSS | Package | Version | Status | Published | Link |
|---|---|---|---|---|---|---|---|
| CVE-2021-38297 | critical | 9.8 | go | 1.13.10 | fixed in 1.17.2, 1.16.9 | 2021-10-18 | https://nvd.nist.gov/vuln/detail/CVE-2021-38297 |
| CVE-2021-38297 | critical | 9.8 | go | 1.16.7 | fixed in 1.17.2, 1.16.9 | 2021-10-18 | https://nvd.nist.gov/vuln/detail/CVE-2021-38297 |
| CVE-2022-23806 | critical | 9.1 | go | 1.13.10 | fixed in 1.17.7, 1.16.14 | 2022-02-11 | https://nvd.nist.gov/vuln/detail/CVE-2022-23806 |
| CVE-2022-23806 | critical | 9.1 | go | 1.16.7 | fixed in 1.17.7, 1.16.14 | 2022-02-11 | https://nvd.nist.gov/vuln/detail/CVE-2022-23806 |
| CVE-2022-23773 | high | 7.5 | go | 1.13.10 | fixed in 1.17.7, 1.16.14 | 2022-02-11 | https://nvd.nist.gov/vuln/detail/CVE-2022-23773 |
| CVE-2022-23773 | high | 7.5 | go | 1.16.7 | fixed in 1.17.7, 1.16.14 | 2022-02-11 | https://nvd.nist.gov/vuln/detail/CVE-2022-23773 |
| CVE-2022-23772 | high | 7.5 | go | 1.13.10 | fixed in 1.17.7, 1.16.14 | 2022-02-11 | https://nvd.nist.gov/vuln/detail/CVE-2022-23772 |
| CVE-2022-23772 | high | 7.5 | go | 1.16.7 | fixed in 1.17.7, 1.16.14 | 2022-02-11 | https://nvd.nist.gov/vuln/detail/CVE-2022-23772 |
| CVE-2021-44716 | high | 7.5 | go | 1.13.10 | fixed in 1.17.5, 1.16.12 | 2022-01-01 | https://nvd.nist.gov/vuln/detail/CVE-2021-44716 |
| CVE-2021-44716 | high | 7.5 | go | 1.16.7 | fixed in 1.17.5, 1.16.12 | 2022-01-01 | https://nvd.nist.gov/vuln/detail/CVE-2021-44716 |
| CVE-2021-41772 | high | 7.5 | go | 1.13.10 | fixed in 1.17.3, 1.16.10 | 2021-11-08 | https://nvd.nist.gov/vuln/detail/CVE-2021-41772 |
| CVE-2021-41772 | high | 7.5 | go | 1.16.7 | fixed in 1.17.3, 1.16.10 | 2021-11-08 | https://nvd.nist.gov/vuln/detail/CVE-2021-41772 |
| CVE-2021-41771 | high | 7.5 | go | 1.13.10 | fixed in 1.17.3, 1.16.10 | 2021-11-08 | https://nvd.nist.gov/vuln/detail/CVE-2021-41771 |
| CVE-2021-41771 | high | 7.5 | go | 1.16.7 | fixed in 1.17.3, 1.16.10 | 2021-11-08 | https://nvd.nist.gov/vuln/detail/CVE-2021-41771 |
| CVE-2021-39293 | high | 7.5 | go | 1.13.10 | fixed in 1.17.1, 1.16.8 | 2022-01-24 | https://nvd.nist.gov/vuln/detail/CVE-2021-39293 |
| CVE-2021-39293 | high | 7.5 | go | 1.16.7 | fixed in 1.17.1, 1.16.8 | 2022-01-24 | https://nvd.nist.gov/vuln/detail/CVE-2021-39293 |
| CVE-2021-33198 | high | 7.5 | go | 1.13.10 | fixed in 1.16.5, 1.15.13 | 2021-08-02 | https://nvd.nist.gov/vuln/detail/CVE-2021-33198 |
| CVE-2021-33196 | high | 7.5 | go | 1.13.10 | fixed in 1.16.5, 1.15.13 | 2021-08-02 | https://nvd.nist.gov/vuln/detail/CVE-2021-33196 |
| CVE-2021-33194 | high | 7.5 | go | 1.13.10 | None | 2021-05-26 | https://nvd.nist.gov/vuln/detail/CVE-2021-33194 |
| CVE-2021-29923 | high | 7.5 | go | 1.13.10 | fixed in 1.17 | 2021-08-07 | https://nvd.nist.gov/vuln/detail/CVE-2021-29923 |
| CVE-2021-29923 | high | 7.5 | go | 1.16.7 | fixed in 1.17 | 2021-08-07 | https://nvd.nist.gov/vuln/detail/CVE-2021-29923 |
| CVE-2021-27918 | high | 7.5 | go | 1.13.10 | fixed in 1.16.1, 1.15.9 | 2021-03-11 | https://nvd.nist.gov/vuln/detail/CVE-2021-27918 |
| CVE-2020-29652 | high | 7.5 | golang.org/x/crypto | v0.0.0-20200302210943-78000ba7a073 | fixed in v0.0.0-20201216223049-8b5274cf687f | 2020-12-17 | https://nvd.nist.gov/vuln/detail/CVE-2020-29652 |
| CVE-2020-29652 | high | 7.5 | golang.org/x/crypto | v0.0.0-20200302210943-78000ba7a073 | fixed in v0.0.0-20201216223049-8b5274cf687f | 2020-12-17 | https://nvd.nist.gov/vuln/detail/CVE-2020-29652 |
| CVE-2020-29652 | high | 7.5 | golang.org/x/crypto | v0.0.0-20200302210943-78000ba7a073 | fixed in v0.0.0-20201216223049-8b5274cf687f | 2020-12-17 | https://nvd.nist.gov/vuln/detail/CVE-2020-29652 |
| CVE-2020-29652 | high | 7.5 | golang.org/x/crypto | v0.0.0-20200302210943-78000ba7a073 | fixed in v0.0.0-20201216223049-8b5274cf687f | 2020-12-17 | https://nvd.nist.gov/vuln/detail/CVE-2020-29652 |
| CVE-2020-29652 | high | 7.5 | golang.org/x/crypto | v0.0.0-20200302210943-78000ba7a073 | fixed in v0.0.0-20201216223049-8b5274cf687f | 2020-12-17 | https://nvd.nist.gov/vuln/detail/CVE-2020-29652 |
| CVE-2020-29652 | high | 7.5 | golang.org/x/crypto | v0.0.0-20200302210943-78000ba7a073 | fixed in v0.0.0-20201216223049-8b5274cf687f | 2020-12-17 | https://nvd.nist.gov/vuln/detail/CVE-2020-29652 |
| CVE-2020-29652 | high | 7.5 | golang.org/x/crypto | v0.0.0-20200302210943-78000ba7a073 | fixed in v0.0.0-20201216223049-8b5274cf687f | 2020-12-17 | https://nvd.nist.gov/vuln/detail/CVE-2020-29652 |
| CVE-2020-29652 | high | 7.5 | golang.org/x/crypto | v0.0.0-20200302210943-78000ba7a073 | fixed in v0.0.0-20201216223049-8b5274cf687f | 2020-12-17 | https://nvd.nist.gov/vuln/detail/CVE-2020-29652 |
| CVE-2020-28367 | high | 7.5 | go | 1.13.10 | fixed in 1.15.5, 1.14.12 | 2020-11-18 | https://nvd.nist.gov/vuln/detail/CVE-2020-28367 |
| CVE-2020-28366 | high | 7.5 | go | 1.13.10 | fixed in 1.15.5, 1.14.12 | 2020-11-18 | https://nvd.nist.gov/vuln/detail/CVE-2020-28366 |
| CVE-2020-28362 | high | 7.5 | go | 1.13.10 | fixed in 1.15.4, 1.14.12 | 2020-11-18 | https://nvd.nist.gov/vuln/detail/CVE-2020-28362 |
| CVE-2020-16845 | high | 7.5 | go | 1.13.10 | fixed in 1.14.7, 1.13.15 | 2020-08-06 | https://nvd.nist.gov/vuln/detail/CVE-2020-16845 |
| CVE-2021-33195 | high | 7.3 | go | 1.13.10 | fixed in 1.16.5, 1.15.13 | 2021-08-02 | https://nvd.nist.gov/vuln/detail/CVE-2021-33195 |
| CVE-2022-24407 | high | None | cyrus-sasl2 | 2.1.27+dfsg-2 | fixed in 2.1.27+dfsg-2ubuntu0.1 | 2022-02-22 | https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-24407 |
| CVE-2021-34558 | medium | 6.5 | go | 1.13.10 | None | 2021-07-15 | https://nvd.nist.gov/vuln/detail/CVE-2021-34558 |
| CVE-2021-3114 | medium | 6.5 | go | 1.13.10 | fixed in 1.15.7, 1.14.14 | 2021-01-26 | https://nvd.nist.gov/vuln/detail/CVE-2021-3114 |
| CVE-2020-24553 | medium | 6.1 | go | 1.13.10 | fixed in 1.15.1, 1.14.8 | 2020-09-02 | https://nvd.nist.gov/vuln/detail/CVE-2020-24553 |
| CVE-2021-36221 | medium | 5.9 | go | 1.13.10 | fixed in 1.16.7, 1.15.15 | 2021-08-08 | https://nvd.nist.gov/vuln/detail/CVE-2021-36221 |
| CVE-2021-31525 | medium | 5.9 | go | 1.13.10 | fixed in 1.16.4, 1.15.12 | 2021-05-27 | https://nvd.nist.gov/vuln/detail/CVE-2021-31525 |
| CVE-2020-15586 | medium | 5.9 | go | 1.13.10 | fixed in 1.14.5, 1.13.13 | 2020-07-17 | https://nvd.nist.gov/vuln/detail/CVE-2020-15586 |
| CVE-2020-29510 | medium | 5.6 | go | 1.13.10 | None | 2020-12-14 | https://nvd.nist.gov/vuln/detail/CVE-2020-29510 |
| CVE-2021-33197 | medium | 5.3 | go | 1.13.10 | fixed in 1.16.5, 1.15.13 | 2021-08-02 | https://nvd.nist.gov/vuln/detail/CVE-2021-33197 |
| CVE-2020-14039 | medium | 5.3 | go | 1.13.10 | fixed in 1.14.5, 1.13.13 | 2020-07-17 | https://nvd.nist.gov/vuln/detail/CVE-2020-14039 |
| CVE-2021-3996 | medium | None | util-linux | 2.34-0.1ubuntu9.1 | fixed in 2.34-0.1ubuntu9.3 | 2022-01-24 | https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3996 |
| CVE-2021-3995 | medium | None | util-linux | 2.34-0.1ubuntu9.1 | fixed in 2.34-0.1ubuntu9.3 | 2022-01-24 | https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3995 |

Vulnerabilities found for image mongo:5.0.6-focal: total - 47, critical - 4, high - 32, medium - 11, low - 0

wglambert commented

The majority of the CVEs on that list are go and golang, which aren't in the image. It's extrapolating that since gosu is a compiled Go binary, go must be in the image. So essentially they're false positives, and what's left are the two at the end about util-linux; an unauthorized unmount of FUSE filesystems belonging to users with similar uid, which doesn't seem relevant to a container environment.

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment), docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

These are the packages that can be updated:

```console
$ docker run -it --rm mongo:5.0.6 bash
root@e73835c9acf7:/# apt update
Ign:1 http://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 InRelease
Get:2 http://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 Release [4406 B]
Get:3 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:4 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:5 http://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 Release.gpg [801 B]
Get:6 http://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0/multiverse amd64 Packages [12.3 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:8 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [25.8 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]
Get:10 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [1580 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:12 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [982 kB]
Get:13 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [842 kB]
Get:14 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:15 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:16 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:17 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [2008 kB]
Get:18 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1136 kB]
Get:19 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [29.4 kB]
Get:20 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [1052 kB]
Get:21 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [25.2 kB]
Get:22 http://archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [50.8 kB]
Fetched 21.2 MB in 4s (5911 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
13 packages can be upgraded. Run 'apt list --upgradable' to see them.

root@e73835c9acf7:/# apt list --upgradable
Listing... Done
base-files/focal-updates 11ubuntu5.5 amd64 [upgradable from: 11ubuntu5.4]
bsdutils/focal-updates,focal-security 1:2.34-0.1ubuntu9.3 amd64 [upgradable from: 1:2.34-0.1ubuntu9.1]
fdisk/focal-updates,focal-security 2.34-0.1ubuntu9.3 amd64 [upgradable from: 2.34-0.1ubuntu9.1]
libblkid1/focal-updates,focal-security 2.34-0.1ubuntu9.3 amd64 [upgradable from: 2.34-0.1ubuntu9.1]
libfdisk1/focal-updates,focal-security 2.34-0.1ubuntu9.3 amd64 [upgradable from: 2.34-0.1ubuntu9.1]
libmount1/focal-updates,focal-security 2.34-0.1ubuntu9.3 amd64 [upgradable from: 2.34-0.1ubuntu9.1]
libsasl2-2/focal-updates,focal-security 2.1.27+dfsg-2ubuntu0.1 amd64 [upgradable from: 2.1.27+dfsg-2]
libsasl2-modules-db/focal-updates,focal-security 2.1.27+dfsg-2ubuntu0.1 amd64 [upgradable from: 2.1.27+dfsg-2]
libsmartcols1/focal-updates,focal-security 2.34-0.1ubuntu9.3 amd64 [upgradable from: 2.34-0.1ubuntu9.1]
libuuid1/focal-updates,focal-security 2.34-0.1ubuntu9.3 amd64 [upgradable from: 2.34-0.1ubuntu9.1]
mongodb-mongosh/focal 1.2.2 amd64 [upgradable from: 1.1.9]
mount/focal-updates,focal-security 2.34-0.1ubuntu9.3 amd64 [upgradable from: 2.34-0.1ubuntu9.1]
util-linux/focal-updates,focal-security 2.34-0.1ubuntu9.3 amd64 [upgradable from: 2.34-0.1ubuntu9.1]
```

And for the other non-Go related CVE, there isn't a cyrus-sasl package in the image; it's just libsasl2:

```console
root@c0d5d1093629:/# find / | grep -i cyrus
root@c0d5d1093629:/# find / | grep -i sasl
/var/lib/dpkg/info/libsasl2-2:amd64.list
/var/lib/dpkg/info/libsasl2-modules-db:amd64.md5sums
/var/lib/dpkg/info/libsasl2-2:amd64.shlibs
/var/lib/dpkg/info/libsasl2-modules-db:amd64.list
/var/lib/dpkg/info/libsasl2-2:amd64.triggers
/var/lib/dpkg/info/libsasl2-2:amd64.md5sums
/usr/share/doc/libsasl2-2
/usr/share/doc/libsasl2-2/changelog.Debian.gz
/usr/share/doc/libsasl2-2/copyright
/usr/share/doc/libsasl2-2/NEWS.Debian.gz
/usr/share/doc/libsasl2-modules-db
/usr/share/doc/libsasl2-modules-db/changelog.Debian.gz
/usr/share/doc/libsasl2-modules-db/copyright
/usr/lib/x86_64-linux-gnu/libsasl2.so.2
/usr/lib/x86_64-linux-gnu/libsasl2.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2
/usr/lib/x86_64-linux-gnu/sasl2/libsasldb.so.2
/usr/lib/x86_64-linux-gnu/sasl2/libsasldb.so
/usr/lib/x86_64-linux-gnu/sasl2/libsasldb.so.2.0.25
/usr/lib/sasl2
```

So you could adjust your CVE policy to account for those that aren't relevant in a container environment or are false positives.

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Feb 25, 2022
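Added example, not code from this issue or the docker-library project: a small Python triage that applies the reasoning in the reply above to scanner rows, separating findings the scanner inferred from a statically linked Go binary (gosu) from packages that are really in the dpkg database and have an upgrade available. The scan rows, `apt list --upgradable` lines, installed-package set and the cyrus-sasl2 source-to-binary mapping are constructed from values quoted in this thread.

```python
import re

# Constructed subset of the Twistlock rows quoted in the issue (same columns, minus the link).
SCAN_ROWS = """\
CVE-2021-38297 critical 9.8 go 1.13.10 fixed in 1.17.2, 1.16.9
CVE-2021-33194 high 7.5 go 1.13.10 None
CVE-2022-24407 high None cyrus-sasl2 2.1.27+dfsg-2 fixed in 2.1.27+dfsg-2ubuntu0.1
CVE-2021-3996 medium None util-linux 2.34-0.1ubuntu9.1 fixed in 2.34-0.1ubuntu9.3
"""
# Constructed `apt list --upgradable` lines, versions as shown in the thread.
UPGRADABLE = """\
util-linux/focal-updates,focal-security 2.34-0.1ubuntu9.3 amd64 [upgradable from: 2.34-0.1ubuntu9.1]
libsasl2-2/focal-updates,focal-security 2.1.27+dfsg-2ubuntu0.1 amd64 [upgradable from: 2.1.27+dfsg-2]
"""
# Constructed set of binary packages in the image (what `dpkg-query -W -f '${Package}\n'` would list).
INSTALLED = {"util-linux", "mount", "libsasl2-2", "libsasl2-modules-db", "libmount1"}
# Scanners report the Ubuntu *source* package (cyrus-sasl2); dpkg only knows the binaries
# built from it (libsasl2-2). Assumed mapping for this example.
SOURCE_TO_BINARIES = {"cyrus-sasl2": {"libsasl2-2", "libsasl2-modules-db"}}

ROW_RE = re.compile(r"^(CVE-\d{4}-\d+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
UPG_RE = re.compile(r"^([^/\s]+)/\S+\s+(\S+)\s+\S+\s+\[upgradable from: (\S+)\]$")
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")


def parse_upgradable(text):
    """Map binary package -> candidate version from `apt list --upgradable` output."""
    return {m.group(1): m.group(2) for ln in text.splitlines() if (m := UPG_RE.match(ln))}


def embedded_go_version(binary):
    """Return the Go toolchain version string baked into a Go binary's runtime data, or None."""
    m = GO_VERSION_RE.search(binary)
    return m.group(0).decode() if m else None


def triage(scan_text, installed, upgradable, go_binary_version=None):
    """Classify each finding: static Go binary inference, absent package, upgradable, or no fix."""
    verdicts = {}
    for line in scan_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        cve, _sev, _cvss, pkg, _ver, status = m.groups()
        present = SOURCE_TO_BINARIES.get(pkg, {pkg}) & installed
        if pkg == "go":
            # No go package in dpkg: the finding comes from a statically linked Go binary (gosu).
            verdicts[cve] = ("static-go-binary", f"embedded toolchain {go_binary_version}, {status}")
        elif not present:
            verdicts[cve] = ("not-installed", "package absent from dpkg database")
        elif fixable := sorted(b for b in present if b in upgradable):
            verdicts[cve] = ("actionable", "apt-get install --only-upgrade " + " ".join(fixable))
        else:
            verdicts[cve] = ("no-fix-available", status)
    return verdicts
```

On a real image, `go version -m <binary>` (Go 1.13 and later) prints the same embedded toolchain version together with the module list the scanner read, which is the input to feed as `go_binary_version`.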

azfar26 commented Feb 28, 2022

Thanks for all the resources! Didn't realize this issue has been discussed for several years. I'd investigate more whenever new CVEs come up from Docker images from now on.
