
Dependency vulnerability report #287

Open
anthonator opened this issue Dec 23, 2021 · 3 comments


This report was generated using trivy for Docker image joohoi/acme-dns:latest.

Command used

$> trivy image joohoi/acme-dns:latest

Alpine related vulnerabilities

joohoi/acme-dns:latest (alpine 3.12.3)
======================================
Total: 38 (UNKNOWN: 0, LOW: 2, MEDIUM: 6, HIGH: 27, CRITICAL: 3)

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools    | CVE-2021-36159   | CRITICAL | 2.10.5-r1         | 2.10.7-r0     | libfetch before 2021-07-26, as        |
|              |                  |          |                   |               | used in apk-tools, xbps, and          |
|              |                  |          |                   |               | other products, mishandles...         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-36159 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-30139   | HIGH     |                   | 2.10.6-r0     | In Alpine Linux apk-tools             |
|              |                  |          |                   |               | before 2.12.5, the tarball            |
|              |                  |          |                   |               | parser allows a buffer...             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-30139 |
+--------------+------------------+          +-------------------+---------------+---------------------------------------+
| busybox      | CVE-2021-28831   |          | 1.31.1-r19        | 1.32.1-r4     | busybox: invalid free or segmentation |
|              |                  |          |                   |               | fault via malformed gzip data         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28831 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-42378   |          |                   | 1.31.1-r21    | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-42374   | MEDIUM   |                   |               | busybox: out-of-bounds read           |
|              |                  |          |                   |               | in unlzma applet leads to             |
|              |                  |          |                   |               | information leak and denial...        |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42374 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2021-3711    | CRITICAL | 1.1.1i-r0         | 1.1.1l-r0     | openssl: SM2 Decryption               |
|              |                  |          |                   |               | Buffer Overflow                       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3711  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-23840   | HIGH     |                   | 1.1.1j-r0     | openssl: integer                      |
|              |                  |          |                   |               | overflow in CipherUpdate              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|              |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3712    |          |                   | 1.1.1l-r0     | openssl: Read buffer overruns         |
|              |                  |          |                   |               | processing ASN.1 strings              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3712  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-23841   | MEDIUM   |                   | 1.1.1j-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3449    |          |                   | 1.1.1k-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in signature_algorithms processing    |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3449  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-23839   | LOW      |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
|              |                  |          |                   |               | rollback protection                   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+--------------+------------------+----------+                   +---------------+---------------------------------------+
| libssl1.1    | CVE-2021-3711    | CRITICAL |                   | 1.1.1l-r0     | openssl: SM2 Decryption               |
|              |                  |          |                   |               | Buffer Overflow                       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3711  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-23840   | HIGH     |                   | 1.1.1j-r0     | openssl: integer                      |
|              |                  |          |                   |               | overflow in CipherUpdate              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|              |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3712    |          |                   | 1.1.1l-r0     | openssl: Read buffer overruns         |
|              |                  |          |                   |               | processing ASN.1 strings              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3712  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-23841   | MEDIUM   |                   | 1.1.1j-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3449    |          |                   | 1.1.1k-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in signature_algorithms processing    |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3449  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-23839   | LOW      |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
|              |                  |          |                   |               | rollback protection                   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| ssl_client   | CVE-2021-28831   | HIGH     | 1.31.1-r19        | 1.32.1-r4     | busybox: invalid free or segmentation |
|              |                  |          |                   |               | fault via malformed gzip data         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28831 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-42378   |          |                   | 1.31.1-r21    | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-42374   | MEDIUM   |                   |               | busybox: out-of-bounds read           |
|              |                  |          |                   |               | in unlzma applet leads to             |
|              |                  |          |                   |               | information leak and denial...        |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42374 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+

acme-dns related vulnerabilities

root/acme-dns (gobinary)
========================
Total: 4 (UNKNOWN: 1, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

+----------------------+------------------+----------+------------------------------------+--------------------------------------+---------------------------------------+
|       LIBRARY        | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |            FIXED VERSION             |                 TITLE                 |
+----------------------+------------------+----------+------------------------------------+--------------------------------------+---------------------------------------+
| github.com/miekg/dns | CVE-2019-19794   | MEDIUM   | v1.1.22                            | 1.1.25-0.20191211073109-8ebf2e419df7 | golang-github-miekg-dns: predictable  |
|                      |                  |          |                                    |                                      | TXID can lead to response forgeries   |
|                      |                  |          |                                    |                                      | -->avd.aquasec.com/nvd/cve-2019-19794 |
+----------------------+------------------+----------+------------------------------------+--------------------------------------+---------------------------------------+
| golang.org/x/crypto  | CVE-2020-29652   | HIGH     | v0.0.0-20191011191535-87dc89f01550 | v0.0.0-20201216223049-8b5274cf687f   | golang: crypto/ssh: crafted           |
|                      |                  |          |                                    |                                      | authentication request can            |
|                      |                  |          |                                    |                                      | lead to nil pointer dereference       |
|                      |                  |          |                                    |                                      | -->avd.aquasec.com/nvd/cve-2020-29652 |
+----------------------+------------------+          +------------------------------------+--------------------------------------+---------------------------------------+
| golang.org/x/text    | CVE-2020-14040   |          | v0.3.2                             | 0.3.3                                | golang.org/x/text: possibility        |
|                      |                  |          |                                    |                                      | to trigger an infinite loop in        |
|                      |                  |          |                                    |                                      | encoding/unicode could lead to...     |
|                      |                  |          |                                    |                                      | -->avd.aquasec.com/nvd/cve-2020-14040 |
+                      +------------------+----------+                                    +--------------------------------------+---------------------------------------+
|                      | CVE-2021-38561   | UNKNOWN  |                                    | 0.3.7                                | -->avd.aquasec.com/nvd/cve-2021-38561 |
+----------------------+------------------+----------+------------------------------------+--------------------------------------+---------------------------------------+
@anthonator anthonator changed the title Security report Vulernability report Dec 23, 2021
@anthonator anthonator changed the title Vulernability report Dependency vulernability report Dec 23, 2021

anthonator commented Dec 23, 2021

Sorry for the churn in the title. I didn't want to needlessly scare anyone.

This is a report from trivy on vulnerabilities detected for the Docker image joohoi/acme-dns:latest (I'm assuming this is maintained by @joohoi). Since this is a public image I thought it was important to report on vulnerabilities within the base Alpine image as well as the Go dependencies of acme-dns.

I was able to resolve CVE-2019-19794, CVE-2020-29652 and CVE-2020-14040 by updating to the latest versions of github.com/miekg/dns and golang.org/x/crypto. The only vulnerability left is CVE-2021-38561 which currently has a severity of UNKNOWN.

The steps needed to resolve the vulnerabilities in the manner I described above are:

  1. Update the base Docker image to the latest version of Alpine (as of now that would be 3.15.0) in Dockerfile
  2. Update dependency github.com/miekg/dns to version v1.1.45 at go.mod:24
  3. Update dependency golang.org/x/crypto to version v0.0.0-20211215153901-e495a2d5b3d3 at go.mod:35

My hope is this report will encourage the maintainers of this project to update this project's dependencies so these issues can be resolved. I would also encourage automating dependency updates using a tool like Dependabot or Renovate.

I would submit a pull request for these issues myself, but it doesn't look like this project has seen much attention recently, and a lot of issues and pull requests have gone unanswered, so I don't want to spend more time on this unless I get a 👍 from someone who could merge a pull request.
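As a defender's follow-up to the trivy command at the top of the issue and the three remediation steps above, here is an added example (not code from the acme-dns project or from the issue author) of the CI gate that keeps a rebuilt image from regressing: it parses `trivy image --format json` output and fails only on findings at or above a threshold that already have a fixed version, while listing UNKNOWN-severity entries such as CVE-2021-38561 separately instead of silently dropping them. The JSON field names follow Trivy's schema as I know it, and the embedded report is constructed from rows of the table above, not captured output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Report is the subset of `trivy image --format json` output a gate needs.
type Report struct {
	Results []struct {
		Vulnerabilities []Vuln `json:"Vulnerabilities"`
	} `json:"Results"`
}

// Vuln is one row of the table Trivy prints in its default mode.
type Vuln struct {
	ID               string `json:"VulnerabilityID"`
	PkgName          string `json:"PkgName"`
	InstalledVersion string `json:"InstalledVersion"`
	FixedVersion     string `json:"FixedVersion"`
	Severity         string `json:"Severity"`
}

// severityRank makes severities comparable against a threshold.
var severityRank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Parse decodes a Trivy JSON report.
func Parse(data []byte) (r Report, err error) { return r, json.Unmarshal(data, &r) }

// Triage is what a CI gate needs from one report.
type Triage struct {
	Total    int            // mirrors Trivy's "Total: N"; each row counts once
	Counts   map[string]int // per severity, mirrors "(UNKNOWN: .., LOW: .., ...)"
	Blocking []Vuln         // at or above the threshold with a fix available
	Unscored []string       // UNKNOWN severity, not yet scored
}

// Gate walks the report once. Blocking holds rows at or above minSeverity that
// already have a fixed version: exactly what a base-image bump or go.mod update
// resolves, and what CI should fail on. UNKNOWN rows are kept apart because a
// HIGH threshold would otherwise silently drop them; re-check them once scored.
func Gate(r Report, minSeverity string) Triage {
	t := Triage{Counts: map[string]int{}}
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			t.Total++
			t.Counts[v.Severity]++
			switch {
			case v.Severity == "UNKNOWN":
				t.Unscored = append(t.Unscored, v.ID)
			case v.FixedVersion != "" && severityRank[v.Severity] >= severityRank[minSeverity]:
				t.Blocking = append(t.Blocking, v)
			}
		}
	}
	sort.Slice(t.Blocking, func(i, j int) bool { // stable order so CI logs diff cleanly
		return t.Blocking[i].PkgName+t.Blocking[i].ID < t.Blocking[j].PkgName+t.Blocking[j].ID
	})
	return t
}

// sampleReport is constructed for this example from rows of the table in the
// issue (same CVE in libcrypto1.1 and libssl1.1); it is not captured Trivy output.
const sampleReport = `{"Results": [{"Vulnerabilities": [
  {"VulnerabilityID": "CVE-2021-36159", "PkgName": "apk-tools", "InstalledVersion": "2.10.5-r1", "FixedVersion": "2.10.7-r0", "Severity": "CRITICAL"},
  {"VulnerabilityID": "CVE-2021-42374", "PkgName": "busybox", "InstalledVersion": "1.31.1-r19", "FixedVersion": "1.31.1-r21", "Severity": "MEDIUM"},
  {"VulnerabilityID": "CVE-2021-3711", "PkgName": "libcrypto1.1", "InstalledVersion": "1.1.1i-r0", "FixedVersion": "1.1.1l-r0", "Severity": "CRITICAL"},
  {"VulnerabilityID": "CVE-2021-3711", "PkgName": "libssl1.1", "InstalledVersion": "1.1.1i-r0", "FixedVersion": "1.1.1l-r0", "Severity": "CRITICAL"}]}, {"Vulnerabilities": [
  {"VulnerabilityID": "CVE-2020-29652", "PkgName": "golang.org/x/crypto", "InstalledVersion": "v0.0.0-20191011191535-87dc89f01550", "FixedVersion": "v0.0.0-20201216223049-8b5274cf687f", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-2021-38561", "PkgName": "golang.org/x/text", "InstalledVersion": "v0.3.2", "FixedVersion": "0.3.7", "Severity": "UNKNOWN"}]}]}`

func main() {
	r, err := Parse([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	t := Gate(r, "HIGH")
	fmt.Printf("Total %d %v\n", t.Total, t.Counts)
	for _, v := range t.Blocking {
		fmt.Printf("FAIL %s %s %s -> %s\n", v.PkgName, v.ID, v.InstalledVersion, v.FixedVersion)
	}
	fmt.Println("UNKNOWN severity, re-check later:", t.Unscored)
}
```

In a pipeline, feed it the bytes of `trivy image --format json <image>` instead of sampleReport and exit non-zero whenever Blocking is non-empty.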


joohoi commented Jan 25, 2022

Thanks for this report; it's highly appreciated. I had to make some changes to how certmagic is used because they updated their whole API between the versions, but I believe I have everything sorted out now... Well, except CVE-2021-38561, which seems to still be unpublished.

@joohoi joohoi mentioned this issue Jan 25, 2022

hstock commented Jan 27, 2023

Image might need a rebuild with Alpine security updates:

NAME  INSTALLED  FIXED-IN   TYPE  VULNERABILITY   SEVERITY 
zlib  1.2.12-r1  1.2.12-r2  apk   CVE-2022-37434  Critical  

(Report created by grype)
