Vulnerabilities Detected in Reacher Docker Image (latest) - Request for Update #1502

zieddhf · 2024-08-19T08:16:58Z

zieddhf
Aug 19, 2024

Hello,

I recently tested Reacher Docker image version latest for vulnerabilities using Trivy. The scan revealed a significant number of vulnerabilities in the packages installed within the image.

Key Vulnerabilities Detected:

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| busybox      | CVE-2021-42378   | HIGH     | 1.33.1-r3         | 1.33.1-r6     | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2022-28391   |          |                   | 1.33.1-r7     | busybox: remote attackers may execute |
|              |                  |          |                   |               | arbitrary code if netstat is used     |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-28391 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-42374   | MEDIUM   |                   | 1.33.1-r4     | busybox: out-of-bounds read           |
|              |                  |          |                   |               | in unlzma applet leads to             |
|              |                  |          |                   |               | information leak and denial...        |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42374 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-42375   |          |                   | 1.33.1-r5     | busybox: incorrect handling           |
|              |                  |          |                   |               | of a special element in               |
|              |                  |          |                   |               | ash applet leads to...                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42375 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2022-0778    | HIGH     | 1.1.1l-r0         | 1.1.1n-r0     | openssl: Infinite loop in             |
|              |                  |          |                   |               | BN_mod_sqrt() reachable               |
|              |                  |          |                   |               | when parsing certificates             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-0778  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2023-0286    |          |                   | 1.1.1t-r0     | X.400 address type confusion          |
|              |                  |          |                   |               | in X.509 GeneralName                  |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0286  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2022-2097    | MEDIUM   |                   | 1.1.1q-r0     | openssl: AES OCB fails                |
|              |                  |          |                   |               | to encrypt some bytes                 |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-2097  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2022-4304    |          |                   | 1.1.1t-r0     | Timing Oracle in RSA Decryption       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-4304  |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2022-4450    |          |                   |               | Double free after                     |
|              |                  |          |                   |               | calling PEM_read_bio_ex               |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-4450  |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2023-0215    |          |                   |               | Use-after-free                        |
|              |                  |          |                   |               | following BIO_new_NDEF                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0215  |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libretls     | CVE-2022-0778    | HIGH     | 3.3.3p1-r2        | 3.3.3p1-r3    | openssl: Infinite loop in             |
|              |                  |          |                   |               | BN_mod_sqrt() reachable               |
|              |                  |          |                   |               | when parsing certificates             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-0778  |
+--------------+                  +          +-------------------+---------------+                                       +
| libssl1.1    |                  |          | 1.1.1l-r0         | 1.1.1n-r0     |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2023-0286    |          |                   | 1.1.1t-r0     | X.400 address type confusion          |
|              |                  |          |                   |               | in X.509 GeneralName                  |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0286  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2022-2097    | MEDIUM   |                   | 1.1.1q-r0     | openssl: AES OCB fails                |
|              |                  |          |                   |               | to encrypt some bytes                 |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-2097  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2022-4304    |          |                   | 1.1.1t-r0     | Timing Oracle in RSA Decryption       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-4304  |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2022-4450    |          |                   |               | Double free after                     |
|              |                  |          |                   |               | calling PEM_read_bio_ex               |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-4450  |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2023-0215    |          |                   |               | Use-after-free                        |
|              |                  |          |                   |               | following BIO_new_NDEF                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0215  |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| ssl_client   | CVE-2021-42378   | HIGH     | 1.33.1-r3         | 1.33.1-r6     | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2022-28391   |          |                   | 1.33.1-r7     | busybox: remote attackers may execute |
|              |                  |          |                   |               | arbitrary code if netstat is used     |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-28391 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-42374   | MEDIUM   |                   | 1.33.1-r4     | busybox: out-of-bounds read           |
|              |                  |          |                   |               | in unlzma applet leads to             |
|              |                  |          |                   |               | information leak and denial...        |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42374 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-42375   |          |                   | 1.33.1-r5     | busybox: incorrect handling           |
|              |                  |          |                   |               | of a special element in               |
|              |                  |          |                   |               | ash applet leads to...                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42375 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| zlib         | CVE-2022-37434   | CRITICAL | 1.2.11-r3         | 1.2.12-r2     | zlib: heap-based buffer               |
|              |                  |          |                   |               | over-read and overflow in             |
|              |                  |          |                   |               | inflate() in inflate.c via a...       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-37434 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2018-25032   | HIGH     |                   | 1.2.12-r0     | zlib: A flaw found in                 |
|              |                  |          |                   |               | zlib when compressing (not            |
|              |                  |          |                   |               | decompressing) certain inputs...      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-25032 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+

Given the importance of maintaining a secure environment for all users, I kindly request that you consider updating the packages within the image to address these vulnerabilities.

Thank you for your attention to this matter and for your ongoing work on this project.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerabilities Detected in Reacher Docker Image (latest) - Request for Update #1502

{{title}}

Replies: 0 comments

Select a reply

Vulnerabilities Detected in Reacher Docker Image (latest) - Request for Update #1502

zieddhf Aug 19, 2024

Replies: 0 comments

zieddhf
Aug 19, 2024