Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple high-severity vulnerabilities in Docker image #2361

Open
WillStephen opened this issue Feb 9, 2024 · 2 comments · May be fixed by #2380
Open

Multiple high-severity vulnerabilities in Docker image #2361

WillStephen opened this issue Feb 9, 2024 · 2 comments · May be fixed by #2380
Assignees
@EmmaZhu
Labels
dependencies Pull requests that update a dependency file

Comments

@WillStephen
Copy link
Contributor

WillStephen commented Feb 9, 2024
edited

The latest Docker image fails Trivy scans with five high-severity CVEs. There are two in the base image and three in Azurite itself.

$ docker run aquasec/trivy image mcr.microsoft.com/azure-storage/azurite:latest --severity HIGH,CRITICAL

mcr.microsoft.com/azure-storage/azurite:latest (alpine 3.17.3)
==============================================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ HIGH     │ fixed  │ 3.0.8-r3          │ 3.0.12-r0     │ openssl: Incorrect cipher key and IV length processing │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
├────────────┤               │          │        │                   │               │                                                        │
│ libssl3    │               │          │        │                   │               │                                                        │
│            │               │          │        │                   │               │                                                        │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

Node.js (node-pkg)
==================
Total: 4 (HIGH: 4, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬────────────────────────────┬────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │  Status  │ Installed Version │       Fixed Version        │                           Title                            │
├─────────────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼────────────────────────────┼────────────────────────────────────────────────────────────┤
│ ansi-regex (package.json)           │ CVE-2021-3807  │ HIGH     │ fixed    │ 3.0.0             │ 6.0.1, 5.0.1, 4.1.1, 3.0.1 │ nodejs-ansi-regex: Regular expression denial of service    │
│                                     │                │          │          │                   │                            │ (ReDoS) matching ANSI escape codes                         │
│                                     │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-3807                  │
│                                     │                │          │          ├───────────────────┤                            │                                                            │
│                                     │                │          │          │ 4.1.0             │                            │                                                            │
│                                     │                │          │          │                   │                            │                                                            │
│                                     │                │          │          │                   │                            │                                                            │
├─────────────────────────────────────┼────────────────┤          │          ├───────────────────┼────────────────────────────┼────────────────────────────────────────────────────────────┤
│ http-cache-semantics (package.json) │ CVE-2022-25881 │          │          │ 3.8.1             │ 4.1.1                      │ http-cache-semantics: Regular Expression Denial of Service │
│                                     │                │          │          │                   │                            │ (ReDoS) vulnerability                                      │
│                                     │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-25881                 │
├─────────────────────────────────────┼────────────────┤          ├──────────┼───────────────────┼────────────────────────────┼────────────────────────────────────────────────────────────┤
│ ip (package.json)                   │ CVE-2023-42282 │          │ affected │ 1.1.5             │                            │ An issue in NPM IP Package v.1.1.8 and before allows an    │
│                                     │                │          │          │                   │                            │ attacker...                                                │
│                                     │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2023-42282                 │
└─────────────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴────────────────────────────┴────────────────────────────────────────────────────────────┘

We'd love to use Azurite but this is a bit of a problem for us - is there anyone working on updating the dependencies to fix these?
@levpachmanov
Copy link

Hi @WillStephen,

Unfortunately, the library is no longer maintained, so there is no public solution.

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an ip 1.1.5-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at [email protected] if you have any requests/questions.

@blueww blueww added the dependencies Pull requests that update a dependency file label Feb 19, 2024
@blueww
Copy link
Member

blueww commented Feb 19, 2024

@EmmaZhu

Would you please help to look at the dependency issue?

justinwyer added a commit to justinwyer/Azurite that referenced this issue Mar 21, 2024
@justinwyer
Fixes Azure#2361
ac1b8bf
justinwyer added a commit to justinwyer/Azurite that referenced this issue Mar 21, 2024
@justinwyer
Fixes Azure#2361
eb05f9d
@justinwyer justinwyer linked a pull request Mar 22, 2024 that will close this issue
Draft
justinwyer added a commit to justinwyer/Azurite that referenced this issue Mar 22, 2024
@justinwyer
Fixes Azure#2361
19d0a44 
 * Upgrade docker base image to node:20-alpine3.19
 * Upgrade tedious to 16.7.1 that supports node 20
 * Moved npm prepare script to prepack & prepublishOnly as prepare incorrectly runs during npm install --production see npm/cli#4027
justinwyer added a commit to justinwyer/Azurite that referenced this issue Mar 22, 2024
@justinwyer
Fixes Azure#2361
f9a2037 
 * Upgrade docker base image to node:20-alpine3.19
 * Upgrade tedious to 16.7.1 that supports node 20
 * Moved npm prepare script to prepack, prepublishOnly & postinstallas & added `--ignore-scripts` as prepare does not respect `--ignore-scripts` see npm/cli#3707
justinwyer added a commit to justinwyer/Azurite that referenced this issue Mar 22, 2024
@justinwyer
Fixes Azure#2361
a8580fd 
 * Upgrade docker base image to node:20-alpine3.19
 * Upgrade tedious to 16.7.1 that supports node 20
 * Moved npm prepare script to prepack, prepublishOnly & postinstallas & added `--ignore-scripts` as prepare does not respect `--ignore-scripts` see npm/cli#3707
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@EmmaZhu EmmaZhu

Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
4 participants
@EmmaZhu @blueww @WillStephen @levpachmanov