several vulnerability related to linux image #111

Open
denevers opened this issue Jan 22, 2022 · 4 comments

@denevers
Collaborator

AWS identified several CVEs in the Linux image running the webapp.

| Name | Package | Severity | Description |
|---|---|---|---|
| CVE-2019-25013 | glibc:2.28-10 | HIGH | The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read. |
| CVE-2021-33574 | glibc:2.28-10 | HIGH | The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. |
| CVE-2018-12886 | gcc-8:8.3.0-6 | MEDIUM | stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. |
| CVE-2020-1751 | glibc:2.28-10 | MEDIUM | An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability. |
| CVE-2021-3326 | glibc:2.28-10 | MEDIUM | The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service. |
| CVE-2021-35942 | glibc:2.28-10 | MEDIUM | The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations. |
| CVE-2021-43618 | gmp:2:6.1.2+dfsg-4 | MEDIUM | GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms. |
| CVE-2021-33560 | libgcrypt20:1.8.4-5+deb10u1 | MEDIUM | Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP. |
| CVE-2019-12290 | libidn2:2.0.5-1+deb10u1 | MEDIUM | GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated. |
| CVE-2020-14155 | pcre3:2:8.39-12 | MEDIUM | libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring. |
| CVE-2020-16156 | perl:5.28.1-6+deb10u1 | MEDIUM | CPAN 2.28 allows Signature Verification Bypass. |
| CVE-2019-3844 | systemd:241-7~deb10u8 | MEDIUM | It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled. |
| CVE-2019-3843 | systemd:241-7~deb10u8 | MEDIUM | It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled. |
@denevers
Collaborator Author

For info, the currently running image:

```
cat /etc/*-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@794f86319a74:/usr/local/tomcat#
```

@denevers
Collaborator Author

I will check them all and create a separate issue, or group them, as relevant.

HIGH have their own issue

Also, keep this in mind: https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
To discuss with the AWS security team how they feel about it.
