Describe the Bug

alpine based images use
libcrypto3 version 3.3.1-r0
libssl3 version 3.3.1-r0
that are reported to be susceptible to CVE-2024-5535

Steps to Reproduce

use Anchore grype tool to scan sdk, runtime-deps built image and you get something like this

$ grype mcr.microsoft.com/dotnet/sdk:8.0-alpine
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    mcr.microsoft.com/dotnet/sdk:8.0-alpine
 ✔ Parsed image                    sha256:b11cdb741756c274313c967bbbdd97f1a6912b7162cfa2fd6865f04f460b6337
 ✔ Cataloged packages              [3817 packages]
 ✔ Scanned for vulnerabilities     [9 vulnerability matches]
   ├── by severity: 2 critical, 1 high, 2 medium, 1 low, 0 negligible (3 unknown)
   └── by status:   4 fixed, 5 not-fixed, 0 ignored
[0010]  WARN cataloger failed cataloger=sbom-cataloger error=sbom format not recognized location=/usr/share/powershell/.store/powershell.linux.alpine/7.4.3/powershell.linux.alpine/7.4.3/too
NAME          INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
curl          8.5.0-r0             apk   CVE-2024-2398   High
curl          8.5.0-r0             apk   CVE-2024-0853   Medium
curl          8.5.0-r0             apk   CVE-2024-2004   Low
curl          8.5.0-r0             apk   CVE-2024-2466   Unknown
libcrypto3    3.1.5-r0   3.1.6-r0  apk   CVE-2024-5535   Critical
libcrypto3    3.1.5-r0   3.1.6-r0  apk   CVE-2024-4741   Unknown
libssl3       3.1.5-r0   3.1.6-r0  apk   CVE-2024-5535   Critical
libssl3       3.1.5-r0   3.1.6-r0  apk   CVE-2024-4741   Unknown
nghttp2-libs  1.58.0-r0            apk   CVE-2024-28182  Medium

Other Information

GitHub automated scanning caught this for me. Also docker.com lists alpine as being affected here
https://hub.docker.com/layers/library/alpine/3.20/images/sha256-dabf91b69c191a1a0a1628fd6bdd029c0c4018041c7f052870bb13c5a222ae76?context=repo&tab=vulnerabilities

Output of docker version

Output of docker info
There's no NVD score for CVE-2024-5535 yet, but given GitHub rates it as Critical, I rebuilt the Alpine images with the new OpenSSL version.
With Trivy:
PS> docker pull mcr.microsoft.com/dotnet/runtime-deps:8.0-alpine3.20
...
Digest: sha256:ce27c5bb26805aeeb726ae50b2f17bf58bef3818aeb9e189d2b8b7e25fcd46dc

PS> docker run --rm aquasec/trivy image mcr.microsoft.com/dotnet/runtime-deps:8.0-alpine3.20
...
mcr.microsoft.com/dotnet/runtime-deps:8.0-alpine3.20 (alpine 3.20.1)
====================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
You verify all the Alpine tags have been updated by checking the "last modified" column on MAR: https://mcr.microsoft.com/product/dotnet/runtime-deps/tags
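A release gate over the output of the two scanners used in this thread (the reporter's grype run and the maintainer's Trivy re-check), added here as an example that is not code from the issue or from the dotnet-docker project. It assumes the key names of grype's `-o json` and Trivy's `-f json` output as documented by those tools, and the sample documents are constructed from the rows quoted above.

```python
"""Gate a container image on scanner findings.  Added example, not code from the
dotnet-docker issue or project.  It normalises grype and Trivy JSON output (the two
scanners used in the thread) into one record shape and blocks when a fixable HIGH or
CRITICAL finding is present.  Key names follow the tools' documented JSON schemas
(assumed here, not copied from the issue); the sample documents are constructed."""
import json

GATE_SEVERITIES = {"HIGH", "CRITICAL"}

def normalize_grype(doc):
    """grype -o json: matches[].artifact{name,version} and vulnerability{id,severity,fix}."""
    out = []
    for m in doc.get("matches", []):
        v, a = m["vulnerability"], m["artifact"]
        out.append({"pkg": a["name"], "installed": a["version"], "id": v["id"],
                    "severity": v.get("severity", "Unknown").upper(),
                    "fixed_in": ", ".join(v.get("fix", {}).get("versions", [])) or None})
    return out

def normalize_trivy(doc):
    """trivy image -f json: Results[].Vulnerabilities[] (null when the target is clean)."""
    out = []
    for r in doc.get("Results", []):
        for v in r.get("Vulnerabilities") or []:
            out.append({"pkg": v["PkgName"], "installed": v["InstalledVersion"],
                        "id": v["VulnerabilityID"], "severity": v.get("Severity", "UNKNOWN").upper(),
                        "fixed_in": v.get("FixedVersion") or None})
    return out

def gate(findings):
    """Findings that should block a release: HIGH/CRITICAL with a fixed version available.
    Unfixed findings are worth reporting but give nothing to rebuild against yet."""
    blocking = [f for f in findings if f["fixed_in"] and f["severity"] in GATE_SEVERITIES]
    return sorted(blocking, key=lambda f: (f["id"], f["pkg"]))

# Constructed sample in grype's shape: the libssl3/libcrypto3 rows from the issue's
# scan (3.1.5-r0 fixed in 3.1.6-r0) plus an unfixed curl finding that must not block.
GRYPE_SAMPLE = json.loads('''{"matches": [
 {"artifact": {"name": "libssl3", "version": "3.1.5-r0"},
  "vulnerability": {"id": "CVE-2024-5535", "severity": "Critical", "fix": {"versions": ["3.1.6-r0"], "state": "fixed"}}},
 {"artifact": {"name": "libcrypto3", "version": "3.1.5-r0"},
  "vulnerability": {"id": "CVE-2024-5535", "severity": "Critical", "fix": {"versions": ["3.1.6-r0"], "state": "fixed"}}},
 {"artifact": {"name": "curl", "version": "8.5.0-r0"},
  "vulnerability": {"id": "CVE-2024-2398", "severity": "High", "fix": {"versions": [], "state": "not-fixed"}}}]}''')
# Constructed sample in Trivy's shape for the rebuilt image: no vulnerabilities at all.
TRIVY_CLEAN = json.loads('{"Results": [{"Target": "runtime-deps (alpine 3.20.1)", "Vulnerabilities": null}]}')

if __name__ == "__main__":
    for f in gate(normalize_grype(GRYPE_SAMPLE)):
        print(f"BLOCK {f['id']} {f['pkg']} {f['installed']} -> {f['fixed_in']}")
```

In a pipeline the two `json.loads` calls would read the scanner's JSON file instead of the embedded samples, and a non-empty `gate()` result is what fails the build until the image is rebuilt on a base with the fixed packages.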