
Alpine based sdk, runtime-deps with alpine-3.19 and alpine-3.20 are affected by CVE-2024-5535 #5653

Closed
ChaosEngine opened this issue Jul 5, 2024 · 1 comment

Comments

@ChaosEngine

Describe the Bug

alpine based images use
libcrypto3 version 3.3.1-r0
libssl3 version 3.3.1-r0
that are reported to be susceptible to CVE-2024-5535

Steps to Reproduce

Use the Anchore grype tool to scan an sdk or runtime-deps built image and you get something like this:

$ grype mcr.microsoft.com/dotnet/sdk:8.0-alpine
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    mcr.microsoft.com/dotnet/sdk:8.0-alpine
 ✔ Parsed image                    sha256:b11cdb741756c274313c967bbbdd97f1a6912b7162cfa2fd6865f04f460b6337
 ✔ Cataloged packages              [3817 packages]
 ✔ Scanned for vulnerabilities     [9 vulnerability matches]
   ├── by severity: 2 critical, 1 high, 2 medium, 1 low, 0 negligible (3 unknown)
   └── by status:   4 fixed, 5 not-fixed, 0 ignored
[0010]  WARN cataloger failed cataloger=sbom-cataloger error=sbom format not recognized location=/usr/share/powershell/.store/powershell.linux.alpine/7.4.3/powershell.linux.alpine/7.4.3/too
NAME          INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
curl          8.5.0-r0             apk   CVE-2024-2398   High
curl          8.5.0-r0             apk   CVE-2024-0853   Medium
curl          8.5.0-r0             apk   CVE-2024-2004   Low
curl          8.5.0-r0             apk   CVE-2024-2466   Unknown
libcrypto3    3.1.5-r0   3.1.6-r0  apk   CVE-2024-5535   Critical
libcrypto3    3.1.5-r0   3.1.6-r0  apk   CVE-2024-4741   Unknown
libssl3       3.1.5-r0   3.1.6-r0  apk   CVE-2024-5535   Critical
libssl3       3.1.5-r0   3.1.6-r0  apk   CVE-2024-4741   Unknown
nghttp2-libs  1.58.0-r0            apk   CVE-2024-28182  Medium

Other Information

GitHub automated scanning caught this for me. Also, docker.com lists alpine as being affected here:

https://hub.docker.com/layers/library/alpine/3.20/images/sha256-dabf91b69c191a1a0a1628fd6bdd029c0c4018041c7f052870bb13c5a222ae76?context=repo&tab=vulnerabilities

Output of docker version

Output of docker info
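A small CI gate over grype's table output, added here as an example and not code from the dotnet-docker issue or its maintainers. It keeps only matches that list a FIXED-IN version (the ones a rebuild of the base image actually removes, as with the OpenSSL rows above), fails the build when any of those meets a chosen severity, and prints the package upgrades the rebuild needs. The sample scan text is a constructed subset of the output shown in the issue.

```shell
#!/bin/sh
# Added example (not from the dotnet-docker project): a CI gate over grype's
# table output that acts only on fixable findings.
# SAMPLE_GRYPE_OUTPUT is a constructed subset of the scan shown in the issue.

SAMPLE_GRYPE_OUTPUT='NAME          INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
curl          8.5.0-r0             apk   CVE-2024-2398   High
libcrypto3    3.1.5-r0   3.1.6-r0  apk   CVE-2024-5535   Critical
libcrypto3    3.1.5-r0   3.1.6-r0  apk   CVE-2024-4741   Unknown
libssl3       3.1.5-r0   3.1.6-r0  apk   CVE-2024-5535   Critical
nghttp2-libs  1.58.0-r0            apk   CVE-2024-28182  Medium'

# Print "NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY" for each row that has
# a FIXED-IN value. grype leaves that column blank when no fix exists, so such
# rows have one field fewer; awk tells the two shapes apart by NF.
fixable_findings() {
    awk 'NR == 1 { next }                     # skip the header line
         NF == 6 { print $1, $2, $3, $5, $6 } # fixed version present
         NF == 5 { next }                     # no fix available: not actionable'
}

# Map a severity word to a rank so a threshold can be compared numerically.
severity_rank() {
    case "$1" in
        Critical) echo 4 ;; High) echo 3 ;; Medium) echo 2 ;; Low) echo 1 ;;
        *) echo 0 ;;   # Negligible / Unknown
    esac
}

# Read fixable_findings output on stdin; return 1 if any row is at or above
# the threshold severity given as $1 (e.g. High).
fixable_gate() {
    threshold=$(severity_rank "$1")
    status=0
    while read -r name installed fixed vuln sev; do
        if [ "$(severity_rank "$sev")" -ge "$threshold" ]; then
            echo "FAIL: $vuln in $name $installed (fixed in $fixed)" >&2
            status=1
        fi
    done
    return $status
}

# Unique "package fixed-version" pairs: the upgrades the rebuild needs.
upgrade_plan() {
    fixable_findings | awk '!seen[$1]++ { print $1, $3 }'
}

printf '%s\n' "$SAMPLE_GRYPE_OUTPUT" | upgrade_plan
printf '%s\n' "$SAMPLE_GRYPE_OUTPUT" | fixable_findings | fixable_gate High \
    || echo "gate failed: rebuild with patched packages"
```

In a pipeline, feed it the real scan with `grype <image> | fixable_findings | fixable_gate High`; rows without a FIXED-IN value (such as the curl and nghttp2-libs entries above) never fail the gate because rebuilding cannot remove them yet.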

@lbussell
Contributor

lbussell commented Jul 5, 2024

There's no NVD score for CVE-2024-5535 yet, but given GitHub rates it as Critical, I rebuilt the Alpine images with the new OpenSSL version.

With Trivy:

PS> docker pull mcr.microsoft.com/dotnet/runtime-deps:8.0-alpine3.20
...
Digest: sha256:ce27c5bb26805aeeb726ae50b2f17bf58bef3818aeb9e189d2b8b7e25fcd46dc

PS> docker run --rm aquasec/trivy image mcr.microsoft.com/dotnet/runtime-deps:8.0-alpine3.20
...
mcr.microsoft.com/dotnet/runtime-deps:8.0-alpine3.20 (alpine 3.20.1)
====================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

You can verify all the Alpine tags have been updated by checking the "last modified" column on MAR: https://mcr.microsoft.com/product/dotnet/runtime-deps/tags

@lbussell lbussell closed this as completed Jul 5, 2024