busybox v1.34.1: CVE-2022-28391

[cbl315]

What did you do?
Scan image and find CVE:
CVE-2022-28391

What did you expect to see?
Upgrade busybox to v1.35

• Alertmanager version:
  image: quay.io/prometheus/alertmanager:v0.24.0

[tooptoop4]

i am facing same issue (Installed Resource: busybox 1.34.1), do u have workaround?

[simonpasquier]

Alertmanager doesn't use the netstat program so the CVE doesn't really apply. However the next release of Alertmanager will use a patched busybox image.

[liam-verta]

@simonpasquier When will the next release be? 0.24.0 was quite a few months ago.

[simonpasquier]

the first release candidate of v0.25.0 is in the works: #3176

[liam-verta]

Where is it patching busybox?

[simonpasquier]

sorry I replied too fast, this isn't fixed in the official busybox image and not even in busybox: docker-library/busybox#133

[liam-verta]

It is fixed in the Alpine build of busybox.
https://security.alpinelinux.org/vuln/CVE-2022-28391

I've got a PR open to create a base image the uses Alpine's busybox, but it has been dragging.

prometheus/busybox#51

[TheMeier]

This is outdated