
Update distroless base images #12061

Merged
merged 2 commits into from
Feb 28, 2023

Conversation

prestonvanloon
Member

What type of PR is this?

Other

What does this PR do? Why is it needed?

Updates the base images to solve some HIGH and MEDIUM level CVE reports

CVEs -- Before


gcr.io/prysmaticlabs/prysm/beacon-chain:latest (debian 11.5)
============================================================
Total: 21 (UNKNOWN: 0, LOW: 11, MEDIUM: 4, HIGH: 6, CRITICAL: 0)

┌───────────┬──────────────────┬──────────┬───────────────────┬──────────────────┬─────────────────────────────────────────────────────────────┐
│  Library  │  Vulnerability   │ Severity │ Installed Version │  Fixed Version   │                            Title                            │
├───────────┼──────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2010-4756    │ LOW      │ 2.31-13+deb11u5   │                  │ glibc: glob implementation can cause excessive CPU and      │
│           │                  │          │                   │                  │ memory consumption due to...                                │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2010-4756                   │
│           ├──────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2018-20796   │          │                   │                  │ glibc: uncontrolled recursion in function                   │
│           │                  │          │                   │                  │ check_dst_limits_calc_pos_1 in posix/regexec.c              │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2018-20796                  │
│           ├──────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2019-1010022 │          │                   │                  │ glibc: stack guard protection bypass                        │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2019-1010022                │
│           ├──────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2019-1010023 │          │                   │                  │ glibc: running ldd on malicious ELF leads to code execution │
│           │                  │          │                   │                  │ because of...                                               │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2019-1010023                │
│           ├──────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2019-1010024 │          │                   │                  │ glibc: ASLR bypass using cache of thread stack and heap     │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2019-1010024                │
│           ├──────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2019-1010025 │          │                   │                  │ glibc: information disclosure of heap addresses of          │
│           │                  │          │                   │                  │ pthread_created thread                                      │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2019-1010025                │
│           ├──────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2019-9192    │          │                   │                  │ glibc: uncontrolled recursion in function                   │
│           │                  │          │                   │                  │ check_dst_limits_calc_pos_1 in posix/regexec.c              │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2019-9192                   │
├───────────┼──────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2022-4450    │ HIGH     │ 1.1.1n-0+deb11u3  │ 1.1.1n-0+deb11u4 │ The function PEM_read_bio_ex() reads a PEM file from a BIO  │
│           │                  │          │                   │                  │ and parses...                                               │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-4450                   │
│           ├──────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2023-0215    │          │                   │                  │ The public API function BIO_new_NDEF is a helper function   │
│           │                  │          │                   │                  │ used for str...                                             │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0215                   │
│           ├──────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2023-0286    │          │                   │                  │ There is a type confusion vulnerability relating to X.400   │
│           │                  │          │                   │                  │ address proc ......                                         │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0286                   │
│           ├──────────────────┼──────────┤                   │                  ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2022-2097    │ MEDIUM   │                   │                  │ openssl: AES OCB fails to encrypt some bytes                │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-2097                   │
│           ├──────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2022-4304    │          │                   │                  │ A timing based side channel exists in the OpenSSL RSA       │
│           │                  │          │                   │                  │ Decryption imple...                                         │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-4304                   │
│           ├──────────────────┼──────────┤                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2007-6755    │ LOW      │                   │                  │ Dual_EC_DRBG: weak pseudo random number generator           │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2007-6755                   │
│           ├──────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2010-0928    │          │                   │                  │ openssl: RSA authentication weakness                        │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2010-0928                   │
├───────────┼──────────────────┼──────────┤                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│ openssl   │ CVE-2022-4450    │ HIGH     │                   │ 1.1.1n-0+deb11u4 │ The function PEM_read_bio_ex() reads a PEM file from a BIO  │
│           │                  │          │                   │                  │ and parses...                                               │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-4450                   │
│           ├──────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2023-0215    │          │                   │                  │ The public API function BIO_new_NDEF is a helper function   │
│           │                  │          │                   │                  │ used for str...                                             │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0215                   │
│           ├──────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2023-0286    │          │                   │                  │ There is a type confusion vulnerability relating to X.400   │
│           │                  │          │                   │                  │ address proc ......                                         │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0286                   │
│           ├──────────────────┼──────────┤                   │                  ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2022-2097    │ MEDIUM   │                   │                  │ openssl: AES OCB fails to encrypt some bytes                │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-2097                   │
│           ├──────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2022-4304    │          │                   │                  │ A timing based side channel exists in the OpenSSL RSA       │
│           │                  │          │                   │                  │ Decryption imple...                                         │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-4304                   │
│           ├──────────────────┼──────────┤                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2007-6755    │ LOW      │                   │                  │ Dual_EC_DRBG: weak pseudo random number generator           │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2007-6755                   │
│           ├──────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2010-0928    │          │                   │                  │ openssl: RSA authentication weakness                        │
│           │                  │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2010-0928                   │
└───────────┴──────────────────┴──────────┴───────────────────┴──────────────────┴─────────────────────────────────────────────────────────────┘

CVEs -- After


bazel/cmd/beacon-chain:image (debian 11.6)
==========================================
Total: 11 (UNKNOWN: 0, LOW: 11, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌───────────┬──────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│  Library  │  Vulnerability   │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├───────────┼──────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2010-4756    │ LOW      │ 2.31-13+deb11u5   │               │ glibc: glob implementation can cause excessive CPU and      │
│           │                  │          │                   │               │ memory consumption due to...                                │
│           │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2010-4756                   │
│           ├──────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2018-20796   │          │                   │               │ glibc: uncontrolled recursion in function                   │
│           │                  │          │                   │               │ check_dst_limits_calc_pos_1 in posix/regexec.c              │
│           │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-20796                  │
│           ├──────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2019-1010022 │          │                   │               │ glibc: stack guard protection bypass                        │
│           │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010022                │
│           ├──────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2019-1010023 │          │                   │               │ glibc: running ldd on malicious ELF leads to code execution │
│           │                  │          │                   │               │ because of...                                               │
│           │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010023                │
│           ├──────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2019-1010024 │          │                   │               │ glibc: ASLR bypass using cache of thread stack and heap     │
│           │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010024                │
│           ├──────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2019-1010025 │          │                   │               │ glibc: information disclosure of heap addresses of          │
│           │                  │          │                   │               │ pthread_created thread                                      │
│           │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010025                │
│           ├──────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2019-9192    │          │                   │               │ glibc: uncontrolled recursion in function                   │
│           │                  │          │                   │               │ check_dst_limits_calc_pos_1 in posix/regexec.c              │
│           │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-9192                   │
├───────────┼──────────────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2007-6755    │          │ 1.1.1n-0+deb11u4  │               │ Dual_EC_DRBG: weak pseudo random number generator           │
│           │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2007-6755                   │
│           ├──────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2010-0928    │          │                   │               │ openssl: RSA authentication weakness                        │
│           │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2010-0928                   │
├───────────┼──────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ openssl   │ CVE-2007-6755    │          │                   │               │ Dual_EC_DRBG: weak pseudo random number generator           │
│           │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2007-6755                   │
│           ├──────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2010-0928    │          │                   │               │ openssl: RSA authentication weakness                        │
│           │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2010-0928                   │
└───────────┴──────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Which issue(s) does this PR fix?

Fixes #9674

Other notes for review
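As an added example (not part of this PR or the Prysm repository), here is a small merge gate that parses the Trivy table output pasted above, diffs the before and after scans, and lists anything still above LOW. It assumes Trivy's default table layout as shown in the report; the `BEFORE` and `AFTER` excerpts are constructed from it and are not the full reports.

```python
import re

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def parse_trivy_table(report: str) -> dict:
    """Map (library, cve) -> severity. Trivy merges cells vertically: an empty
    Library/Severity cell inherits the row above; empty Vulnerability = wrapped Title."""
    findings, library, severity = {}, "", ""
    for line in report.splitlines():
        if not line.startswith("│") or "─" in line:
            continue  # frame, separator or summary line, not a data row
        cells = [c.strip() for c in line.strip().strip("│").split("│")]
        if len(cells) != 6 or cells[1] == "Vulnerability":
            continue  # header row
        library = cells[0] or library
        severity = cells[2] or severity
        if cells[1]:
            findings[(library, cells[1])] = severity
    return findings

def parse_total_line(report: str) -> dict:
    """Read Trivy's own 'Total: N (UNKNOWN: a, LOW: b, ...)' summary line."""
    inner = re.search(r"Total: \d+ \((.*?)\)", report).group(1)
    return {k: int(v) for k, v in re.findall(r"(\w+): (\d+)", inner)}

def severity_counts(findings: dict) -> dict:
    """Recount parsed findings; must equal parse_total_line() for the same report."""
    counts = dict.fromkeys(SEVERITY_RANK, 0)
    for sev in findings.values():
        counts[sev] += 1
    return counts

def diff_scans(before: dict, after: dict):
    """(fixed, introduced) as sorted (library, cve) keys."""
    return (sorted(k for k in before if k not in after),
            sorted(k for k in after if k not in before))

def above_ceiling(findings: dict, ceiling: str = "LOW") -> list:
    """Findings that should block the merge: severity strictly above ceiling."""
    return sorted((lib, cve, sev) for (lib, cve), sev in findings.items()
                  if SEVERITY_RANK[sev] > SEVERITY_RANK[ceiling])

# Constructed excerpts in Trivy's table layout, not the full reports from the PR.
BEFORE = """\
Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 2, CRITICAL: 0)
│  Library  │ Vulnerability │ Severity │ Installed Version│  Fixed Version   │     Title     │
│ libc6     │ CVE-2010-4756 │ LOW      │ 2.31-13+deb11u5  │                  │ glibc: glob   │
│           │               │          │                  │                  │ excessive CPU │
│ libssl1.1 │ CVE-2022-4450 │ HIGH     │ 1.1.1n-0+deb11u3 │ 1.1.1n-0+deb11u4 │ PEM_read_bio  │
│           ├───────────────┤          │                  │                  ├───────────────┤
│           │ CVE-2023-0286 │          │                  │                  │ X.400 confus. │
│           ├───────────────┼──────────┤                  │                  ├───────────────┤
│           │ CVE-2022-2097 │ MEDIUM   │                  │                  │ AES OCB       │
"""
AFTER = """\
Total: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
│ libc6     │ CVE-2010-4756 │ LOW      │ 2.31-13+deb11u5  │               │ glibc: glob   │
├───────────┼───────────────┤          ├──────────────────┼───────────────┼───────────────┤
│ libssl1.1 │ CVE-2007-6755 │          │ 1.1.1n-0+deb11u4 │               │ Dual_EC_DRBG  │
"""
```

Checking `severity_counts()` against `parse_total_line()` catches a parser that mishandles merged cells, which is the failure mode a hand-rolled table parser is most likely to have.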

@prestonvanloon prestonvanloon added CI Continuous integration related items OK to merge labels Feb 28, 2023
@prestonvanloon prestonvanloon requested a review from a team as a code owner February 28, 2023 19:46
@@ -121,32 +121,36 @@ load(
"container_pull",
)

# Pulled gcr.io/distroless/cc-debian11:latest on 2022-02-23
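Review bot: the year in `# Pulled gcr.io/distroless/cc-debian11:latest on 2022-02-23` looks like a typo; the PR is dated Feb 28, 2023 and the author's note says the images were created on the 23rd of this month, so the comment should read 2023-02-23. Because `:latest` is a moving tag, this comment is the only human-readable record of when the tag was resolved for the pinned image, and a date a year stale will mislead whoever next refreshes these pulls.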
Member Author

Reviewers: I know today's date is Feb 28, but these images were created on the 23rd so that is why I referenced it this way.

@prylabs-bulldozer prylabs-bulldozer bot merged commit 91fee5d into develop Feb 28, 2023
@delete-merged-branch delete-merged-branch bot deleted the update-docker-base branch February 28, 2023 22:50
Successfully merging this pull request may close these issues.

CVE's found in prysm