[bitnami/wordpress] opencontainers runc upgrade
Name and Version
bitnami/wordpress:6.0.2-debian-11-r8
What is the problem this feature will solve?
We are getting vulnerability reports when scanning images built with this image for opencontainers/runc. The specific details are:
Security update has been released for github.com/opencontainers/runc to fix the vulnerability.
The patch for this is d72d057ba794164c3cce9451a00b72a78b25e1ae and runc 1.0.3 was released with this bug fixed.
Workaround: To the extent this is exploitable, disallowing untrusted namespace paths in container configuration should eliminate all practical ways of exploiting this bug. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.
Patch: Following are links for downloading patches to fix the vulnerabilities: https://github.com/advisories/GHSA-v95c-p5hm-xq8f
What is the feature you are proposing to solve the problem?
I believe this would be foundational to all images - not just the wordpress one I am using.
What alternatives have you considered?
None.
Hi,
Thank you so much for creating the issue. There is something that I don't fully understand. If the issue is in runc itself, then updating runc should fix the issue, right? It's more about the engine that runs the container than the container itself, is that correct?
In general that is correct. But, this vulnerability is seen when the image itself is scanned - not when it is running in a container. I hoped someone on this team would know how that may be possible. I also ran the image using docker and logged into the container to try and find a runc binary but couldn't locate it on the container. So, I wasn't sure how the scan was picking it up.
Which is the scanner you are using to see this vulnerability?
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
It is the Azure Cloud Defender service that scans our container registries where we deploy our images based on this image.
@tsands2 Could you add the CVE identifier to the issue description?
Hey @tsands2!
CVE-2021-43784 comes from gosu, which we use here: https://github.com/bitnami/containers/blob/977aa64162790fe57d2ad929c2a1d14ccbcbb94d/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh#L471-L473
The severity of the vulnerability is medium and gosu hasn't released a new version fixing it. It is one of the packages that we automatically track, so once there is a new version, we will use it: https://github.com/bitnami/containers/blob/977aa64162790fe57d2ad929c2a1d14ccbcbb94d/bitnami/wordpress/6/debian-11/Dockerfile#L31
More information from the upstream project about CVEs and false-positives.
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
Aqua Scanner and Trivy (CLI tool), both from aquasec.com, flag runc as vulnerable. This occurs with any image using runc version v1.0.1 (CVE-2022-29162). It should be fixed with runc v1.1.2 (https://avd.aquasec.com/nvd/cve-2022-29162).
More details here: https://nvd.nist.gov/vuln/detail/CVE-2022-29162
> @tsands2 Could you add the CVE identifier to the issue description?

This is CVE-2022-29162: https://nvd.nist.gov/vuln/detail/CVE-2022-29162
Hi, we are glad to announce that we got rid of gosu in all Bitnami container images, so the false positives previously reported by some CVE scanners will not appear anymore:
```
$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r22

bitnami/postgresql:15.2.0-debian-11-r22 (debian 11.6)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

opt/bitnami/common/bin/gosu (gobinary)
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)
┌────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library                        │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │ Title                                                      │
├────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2022-29162 │ HIGH     │ v1.1.0            │ v1.1.2        │ runc: incorrect handling of inheritable capabilities       │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29162                 │
│                                ├────────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-27561 │          │                   │ v1.1.5        │ runc: volume mount race condition (regression of           │
│                                │                │          │                   │               │ CVE-2019-19921)                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-27561                 │
│                                ├────────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-24769 │ MEDIUM   │                   │ v1.1.2        │ moby: Default inheritable capabilities for linux container │
│                                │                │          │                   │               │ should be empty                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24769                 │
└────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```

VS

```
$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r23

bitnami/postgresql:15.2.0-debian-11-r23 (debian 11.6)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
From now on, gosu functionality is replaced by chroot. In this PR you can find an example of this implementation.
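The thread's puzzle (a runc CVE flagged in an image that contains no runc binary) comes down to how scanners such as Trivy treat Go binaries: they read the module list the Go toolchain embeds at build time, the same data `go version -m <binary>` prints, and compare each module version against fixed versions. The following is an added example, not Bitnami or Trivy code, that reproduces that check over a constructed `go version -m` listing for a gosu-like binary; the fixed versions are the ones shown in the Trivy output above, and the module hashes are placeholders.

```python
"""Compare Go modules embedded in a binary against known fixed versions."""
import subprocess
from typing import Dict, List, Tuple

# Fixed versions as reported by the Trivy run quoted in the thread.
FIXED_VERSIONS = {
    "github.com/opencontainers/runc": {
        "CVE-2022-29162": "v1.1.2",
        "CVE-2022-24769": "v1.1.2",
        "CVE-2023-27561": "v1.1.5",
    },
}

# Constructed sample of `go version -m` output (hashes are placeholders).
SAMPLE_GO_VERSION_M = """\
/opt/bitnami/common/bin/gosu: go1.18.2
\tpath\tgithub.com/tianon/gosu
\tmod\tgithub.com/tianon/gosu\t(devel)\t
\tdep\tgithub.com/opencontainers/runc\tv1.1.0\th1:CONSTRUCTEDHASH=
\tdep\tgolang.org/x/sys\tv0.0.0-20211116061358-0a5406a5449c\th1:CONSTRUCTEDHASH=
"""


def parse_deps(output: str) -> Dict[str, str]:
    """Return {module path: version} for every tab-separated dep/mod line."""
    deps: Dict[str, str] = {}
    for line in output.splitlines():
        fields = line.split("\t")  # "", "dep", "<module>", "<version>", "<hash>"
        if len(fields) >= 4 and fields[1] in ("dep", "mod"):
            deps[fields[2]] = fields[3]
    return deps


def version_tuple(v: str) -> Tuple[int, ...]:
    """Map 'v1.1.0' or a pseudo-version 'v0.0.0-2021...-abc' to a comparable tuple."""
    core = v.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def affected_cves(deps: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """List (module, installed, cve, fixed) for each module older than its fix."""
    hits = []
    for module, cves in FIXED_VERSIONS.items():
        installed = deps.get(module)
        if installed is None:
            continue
        for cve, fixed in cves.items():
            if version_tuple(installed) < version_tuple(fixed):
                hits.append((module, installed, cve, fixed))
    return sorted(hits)


def scan_binary(path: str) -> List[Tuple[str, str, str, str]]:
    """Run the real `go version -m` on a binary (requires a Go toolchain)."""
    out = subprocess.run(["go", "version", "-m", path], check=True,
                         capture_output=True, text=True).stdout
    return affected_cves(parse_deps(out))
```

Running `scan_binary` against the old `gosu` path would list the same three CVEs as the Trivy table; against a chroot-based image there is no Go binary embedding runc, so there is nothing to flag.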