
CVE-2022-37434

Open istvandesign opened this issue 3 years ago • 2 comments

Hello everyone, nginx-1.23.1-alpine has the https://nvd.nist.gov/vuln/detail/CVE-2022-37434 vulnerability, which is critical.

istvandesign avatar Aug 15 '22 15:08 istvandesign

The Alpine base images were specifically updated for CVE-2022-37434 (https://github.com/docker-library/official-images/pull/12929) and all dependent images were rebuilt (that's how the Docker official images program works).

The current image has the latest zlib available for the specific Alpine release (https://security.alpinelinux.org/vuln/CVE-2022-37434):

$ docker run -it --rm nginx:1.23.1-alpine sh
Unable to find image 'nginx:1.23.1-alpine' locally
1.23.1-alpine: Pulling from library/nginx
213ec9aee27d: Pull complete 
2546ae67167b: Pull complete 
23b845224e13: Pull complete 
9bd5732789a3: Pull complete 
328309e59ded: Pull complete 
b231d02e5150: Pull complete 
Digest: sha256:082f8c10bd47b6acc8ef15ae61ae45dd8fde0e9f389a8b5cb23c37408642bf5d
Status: Downloaded newer image for nginx:1.23.1-alpine
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.16.2
PRETTY_NAME="Alpine Linux v3.16"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/community/x86_64/APKINDEX.tar.gz
v3.16.2-31-gfe918834c6 [https://dl-cdn.alpinelinux.org/alpine/v3.16/main]
v3.16.2-35-g8b5106c6a8 [https://dl-cdn.alpinelinux.org/alpine/v3.16/community]
OK: 17029 distinct packages available
/ # apk info zlib
zlib-1.2.12-r3 description:
A compression/decompression Library

zlib-1.2.12-r3 webpage:
https://zlib.net/

zlib-1.2.12-r3 installed size:
108 KiB

/ # apk upgrade
OK: 26 MiB in 42 packages
/ # 

yosifkit avatar Aug 16 '22 18:08 yosifkit
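The check the maintainer performs above can be scripted. The following is an added example, not code from the thread or from the docker-nginx project: it parses captured `apk info zlib` output and compares the installed package version with the version that carries the fix for the image's Alpine release. The fixed-version table (filled from the version the session shows) and the version parser, which handles only numeric `N.N.N[-rN]` versions, are assumptions.

```python
import re
from typing import Dict, Tuple

# Constructed sample input: the `apk info zlib` output quoted in the session
# above, as captured from `docker run --rm <image> apk info zlib`.
APK_INFO_OUTPUT = """zlib-1.2.12-r3 description:
A compression/decompression Library

zlib-1.2.12-r3 webpage:
https://zlib.net/

zlib-1.2.12-r3 installed size:
108 KiB
"""

# Assumption: fixed version per Alpine release, to be taken from the Alpine
# security tracker linked in the thread; 1.2.12-r3 is what the session shows.
FIXED_ZLIB = {"3.16": "1.2.12-r3"}

# `<name>-<version> description:` header lines; names may themselves contain '-'
PKG_LINE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d\S*) description:$", re.MULTILINE)
# Numeric apk version subset: N(.N)* with optional -rN package release
VERSION = re.compile(r"^(?P<base>\d+(?:\.\d+)*)(?:-r(?P<rel>\d+))?$")


def parse_apk_info(text: str) -> Dict[str, str]:
    """Map package name -> version from `apk info <pkg>` output."""
    return {m["name"]: m["ver"] for m in PKG_LINE.finditer(text)}


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sort key for the numeric subset; _alpha/_p style suffixes are rejected."""
    m = VERSION.match(version)
    if not m:
        raise ValueError(f"unsupported apk version syntax: {version!r}")
    base = tuple(int(x) for x in m["base"].split("."))
    return base, int(m["rel"] or 0)


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed version is at or beyond the fixed version."""
    return version_key(installed) >= version_key(fixed)


def check_zlib(apk_output: str, alpine_release: str) -> Tuple[str, bool]:
    """Return (installed zlib version, patched?) for one image's apk output."""
    installed = parse_apk_info(apk_output).get("zlib")
    if installed is None:
        raise ValueError("zlib not found in apk info output")
    return installed, is_fixed(installed, FIXED_ZLIB[alpine_release])


if __name__ == "__main__":
    print(check_zlib(APK_INFO_OUTPUT, "3.16"))  # ('1.2.12-r3', True)
```

Because the same tag is rebuilt whenever the base image changes, pin deployments by the image digest shown in the pull output rather than by tag, and re-run the check against the digest actually in use.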

Thank you for answering. After investigating a little bit I discovered that the updated image is not versioned appropriately. The same version will be released multiple times with different base images.

I had to just pull the same docker image version again and it is indeed fixed.

istvandesign avatar Aug 16 '22 19:08 istvandesign

The issue is fixed.

thresheek avatar Sep 07 '22 14:09 thresheek