
busybox v1.34.1: CVE-2022-28391

Open cbl315 opened this issue 3 years ago • 1 comments

What did you do? Scan image and find CVE: CVE-2022-28391

What did you expect to see? Upgrade busybox to v1.35

  • Alertmanager version: image: quay.io/prometheus/alertmanager:v0.24.0

cbl315 avatar Jul 06 '22 02:07 cbl315

I am facing the same issue (Installed Resource: busybox 1.34.1). Do you have a workaround?

tooptoop4 avatar Jul 13 '22 06:07 tooptoop4

Alertmanager doesn't use the netstat program, so the CVE doesn't really apply. However, the next release of Alertmanager will use a patched busybox image.

simonpasquier avatar Sep 23 '22 15:09 simonpasquier

@simonpasquier When will the next release be? 0.24.0 was quite a few months ago.

liam-verta avatar Dec 15 '22 17:12 liam-verta

The first release candidate of v0.25.0 is in the works: #3176

simonpasquier avatar Dec 16 '22 09:12 simonpasquier

Where is it patching busybox?

liam-verta avatar Dec 16 '22 19:12 liam-verta

Sorry, I replied too fast. This isn't fixed in the official busybox image, and not even in busybox: https://github.com/docker-library/busybox/issues/133

simonpasquier avatar Dec 19 '22 08:12 simonpasquier

It is fixed in the Alpine build of busybox. https://security.alpinelinux.org/vuln/CVE-2022-28391

I've got a PR open to create a base image that uses Alpine's busybox, but it has been dragging.

https://github.com/prometheus/busybox/pull/51

liam-verta avatar Dec 19 '22 22:12 liam-verta