
security vulnerabilities in cloud SDK 387.0.0

Open rvillane opened this issue 2 years ago • 3 comments

Hi, we use the google/cloud-sdk base image to execute multiple k8s cronjobs in GKE and our container scanning process started detecting the following Critical and High severity vulnerabilities across multiple binaries in the base image:

  1. https://nvd.nist.gov/vuln/detail/CVE-2022-23806
  2. https://nvd.nist.gov/vuln/detail/CVE-2020-7471
  3. https://nvd.nist.gov/vuln/detail/CVE-2022-24675
  4. https://nvd.nist.gov/vuln/detail/CVE-2022-28327
  5. https://nvd.nist.gov/vuln/detail/CVE-2015-8549
  6. https://nvd.nist.gov/vuln/detail/CVE-2016-10745
  7. https://nvd.nist.gov/vuln/detail/CVE-2019-109068

The base image we use is either:

  • FROM google/cloud-sdk:slim
  • FROM google/cloud-sdk:latest

As a workaround, we are uninstalling some of the gcloud components pre-installed in the base image:

   RUN apt-get autoremove -y google-cloud-sdk-app-engine-go google-cloud-sdk-cbt \
       google-cloud-sdk-bigtable-emulator google-cloud-sdk-datalab google-cloud-sdk-datastore-emulator \
       google-cloud-sdk-firestore-emulator google-cloud-sdk-pubsub-emulator google-cloud-sdk-spanner-emulator \
       google-cloud-sdk-local-extract google-cloud-sdk-app-engine-java google-cloud-sdk-app-engine-python \
       google-cloud-sdk-app-engine-python-extras google-cloud-sdk-kpt

cloud-sdk base image users will benefit from fixing the vulnerabilities described above.

thanks

rvillane avatar Jun 27 '22 21:06 rvillane

Hi there. Seems like many of these are from the base image. Could you however send a detailed report with the files that triggered the CVE? Also noticed that some of your links seem incorrect. Could you please correct them in the detailed report?

We also have https://github.com/GoogleCloudPlatform/cloud-sdk-docker/pull/276/ in motion, which should hopefully resolve some of these.

s4shyam95 avatar Jun 30 '22 16:06 s4shyam95

Hi @s4shyam95, I don't have an easy way to export a detailed report but I will provide all the detail I can. Glad to see #276, I agree it should fix many issues from the base image:

https://nvd.nist.gov/vuln/detail/CVE-2022-23806:

  • /usr/bin/kubectl -> go version 1.17.6 has 6 vulnerabilities
  • /usr/local/bin/docker -> go version 1.16.12 has 7 vulnerabilities
  • /usr/lib/google-cloud-sdk/bin/kpt -> go version 1.16.13 has 7 vulnerabilities
  • /usr/lib/google-cloud-sdk/bin/cloud_spanner_emulator/gateway_main -> go version 1.15.7 has 19 vulnerabilities
  • /usr/bin/kubectl -> go version 1.17.9 has 11 vulnerabilities

https://nvd.nist.gov/vuln/detail/CVE-2020-7471:

  • /usr/bin/kubectl -> go version 1.17.7 has 3 vulnerabilities
  • django -> django version 1.11.9 has 16 vulnerabilities

https://nvd.nist.gov/vuln/detail/CVE-2022-24675

  • /usr/lib/google-cloud-sdk/platform/google_appengine/go-app-stager -> go version 1.18-pre8 cl/413676165 +d34051bf16 X:fieldtrack has 2 vulnerabilities

https://nvd.nist.gov/vuln/detail/CVE-2022-28327

  • /usr/bin/kubectl -> go version 1.17.7 has 3 vulnerabilities

https://nvd.nist.gov/vuln/detail/CVE-2015-8549

  • pyamf -> pyamf version 0.6.1 has 1 vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2016-10745

  • jinja2 -> jinja2 version 2.6 has 4 vulnerabilities

rvillane avatar Jul 19 '22 02:07 rvillane
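The report above is a scanner reading the Go toolchain version embedded in each binary and matching it against the Go patch releases that fixed the listed CVEs. The following Go program is an added example (not part of this thread, the cloud-sdk-docker project, or the scanner used) that reproduces that check locally: it walks a directory, reads each Go binary's build info with `debug/buildinfo` (the same data `go version -m <file>` prints), and reports which of the thread's Go CVEs still apply. The `fixedIn` table is taken from the Go 1.16.14/1.17.7, 1.16.15/1.17.8 and 1.17.9/1.18.1 security release announcements; the default scan root is assumed for illustration and can be overridden on the command line.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
)

// Go patch releases that fixed each CVE named in this thread, listed per
// minor line in ascending order (the scan logic below relies on that order).
var fixedIn = map[string][]string{
	"CVE-2022-23806": {"1.16.14", "1.17.7"}, // crypto/elliptic
	"CVE-2022-23772": {"1.16.14", "1.17.7"}, // math/big
	"CVE-2022-23773": {"1.16.14", "1.17.7"}, // cmd/go
	"CVE-2022-24921": {"1.16.15", "1.17.8"}, // regexp
	"CVE-2022-24675": {"1.17.9", "1.18.1"},  // encoding/pem
	"CVE-2022-28327": {"1.17.9", "1.18.1"},  // crypto/elliptic
}

type goVer struct{ major, minor, patch int }

// leadingInt parses the digits at the start of s ("5b7" -> 5).
func leadingInt(s string) (int, error) {
	n := 0
	for n < len(s) && s[n] >= '0' && s[n] <= '9' {
		n++
	}
	if n == 0 {
		return 0, fmt.Errorf("no digits in %q", s)
	}
	return strconv.Atoi(s[:n])
}

// parseGoVersion accepts the forms seen in the thread: "go1.17.9", "1.17.6",
// "1.18-pre8 cl/413676165 +d34051bf16 X:fieldtrack" and "1.17.5b7". Anything
// after the numeric patch component is dropped, so pre-release and vendor
// builds compare as the base release and are treated as unpatched.
func parseGoVersion(s string) (goVer, bool) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	if i := strings.IndexAny(s, " -"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 {
		return goVer{}, false
	}
	var v goVer
	var err error
	if v.major, err = strconv.Atoi(parts[0]); err != nil {
		return goVer{}, false
	}
	if v.minor, err = leadingInt(parts[1]); err != nil {
		return goVer{}, false
	}
	if len(parts) > 2 {
		if v.patch, err = leadingInt(parts[2]); err != nil {
			return goVer{}, false
		}
	}
	return v, true
}

func (a goVer) less(b goVer) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// vulnerable reports whether toolchain v predates the fix. On a minor line that
// received a fix, v must be at or above it; a line older than every fixed line
// never got the fix (unsupported) and is affected; a newer line inherits it.
func vulnerable(v goVer, fixes []string) bool {
	for _, f := range fixes {
		fv, ok := parseGoVersion(f)
		if !ok {
			continue
		}
		if fv.major == v.major && fv.minor == v.minor {
			return v.less(fv)
		}
		if v.less(fv) {
			return true
		}
	}
	return false
}

// affectedCVEs returns, sorted, the CVEs from fixedIn that a binary built with
// the given toolchain version still carries (nil if the version is unparseable).
func affectedCVEs(version string) []string {
	v, ok := parseGoVersion(version)
	if !ok {
		return nil
	}
	var out []string
	for cve, fixes := range fixedIn {
		if vulnerable(v, fixes) {
			out = append(out, cve)
		}
	}
	sort.Strings(out)
	return out
}

// goVersionOf reads the toolchain version from a Go binary's embedded build
// info; files that are not Go binaries return an error.
func goVersionOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

// scanTree walks root and maps every Go binary found to the CVEs it still
// carries (an empty slice means the toolchain is patched for all of them).
func scanTree(root string) map[string][]string {
	report := map[string][]string{}
	filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return nil
		}
		ver, err := goVersionOf(path)
		if err != nil {
			return nil // not a Go binary
		}
		report[path] = affectedCVEs(ver)
		return nil
	})
	return report
}

func main() {
	root := "/usr/lib/google-cloud-sdk/bin" // assumed default; pass a path to override
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	for path, cves := range scanTree(root) {
		ver, _ := goVersionOf(path)
		fmt.Printf("%s\t%s\t%v\n", path, ver, cves)
	}
}
```

Run inside the image (e.g. `go run check.go /usr/bin`) to see the same toolchain/CVE pairing the scanner reported; the counts match the thread for the six Go CVEs (1.17.6 and 1.17.5b7 carry all six, 1.17.7 the three fixed in 1.17.8/1.17.9, and the 1.18-pre8 go-app-stager the two fixed in 1.18.1). A scanner that also tracks non-Go findings will report more.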

Hi, I just tried the cloud-sdk base image installing the gke-gcloud-auth-plugin plugin as indicated in https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke, however that binary /usr/lib/google-cloud-sdk/bin/gke-gcloud-auth-plugin is compiled with go version 1.17.5b7 that has 6 vulnerabilities:

https://nvd.nist.gov/vuln/detail/CVE-2022-23806 https://nvd.nist.gov/vuln/detail/CVE-2022-24675 https://nvd.nist.gov/vuln/detail/CVE-2022-28327 https://nvd.nist.gov/vuln/detail/CVE-2022-24921 https://nvd.nist.gov/vuln/detail/CVE-2022-23772 https://nvd.nist.gov/vuln/detail/CVE-2022-23773

rvillane avatar Jul 24 '22 00:07 rvillane

I'm having the same issue using the latest version published a day ago (398.0.0-alpine)

Algieba4 avatar Aug 17 '22 21:08 Algieba4

For the CVEs which have specified the explicit directories on the image where they are found, bugs have been filed internally with the teams that own the relevant components. For other issues, please follow the instructions described at the bottom of the README for filing bugs to GCP, and please be sure to specify the exact location on the image where the CVEs are located.

cloudsdkdocker avatar Sep 20 '22 15:09 cloudsdkdocker