distroless icon indicating copy to clipboard operation
distroless copied to clipboard
verified publisher icon GoogleContainerTools

Two extra low vulnerabilities detected in latest node.js 22.x distroless image

Open claudiu-muresan-pfa opened this issue 10 months ago • 4 comments

In our project, we have set up dependabot to check on every Monday if there are new node.js distroless images. We also do a trivy scan to compare the old vs. new distroless image to check what's been changed.

The PR that got created in our repo proposes following change:

Old image

FROM gcr.io/distroless/nodejs22-debian12:latest-amd64@sha256:23637ce9bd386f5883df054ed415a8240bac1df6fd3aa500686cc3a86e0b60e1

New image

FROM gcr.io/distroless/nodejs22-debian12:latest-amd64@sha256:ba670ace564d2ff780881509904d3ee4c8fbf3e587bed6a395377b7e56bfcf4a

The trivy scan shows that two extra low vulnerabilities are being added in the new image:

gcr.io/distroless/nodejs20-debian12:latest-amd64@sha256:e6af6f286378e821988bf381dbbf5b463d23153cad0168536a0859f778b2f36b (debian 12.9)
======================================================================================================================================
Total: 15 (UNKNOWN: 0, LOW: 13, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

vs.

gcr.io/distroless/nodejs18-debian12:latest-amd64@sha256:bab496af0bb9da3767ed6e920ff5262d7da17c473db090f5337be759e3767a4f (debian 12.9)
======================================================================================================================================
Total: 17 (UNKNOWN: 0, LOW: 15, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

I haven't identified the two extra low vulnerabilities, but we've seen that the vulnerabilities are present in all the distroless images that we currently use, for example node.js 18.x, node 20.x, java 17.x ...

claudiu-muresan-pfa avatar Feb 18 '25 07:02 claudiu-muresan-pfa

The two new low security alerts are related to gcc-12-base:

│ gcc-12-base │ CVE-2022-27943   │ LOW      │ affected │ 12.2.0-14         │               │ binutils: libiberty/rust-demangle.c in GNU GCC 11.2 allows  │
│             │                  │          │          │                   │               │ stack exhaustion in demangle_const                          │
│             │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-27943                  │
│             ├──────────────────┤          │          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│             │ CVE-2023-4039    │          │          │                   │               │ gcc: -fstack-protector fails to guard dynamic stack         │
│             │                  │          │          │                   │               │ allocations on ARM64                                        │
│             │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-4039                   │

claudiu-muresan-pfa avatar Feb 20 '25 12:02 claudiu-muresan-pfa

Yeah we need gcc base to satisfy some license requirements, but maybe that's all we need from there. Perhaps I can apply a filter on that.

loosebazooka avatar Feb 20 '25 18:02 loosebazooka

We are using the gcr.io/distroless/nodejs22-debian12 distroless image in Blackduck, and we are encountering the following critical, high, and medium issues. Could you please suggest how we can resolve them?

  • CVE-2023-0687: GNU C Library - 2.36
  • BDSA-2024-7353: OpenSSL
  • CVE-2023-4039: GNU Compiler Collection - 12.2.0

Thank you in advance !!

nivGandhi avatar Feb 27 '25 12:02 nivGandhi

@nivGandhi please read SECURITY.md

Also please be aware that adding unrelated information to an existing issue is unhelpful for tracking. Once you have read the documentation and expectations of distroless, considering opening a new issue.

loosebazooka avatar Feb 27 '25 13:02 loosebazooka