
Update Container Versions for the Release Docker config.env

Open Aevyz opened this issue 10 months ago • 3 comments

Describe the bug: The versions listed in the config.env file of the release Docker are in most cases three years old. It would make sense to update these, especially considering that there are quite a few vulnerabilities that impact these. I don't know enough about Postgres, Redis and OpenSearch to make a qualified statement about whether updates break anything, but at the very minimum, it would make sense to bump the NGINX version, considering its ports are exposed.

To Reproduce: n/a

Expected behavior: n/a

Links: [image attachment]

Desktop (please complete the following information): n/a

Aevyz avatar Apr 11 '24 14:04 Aevyz

Fair point. Are you aware of any specific vulnerability that can be exploited in the current Timesketch default set-up?

Have you tried a setup with the latest nginx container version? Would be interested if you experienced any breakage.

jkppr avatar Apr 11 '24 23:04 jkppr

> Fair point. Are you aware of any specific vulnerability that can be exploited in the current Timesketch default set-up?

No, not that I am aware of. I took a look at the NGINX website, and according to them the following items could be problems (they honestly don't sound like large enough problems to force an emergency update):

Memory corruption in the ngx_http_mp4_module
Severity: medium
[Advisory](http://mailman.nginx.org/pipermail/nginx-announce/2022/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA.html)
[CVE-2022-41741](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41741)
Not vulnerable: 1.23.2+, 1.22.1+
Vulnerable: 1.1.3-1.23.1, 1.0.7-1.0.15
[The patch](https://nginx.org/download/patch.2022.mp4.txt)  [pgp](https://nginx.org/download/patch.2022.mp4.txt.asc)

Memory disclosure in the ngx_http_mp4_module
Severity: medium
[Advisory](http://mailman.nginx.org/pipermail/nginx-announce/2022/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA.html)
[CVE-2022-41742](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41742)
Not vulnerable: 1.23.2+, 1.22.1+
Vulnerable: 1.1.3-1.23.1, 1.0.7-1.0.15
[The patch](https://nginx.org/download/patch.2022.mp4.txt)  [pgp](https://nginx.org/download/patch.2022.mp4.txt.asc)

1-byte memory overwrite in resolver
Severity: medium
[Advisory](http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html)
[CVE-2021-23017](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23017)
Not vulnerable: 1.21.0+, 1.20.1+
Vulnerable: 0.6.18-1.20.0
[The patch](https://nginx.org/download/patch.2021.resolver.txt)  [pgp](https://nginx.org/download/patch.2021.resolver.txt.asc)

From a first glance at Dockerhub (this is not ~~financial~~ ~~legal~~ security advice, bla bla bla), it appears most warnings stem from Layer 6 of the Dockerfile. Some of the underlying commands used may be vulnerable, but I doubt that should lead to any problems for us.

What is more interesting to look at is the underlying Alpine base image. OpenSSL has 4 CVEs, of which only one sounded somewhat relevant to me. Apparently an infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters, so it might be possible to DoS Nginx in certain circumstances, assuming it is using the OS OpenSSL library. https://scout.docker.com/vulnerabilities/id/CVE-2022-0778?s=alpine&n=openssl&t=alpine&osn=alpine&osv=3.13&vr=%3C1.1.1n-r0&utm_source=hub&utm_medium=ExternalLink

I would not call this mission critical, nor do I have a PoC, but it might be worth taking a look at.

> Have you tried a setup with the latest nginx container version? Would be interested if you experienced any breakage.

Our Timesketch setup (and by extension Nginx Config) is modified quite a bit. Not sure if we are representative of everyone, but I will try deploying an updated NGINX and report back how things are going. Might take some time, since I'm fixing some other stuff first.

Aevyz avatar Apr 12 '24 07:04 Aevyz
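As an added example (not part of this issue or of Timesketch's code), a small Python check that pulls the nginx version out of a config.env image tag and matches it against the vulnerable and "Not vulnerable" versions quoted above; it also honours the backported fixes (1.22.1+, 1.20.1+), which a plain range comparison would wrongly flag. The NGINX_IMAGE key name and the sample config.env contents are assumptions.

```python
import re

# Advisory data as quoted in the thread: inclusive vulnerable ranges and the
# "Not vulnerable" versions, which mark the fix on each release branch.
ADVISORIES = {
    "CVE-2022-41741": {"vuln": [("1.1.3", "1.23.1"), ("1.0.7", "1.0.15")],
                       "fixed": ["1.23.2", "1.22.1"]},
    "CVE-2022-41742": {"vuln": [("1.1.3", "1.23.1"), ("1.0.7", "1.0.15")],
                       "fixed": ["1.23.2", "1.22.1"]},
    "CVE-2021-23017": {"vuln": [("0.6.18", "1.20.0")],
                       "fixed": ["1.21.0", "1.20.1"]},
}

# Constructed sample; the NGINX_IMAGE key is an assumption, not Timesketch's actual key.
SAMPLE_CONFIG_ENV = "POSTGRES_VERSION=13\nNGINX_IMAGE=nginx:1.19.6-alpine\n"

def parse_version(tag):
    """x.y.z from a bare version or a tag like 'nginx:1.25.5-alpine-slim'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"no x.y.z version in {tag!r}")
    return tuple(int(p) for p in m.groups())

def nginx_version_from_env(text):
    """Version tuple of the first NGINX* key in config.env, or None."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().upper().startswith("NGINX"):
            return parse_version(value.strip())
    return None

def is_fixed(v, fixed):
    """Fixed if at/past the newest fix, or at/past the backport for v's own major.minor branch."""
    fixed = [parse_version(f) for f in fixed]
    return v >= max(fixed) or any(f[:2] == v[:2] and v >= f for f in fixed)

def applicable_cves(version):
    """CVEs from the thread whose vulnerable range still covers `version`."""
    v = parse_version(version) if isinstance(version, str) else version
    hits = []
    for cve, adv in ADVISORIES.items():
        in_range = any(parse_version(lo) <= v <= parse_version(hi)
                       for lo, hi in adv["vuln"])
        if in_range and not is_fixed(v, adv["fixed"]):
            hits.append(cve)
    return sorted(hits)

if __name__ == "__main__":
    v = nginx_version_from_env(SAMPLE_CONFIG_ENV)
    print(".".join(map(str, v)), applicable_cves(v))  # 1.19.6 and all three CVEs
```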

Note: I have quickly tested a setup with nginx:1.25.5-alpine-slim and did not run into any issues with booting up the system and some basic activity. Needs some additional testing, but we can probably move to this version with the next release.

jkppr avatar Apr 19 '24 11:04 jkppr