
vulnerabilities found in oraclelinux:7-slim and oracle db image

Open itroll42 opened this issue 3 years ago • 3 comments

The oraclelinux:7-slim base image (pulled today 06/06/2022) is scanning and showing 45 vulnerabilities in a harbor scan (all show as fixable). Once the 19.3.0 db is built from this base, that image is scanning and showing 92 vulnerabilities in a harbor scan (all show fixable as well).

All the vulnerabilities show they are fixable via ksplice updates. I saw in another post these images do not use ksplice, so not sure how to proceed.

Are all of these false positives? Or is there a way to fix these? Just doing a yum update during the image build does not pull down newer versions and results in the same 92 vulnerabilities listed.

All are related to various glibc, and openssl libraries.

itroll42 avatar Jun 06 '22 16:06 itroll42

oraclelinux images are rebuilt each time Security Errata are published. There might be a day or two delay from the build process, but this is closely monitored. I checked the images this morning and they are up-to-date.

If you find 45 vulnerabilities in a fresh image, these are definitely false positives. Most of the time, it is because scanners are checking against tool version, and in Enterprise Distributions, security fixes are backported to the original version to ensure stability and consistency during the lifecycle of the distribution. You can verify that a package contains security fixes with rpm -q --changelog <package name>

AmedeeBulle avatar Jun 06 '22 17:06 AmedeeBulle

The image was pulled today so it was as fresh as could be.

The 45 vulnerabilities were from a harbor scan, but our anchore scan of the same image only shows 5. So it seems anchore is better at dealing with the false positives.

itroll42 avatar Jun 06 '22 17:06 itroll42

This is a good way to check for any available security updates:

$ docker run --pull always --rm -it oraclelinux:7-slim yum --security updateinfo
7-slim: Pulling from library/oraclelinux
Digest: sha256:01146bd74c06a6bdbd55e9da959de40941476b32c9c04e9fd3fbb34ee16674f4
Status: Image is up to date for oraclelinux:7-slim
Loaded plugins: ovl
ol7_latest                                  | 3.6 kB  00:00:00
(1/3): ol7_latest/x86_64/group_gz           | 136 kB  00:00:00
(2/3): ol7_latest/x86_64/updateinfo         | 3.4 MB  00:00:00
(3/3): ol7_latest/x86_64/primary_db         |  40 MB  00:00:00
updateinfo summary done

Which shows there are no available security updates for the image.

The Docker official library FAQ explains why CVE scanners report false positives: https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

Djelibeybi avatar Jun 06 '22 23:06 Djelibeybi
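The two replies above make the same point from different angles: on an enterprise distribution a security fix is backported without bumping the upstream version string, so a scanner matching on versions reports a CVE that the RPM changelog shows is already fixed, and `yum --security updateinfo` confirms whether any errata are still pending. The script below is an added example, not code from this issue thread or from Oracle, that turns the `rpm -q --changelog` suggestion into a repeatable check. It assumes `rpm` is available when run inside the container; when `rpm` is absent it falls back to a constructed changelog with fictitious CVE ids so the parsing logic can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example: decide whether a package's RPM changelog references a CVE.
# A version-based scanner cannot see backported fixes; the changelog can.
# Assumption: `rpm` exists inside the image. Without it, the constructed
# sample changelog below is used so the logic still runs offline.

# Constructed sample, modelled on `rpm -q --changelog <package>` output.
# The CVE ids are fictitious placeholders, not real advisories.
SAMPLE_CHANGELOG='* Tue May 10 2022 Example Maintainer <maint@example.com> - 2.17-326.0.1
- Backport fix for CVE-2022-99999 (constructed placeholder)
- Backport fix for CVE-2022-99998 (constructed placeholder)
* Mon Jan 03 2022 Example Maintainer <maint@example.com> - 2.17-325.0.1
- Rebuild for updated toolchain'

# list_cves: read changelog text on stdin, print each distinct CVE id once.
list_cves() {
  grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# changelog_has_cve CHANGELOG_TEXT CVE_ID: exit 0 if the id appears.
changelog_has_cve() {
  printf '%s\n' "$1" | list_cves | grep -qx "$2"
}

# fetch_changelog PACKAGE: live lookup, only meaningful where rpm exists.
fetch_changelog() {
  rpm -q --changelog "$1"
}

# check_package PACKAGE CVE_ID: report whether the fix is visible in the
# changelog. Returns 0 when referenced, 1 when not, 2 when rpm lookup fails.
check_package() {
  local pkg=$1 cve=$2 log
  if command -v rpm >/dev/null 2>&1; then
    log=$(fetch_changelog "$pkg") || return 2
  else
    log=$SAMPLE_CHANGELOG   # offline fallback: constructed data
  fi
  if changelog_has_cve "$log" "$cve"; then
    echo "$pkg: $cve is referenced in the changelog (fix likely backported)"
    return 0
  fi
  echo "$pkg: $cve is not referenced in the changelog"
  return 1
}

# Demo run; the exit status is informational here.
check_package glibc CVE-2022-99999 || :
```

Inside a real container the workflow is `docker run --rm -it oraclelinux:7-slim` followed by this script with the package and CVE id the scanner reported; a hit in the changelog is the evidence to attach when marking the finding as a false positive, and `yum --security updateinfo` reporting no pending errata is the complementary check that nothing is actually outstanding.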