Base image vulnerabilities
Hi Team,
Our scanning tools (Black Duck) are reporting base image vulnerabilities for OPAL version 7.2.2 (we found 7 critical and 7 high); these issues are not related to the OPAL source code. Please address these issues as soon as possible to make OPAL vulnerability free.
Example: debian: libzstd1/1.4.8+dfsg-2.1/amd64 - BDSA-2019-5223: Zstandard command-line utility is vulnerable to information disclosure via improper default permissions on output files. Correct file permissions are only set at completion time, which could allow a local attacker to read or write to a file during compression or decompression.
Note: The initial fix for this vulnerability was incomplete and a further fix was required. This was disclosed as CVE-2021-24032 (BDSA-2021-2294).
| Component | Version | Package | Vulnerabilities |
|---|---|---|---|
| Bash | 5.1 | debian: bash/5.1-2+deb11u1/amd64 | 1 |
| Berkeley DB | 5.3.28 | debian: libdb5.3/5.3.28+dfsg1-0.8/amd64 | 19224 |
| GNU C Library | 2.31 | debian: libc6/2.31-1/amd64 | 36102 |
| GNU C Library | 2.31 | debian: libc6/2.31-13+deb11u7/amd64 | 482 |
| GNU C Library | 2.31 | debian: libc-bin/2.31-13+deb11u7/amd64 | 482 |
| GNU tar | 1.34 | debian: tar/1.34+dfsg-1/amd64 | 1 |
| GnuPG | 2.2.27 | debian: gpgv/2.2.27-2+deb11u2/amd64 | 1 1 |
| GnuTLS | 3.7.1 | debian: libgnutls30/3.7.1-5+deb11u3/amd64 | 2 |
| Libtasn1 | 4.16.0 | debian: libtasn1-6/4.16.0-2+deb11u1/amd64 | |
| Linux-Pam | v1.4.0 | debian: libpam-runtime/1.4.0-9+deb11u1/all | 1 |
| Linux-Pam | v1.4.0 | debian: libpam0g/1.4.0-9+deb11u1/amd64 | 1 |
| Linux-Pam | v1.4.0 | debian: libpam-modules-bin/1.4.0-9+deb11u1/amd64 | 1 |
| Linux-Pam | v1.4.0 | debian: libpam-modules/1.4.0-9+deb11u1/amd64 | 1 |
| PCRE | 8.39 | debian: libpcre3/2:8.39-13/amd64 | 121 |
| PCRE2 | 10.36 | debian: libpcre2-8-0/10.36-2+deb11u1/amd64 | 1 |
| Procps | v3.3.17 | opensuse: procps-lang/3.3.17-5.1/noarch | 1 |
| Procps | v3.3.17 | debian: libprocps-dev/2:3.3.17-5/arm64 | 1 |
| Procps | v3.3.17 | opensuse: procps-devel/3.3.17-14.2/i586 | 1 |
| Procps | v3.3.17 | debian: procps/2:3.3.17-5/amd64 | 1 |
| Procps | v3.3.17 | rocky: procps-ng-i18n/3.3.17-5.el9_0/noarch | 1 |
| Procps | v3.3.17 | opensuse: procps/3.3.17-5.2/x86_64 | 1 |
| Shadow Tool Suite | 4.8.1 | debian: passwd/1:4.8.1-1/amd64 | 2 |
| Shadow Tool Suite | 4.8.1 | debian: login/1:4.8.1-1/amd64 | 2 |
| XZ Utils | 5.2.5 | debian: liblzma5/5.2.5-2.1~deb11u1/amd64 | 11 |
| e2fsprogs | 1.46.2 | debian: libcom-err2/1.46.2-2/amd64 | 1 |
| gzip | 1.10 | debian: gzip/1.10-4+deb11u1/amd64 | |
| krb5/krb5 | 1.18.3 | debian: libk5crypto3/1.18.3-6+deb11u4/amd64 | |
| krb5/krb5 | 1.18.3 | debian: libkrb5support0/1.18.3-6+deb11u4/amd64 | |
| krb5/krb5 | 1.18.3 | debian: libkrb5-3/1.18.3-6+deb11u4/amd64 | |
| krb5/krb5 | 1.18.3 | debian: libgssapi-krb5-2/1.18.3-6+deb11u4/amd64 | |
| libgcrypt | 1.8.7 | debian: libgcrypt20/1.8.7-6/amd64 | 1 |
| libtirpc | 1.3.1 | debian: libtirpc3/1.3.1-1+deb11u1/amd64 | |
| libtirpc | 1.3.1 | debian: libtirpc-common/1.3.1-1+deb11u1/all | |
| lz4 | v1.9.3 | debian: liblz4-1/1.9.3-2/amd64 | |
| systemd | 247.3 | debian: libudev1/247.3-7+deb11u4/amd64 | 1 |
| util-linux | 2.36.1 | debian: libblkid1/2.36.1-8+deb11u1/amd64 | 1 |
| util-linux | 2.36.1 | debian: util-linux/2.36.1-8+deb11u1/amd64 | 1 |
| util-linux | 2.36.1 | debian: libmount1/2.36.1-8+deb11u1/amd64 | 1 |
| util-linux | 2.36.1 | debian: mount/2.36.1-8+deb11u1/amd64 | 1 |
| util-linux | 2.36.1 | debian: libuuid1/2.36.1-8+deb11u1/amd64 | 1 |
| util-linux | 2.36.1 | debian: libsmartcols1/2.36.1-8+deb11u1/amd64 | 1 |
| zlib | 1.2.11 | debian: zlib1g/1:1.2.11.dfsg-2+deb11u2/amd64 | 1 |
| zstd | 1.4.8 | debian: libzstd1/1.4.8+dfsg-2.1/amd64 | 2 |
Hi @rgidda, thanks for reporting! Do you know if your tool takes into consideration only the base image or the other attributes of the image as well? For example, if the base image has a package with a vulnerability but we uninstall it in the next step, will it be able to detect that? Another question is whether this tool is free to use if we want to check it ourselves.
And the last one: do you have a recommended base image that you use? It would be great if you want to help us with this and contribute to Open Source 🥇
Hi @obsd, we are using Black Duck Enterprise Edition; it scans all attributes of the image, including base images. Please upgrade your base images to the latest versions and replace/update the packages which got critical vulnerabilities.
You can use the scanning tool below locally: https://github.com/aquasecurity/trivy
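Since the thread points to Trivy for scanning locally, here is an added example (not OPAL's code, and not part of this thread) of the kind of CI gate a team would put behind such a scan. It assumes the input has the shape of Trivy's JSON report (`trivy image --format json <image>`: `Results[]` → `Vulnerabilities[]` with `Severity`, `FixedVersion` and `CVSS.nvd.V3Score`); the report embedded below is constructed for the example and its CVE identifiers are placeholders. The gate blocks on CRITICAL findings above a CVSS v3 threshold, keeps CRITICAL findings that carry no score (they cannot be shown to be below the bar), and can optionally skip findings the distribution has not fixed yet, mirroring Trivy's own `--ignore-unfixed` option.

```python
"""Gate a container image scan on its findings (added example, not OPAL's code).

Input is assumed to follow Trivy's JSON report shape:
  Results[] -> Vulnerabilities[] -> {VulnerabilityID, PkgName, InstalledVersion,
                                     FixedVersion, Severity, CVSS.nvd.V3Score}
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample report in Trivy's shape; CVE ids and packages are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/opal-server:test",
    "Results": [{
        "Target": "example/opal-server:test (debian 11.7)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
             "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
             "InstalledVersion": "2.0-1", "FixedVersion": "",
             "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.1}}},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
             "InstalledVersion": "3.0-1", "FixedVersion": "3.0-2",
             "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.5}}},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libexample4",
             "InstalledVersion": "4.0-1", "FixedVersion": "",
             "Severity": "CRITICAL", "CVSS": {}},
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    pkg: str
    installed: str
    fixed: str                # empty when the distro has no fixed version yet
    severity: str
    score: Optional[float]    # NVD CVSS v3 base score, None when the report has none


def parse_report(raw: str) -> list[Finding]:
    """Flatten every Result's Vulnerabilities into Finding records."""
    report = json.loads(raw)
    findings: list[Finding] = []
    for result in report.get("Results", []):
        # Trivy omits the key (or sets null) when a target has no findings.
        for v in result.get("Vulnerabilities") or []:
            score = v.get("CVSS", {}).get("nvd", {}).get("V3Score")
            findings.append(Finding(
                vuln_id=v["VulnerabilityID"],
                pkg=v["PkgName"],
                installed=v["InstalledVersion"],
                fixed=v.get("FixedVersion", ""),
                severity=v["Severity"],
                score=float(score) if score is not None else None,
            ))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Severity histogram, the headline number a report like the one above gives."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def blocking_findings(findings: list[Finding], *, min_score: float = 9.0,
                      ignore_unfixed: bool = False) -> list[Finding]:
    """Return the findings that fail the gate, most severe first.

    A finding blocks when it is CRITICAL and its CVSS v3 score exceeds min_score.
    A CRITICAL finding with no score is kept: we cannot prove it is below the bar.
    ignore_unfixed drops findings without a FixedVersion (like Trivy's
    --ignore-unfixed), useful when the gate should only cover what an upgrade fixes.
    """
    out = []
    for f in findings:
        if f.severity != "CRITICAL":
            continue
        if ignore_unfixed and not f.fixed:
            continue
        if f.score is None or f.score > min_score:
            out.append(f)
    # Unscored findings sort as if they were 10.0 so they are reviewed first.
    return sorted(out, key=lambda f: f.score if f.score is not None else 10.0, reverse=True)


def main(raw: str = SAMPLE_REPORT) -> int:
    """Print the summary and return the CI exit code (1 when anything blocks)."""
    findings = parse_report(raw)
    print("severity counts:", count_by_severity(findings))
    blocking = blocking_findings(findings)
    for f in blocking:
        fix = f.fixed or "no fix yet"
        print(f"BLOCK {f.vuln_id} {f.pkg} {f.installed} -> {fix} (CVSS {f.score})")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it against a real report by replacing `SAMPLE_REPORT` with the contents of `trivy image --format json -o report.json <image>`. Note that a scanner working on the final image filesystem will not report a package that a later Dockerfile step removed, which is the distinction asked about earlier in the thread.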
Hi @rgidda, thanks for the details and the link :) Just opened a ticket on this (PER-8300); we will let you know once we get to it. Let us know if it is blocking you or if you want to help solve this issue, we will be glad to help.
Hi @obsd,
I have made an attempt at this. All Debian vulnerabilities are resolved in these changes; however, there seems to be an issue with OPA running. In this commit there are docker compose logs showing this sort of log line repeating every couple of seconds:
opal_client.engine.runner | INFO | Running policy engine inline: opa run --server --addr=:8181 --authentication=off --authorization=off --log-level=info
opal_client.engine.runner | INFO | Running policy engine rehydration callbacks
https://github.com/devine12/opal/commit/f1cbc2b61b0825e9c525a04a4277b65a0be80821
Any advice on how to debug?
Hi @devine12, thanks for sharing it with us. I think what happens is that our watchdog can't identify OPA running, so it tries to run it again. Can you set the log level to debug? It may help us understand this better. Anyway, I will ask someone from the team to take a look.
Hi @devine12, there can be many reasons why OPA restarts in Alpine Linux.
We did use Alpine before for OPAL and moved away towards the official Python docker image due to build-time issues, stability issues and DNS issues.
It does look like they finally fixed it in Alpine 3.18; we'll have to check.
@obsd, for now I suggest sticking with the least vulnerable official Python base image and patching it accordingly until we can field-test Alpine stability.
Hi @asafc and @obsd, thanks for the reply.
The restarting was fixed by switching asyncio.wait -> asyncio.gather in the OPA engine;
see https://github.com/permitio/opal/pull/534/commits/68f1e6a2d9c02aa3c203911cce3ee8b1c73b4842
Due to the security gates set in our CI pipelines, we cannot have any critical vuln with CVSS > 9.
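The comment above attributes the fix to replacing `asyncio.wait` with `asyncio.gather`. The two calls differ in how a failing task surfaces, and the added example below (not OPAL's code; the `engine_process` and `companion` coroutines are stand-ins constructed for the illustration) shows that difference on a supervised pair of tasks: `asyncio.wait` completes normally and leaves the exception inside the finished task, where a caller that never inspects `task.exception()` will not notice it, whereas `asyncio.gather` re-raises the first failure to the awaiting coroutine. Whether this was the exact mechanism behind the restart loop is not established by the thread; the example only shows the semantics.

```python
"""asyncio.wait vs asyncio.gather on a failing supervised task (added example)."""
import asyncio


async def engine_process(fail_after: float, should_fail: bool) -> str:
    """Stand-in for a process wrapper: finishes normally, or raises to signal a crash."""
    await asyncio.sleep(fail_after)
    if should_fail:
        raise RuntimeError("engine exited unexpectedly")
    return "engine ok"


async def companion(duration: float) -> str:
    """Stand-in for a second coroutine supervised alongside the engine."""
    await asyncio.sleep(duration)
    return "companion ok"


async def supervise_with_wait() -> dict:
    """asyncio.wait never raises on behalf of its tasks.

    It returns (done, pending) once the condition is met (default ALL_COMPLETED);
    a task that raised sits in `done` with the exception stored on it. Unless the
    caller calls task.exception() or task.result(), the failure goes unobserved.
    """
    tasks = {
        asyncio.create_task(engine_process(0.01, should_fail=True)),
        asyncio.create_task(companion(0.05)),
    }
    done, pending = await asyncio.wait(tasks)
    # Explicit inspection is the only way to learn that something failed here.
    failed = [t for t in done if t.exception() is not None]
    return {"raised": False, "done": len(done), "pending": len(pending),
            "failed": len(failed)}


async def supervise_with_gather() -> dict:
    """asyncio.gather propagates the first exception to the awaiting coroutine.

    The supervisor sees the crash as soon as it happens and can react (here by
    cancelling the sibling task), instead of discovering it indirectly later.
    """
    engine = asyncio.create_task(engine_process(0.01, should_fail=True))
    sibling = asyncio.create_task(companion(0.05))
    try:
        await asyncio.gather(engine, sibling)
    except RuntimeError as exc:
        # gather does not cancel the other awaitables on failure; do it ourselves.
        sibling.cancel()
        await asyncio.gather(sibling, return_exceptions=True)
        return {"raised": True, "error": str(exc)}
    return {"raised": False}


def compare() -> dict:
    """Run both supervisors against the same failing engine and report what each saw."""
    return {
        "wait": asyncio.run(supervise_with_wait()),
        "gather": asyncio.run(supervise_with_gather()),
    }


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name:6s} -> {outcome}")
```

The practical rule this illustrates: when a supervisor must react to a crashed child, either use `gather` (or `TaskGroup` on Python 3.11+) so the exception reaches it, or, if `wait` is kept, check `task.exception()` on every finished task before deciding the child is still healthy.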
Cool @devine12, is it working now with the new image? If you can test it, we will be glad to get this code contribution from you. Also, we'll have someone from Permit guide you on how to make it ready to merge into the main project.
Hi @obsd,
Yes, it is working now.
For a local test I made a separate branch (https://github.com/devine12/opal/commit/17e0518cf1489a0eb9b86f249a9b5ff912ba5fc6) with:
- docker-compose-alpine-test.yml to run with locally built images
- A script to build client and server Alpine images locally, then spin up docker-compose-alpine-test with these images
- Logs of the above script running
I have raised a PR (https://github.com/permitio/opal/pull/534/files) and reached out in Slack. Any other guidance on how to move forward?
Hi @devine12, thank you very much; your PR is much appreciated! I will talk with the feature owner and ask him to review this in his next OSS window; once we merge it I will let you know. Can you send me a private message in our community Slack (it's Oded BD) so I can update you there?