s2i-nodejs-container
Clair scan vulnerability for ubi8/nodejs14
Using a pretty basic Dockerfile:
FROM registry.access.redhat.com/ubi8/nodejs-14:latest
USER root
RUN yum update -y nodejs-nodemon-2.0.3
However, the Clair scan always reports the following error. I tried updating the nodejs-nodemon package in various ways, but nothing resolves the issue. From my investigation so far, it seems that "RHSA-2021:0549" and "RHSA-2021:0734" are related to nodejs12, so I tried to explicitly update nodejs12 using the command RUN yum -y module update nodejs:12, but that doesn't help either. Any suggestions on how this issue can be resolved?
2021/06/01 11:57:20 [WARN] ▶ Image [test:31may] contains 2 total vulnerabilities
2021/06/01 11:57:20 [ERRO] ▶ Image [test:31may] contains 2 unapproved vulnerabilities
+------------+-----------------------+----------------+--------------------------------------+-------------------------------------------------+
| STATUS | CVE SEVERITY | PACKAGE NAME | PACKAGE VERSION | CVE DESCRIPTION |
+------------+-----------------------+----------------+--------------------------------------+-------------------------------------------------+
| Unapproved | High RHSA-2021:0734 | nodejs-nodemon | 2.0.3-1.module+el8.3.0+6519+9f98ed83 | Node.js is a software development platform |
| | | | | for building fast and scalable network |
| | | | | applications in the JavaScript programming |
| | | | | language. The following packages have |
| | | | | been upgraded to a later upstream version: |
| | | | | nodejs (12.21.0). Security Fix(es): * |
| | | | | nodejs: HTTP2 'unknownProtocol' cause DoS |
| | | | | by resource exhaustion (CVE-2021-22883) |
| | | | | * nodejs: DNS rebinding in --inspect |
| | | | | (CVE-2021-22884) For more details about the |
| | | | | security issue(s), including the impact, |
| | | | | a CVSS score, acknowledgments, and other |
| | | | | related information, refer to the CVE |
| | | | | page(s) listed in the References section. |
| | | | | https://access.redhat.com/errata/RHSA-2021:0734 |
+------------+-----------------------+----------------+--------------------------------------+-------------------------------------------------+
| Unapproved | Medium RHSA-2021:0549 | nodejs-nodemon | 2.0.3-1.module+el8.3.0+6519+9f98ed83 | Node.js is a software development platform for |
| | | | | building fast and scalable network applications |
| | | | | in the JavaScript programming language. The |
| | | | | following packages have been upgraded to a |
| | | | | later upstream version: nodejs (12.20.1), |
| | | | | nodejs-nodemon (2.0.3). Security Fix(es): |
| | | | | * nodejs-mixin-deep: prototype pollution |
| | | | | in function mixin-deep (CVE-2019-10746) |
| | | | | * nodejs-set-value: prototype pollution |
| | | | | in function set-value (CVE-2019-10747) * |
| | | | | nodejs-npm-user-validate: improper input |
| | | | | validation when validating user emails |
| | | | | leads to ReDoS (CVE-2020-7754) * nodejs-ini: |
| | | | | prototype pollution via malicious INI file |
| | | | | (CVE-2020-7788) * nodejs: use-after-free |
| | | | | in the TLS implementation (CVE-2020-8265) |
| | | | | * nodejs: HTTP request smuggling via two |
| | | | | copies of a header field in an http request |
| | | | | (CVE-2020-8287) For more details about the |
| | | | | security issue(s), including the impact, |
| | | | | a CVSS score, acknowledgments, and other |
| | | | | related information, refer to the CVE |
| | | | | page(s) listed in the References section. |
| | | | | https://access.redhat.com/errata/RHSA-2021:0549 |
+------------+-----------------------+----------------+--------------------------------------+-------------------------------------------------+
{
  "image": "test:31may",
  "unapproved": [
    "RHSA-2021:0549",
    "RHSA-2021:0734"
  ],
  "vulnerabilities": [
    {
      "featurename": "nodejs-nodemon",
      "featureversion": "2.0.3-1.module+el8.3.0+6519+9f98ed83",
      "vulnerability": "RHSA-2021:0734",
      "namespace": "centos:8",
      "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (12.21.0). Security Fix(es): * nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883) * nodejs: DNS rebinding in --inspect (CVE-2021-22884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
      "link": "https://access.redhat.com/errata/RHSA-2021:0734",
      "severity": "High",
      "fixedby": "0:2.0.3-1.module+el8.3.0+9715+1718613f"
    },
    {
      "featurename": "nodejs-nodemon",
      "featureversion": "2.0.3-1.module+el8.3.0+6519+9f98ed83",
      "vulnerability": "RHSA-2021:0549",
      "namespace": "centos:8",
      "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (12.20.1), nodejs-nodemon (2.0.3). Security Fix(es): * nodejs-mixin-deep: prototype pollution in function mixin-deep (CVE-2019-10746) * nodejs-set-value: prototype pollution in function set-value (CVE-2019-10747) * nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754) * nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788) * nodejs: use-after-free in the TLS implementation (CVE-2020-8265) * nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
      "link": "https://access.redhat.com/errata/RHSA-2021:0549",
      "severity": "Medium",
      "fixedby": "0:2.0.3-1.module+el8.3.0+9715+1718613f"
    }
  ]
}
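The "fixedby" field in the report is the detail worth checking: the image carries nodejs-nodemon 2.0.3 with release 1.module+el8.3.0+6519+9f98ed83, while the fix is 2.0.3 with release 1.module+el8.3.0+9715+1718613f, so the upstream version is identical and only the module build in the release field differs; any check that looks at the version string alone cannot see that difference. The following Python example is added here and is not part of the issue or of the s2i-nodejs-container project: it re-implements rpm's epoch/version/release ordering and applies it to the report's findings, so a rebuilt image can be compared against "fixedby"; the `installed` mapping is an assumed input, for instance from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' nodejs-nodemon` run inside the container.

```python
import re

# Constructed sample: the two findings from the report above, reduced to the
# fields the check needs (values copied from the issue's JSON output).
CLAIR_REPORT = {"image": "test:31may", "vulnerabilities": [
    {"featurename": "nodejs-nodemon", "vulnerability": adv,
     "featureversion": "2.0.3-1.module+el8.3.0+6519+9f98ed83",
     "fixedby": "0:2.0.3-1.module+el8.3.0+9715+1718613f"}
    for adv in ("RHSA-2021:0734", "RHSA-2021:0549")]}

_SEG = re.compile(r"\d+|[a-zA-Z]+|~")  # rpmvercmp segments; other chars separate

def rpmvercmp(a, b):
    """Compare two RPM version or release strings like rpm's rpmvercmp(): -1/0/1.
    Numeric segments compare as integers and beat alpha ones; '~' sorts first."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        xk, yk = (int(x), int(y)) if x.isdigit() else (x, y)
        if xk != yk:
            return -1 if xk < yk else 1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":          # a trailing "~rc1" makes that side older
        a_longer = not a_longer
    return 1 if a_longer else -1

def evr_cmp(a, b):
    """Compare two RPM EVRs ('epoch:version-release', epoch optional, default 0):
    epoch first, then version, then release, each with rpmvercmp semantics."""
    def split(s):
        epoch, _, rest = s.rpartition(":")
        version, _, release = rest.partition("-")
        return int(epoch or 0), version, release
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unresolved(report, installed):
    """Advisories whose 'fixedby' EVR is still newer than the package in the image."""
    return sorted({v["vulnerability"] for v in report["vulnerabilities"]
                   if v["featurename"] in installed
                   and evr_cmp(installed[v["featurename"]], v["fixedby"]) < 0})
```

With the release from the issue's image both advisories stay unresolved; with the "fixedby" release installed the list is empty, which is the condition a rebuilt image has to meet.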