spring-cloud-dataflow

Vulnerabilities in docker image

Open Craig2524 opened this issue 3 years ago • 4 comments

When trying to bring the docker image for springcloud/spring-cloud-dataflow-server:2.9.2 into our firm, a scan is performed.

It detected the following vulnerabilities in the image.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21724
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37714

SCDF_SCAN.txt

Craig2524 avatar Feb 28 '22 16:02 Craig2524

@Craig2524 We are using the latest buildpacks from https://github.com/paketo-buildpacks/java

Is there a problem with upgrading to 2.9.4?

corneil avatar Aug 04 '22 11:08 corneil

Hi, I am also experiencing issues bringing this image into my place of work; the recommended version has even more vulnerabilities. May I ask what product you use to scan artifacts? We use Snyk.

  Type:            VULNERABILITY
  Name:            CVE-2022-23221
  CVSS Score v3:   9.8
  Severity:        critical
  Description:     H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.. Impacted Image File(s): /workspace/BOOT-INF/lib/h2-1.4.200.jar

  Type:            VULNERABILITY
  Name:            CVE-2021-23463
  CVSS Score v3:   9.1
  Severity:        critical
  Description:     The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.. Impacted Image File(s): /workspace/BOOT-INF/lib/h2-1.4.200.jar

  Type:            VULNERABILITY
  Name:            CVE-2022-1292
  CVSS Score v3:   9.8
  Severity:        critical
  Description:     The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).. Impacted Image File(s):

  Type:            VULNERABILITY
  Name:            CVE-2022-22978
  CVSS Score v3:   9.8
  Severity:        critical
  Description:     In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. Impacted Image File(s): /workspace/BOOT-INF/lib/spring-security-core-5.5.5.jar

  Type:            VULNERABILITY
  Name:            CVE-2022-1664
  CVSS Score v3:   9.8
  Severity:        critical
  Description:     Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.. Impacted Image File(s):

  Type:            VULNERABILITY
  Name:            CVE-2022-2068
  CVSS Score v3:   9.8
  Severity:        critical
  Description:     In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).. Impacted Image File(s):

davidbuchanan avatar Aug 10 '22 15:08 davidbuchanan
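As an added example (not code from the thread or from the Spring Cloud Data Flow project), a small Python parser for the scanner output layout quoted above. It separates findings tied to an application jar under /workspace/BOOT-INF/lib from findings with no impacted file, which come from the OS layer that the buildpack base image supplies, so the two can be triaged separately. The sample report is constructed and abbreviated from the entries above.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the scanner output quoted in the thread (descriptions abbreviated).
SAMPLE_REPORT = """\
  Type:            VULNERABILITY
  Name:            CVE-2022-23221
  CVSS Score v3:   9.8
  Severity:        critical
  Description:     H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL. Impacted Image File(s): /workspace/BOOT-INF/lib/h2-1.4.200.jar

  Type:            VULNERABILITY
  Name:            CVE-2022-1292
  CVSS Score v3:   9.8
  Severity:        critical
  Description:     The c_rehash script does not properly sanitise shell metacharacters. Impacted Image File(s):
"""

FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*)$")   # "Label:   value"; first colon ends the label
FILES_MARKER = "Impacted Image File(s):"
BASE_IMAGE = "<base image / OS package>"          # label for findings with no impacted jar

def parse_findings(report):
    """Split the report into blank-line-separated records and parse each record's fields."""
    findings = []
    for block in re.split(r"\n\s*\n", report.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        # The impacted file list is appended to the description after a fixed marker
        desc, _, files = fields.get("Description", "").partition(FILES_MARKER)
        findings.append({
            "cve": fields.get("Name", ""),
            "score": float(fields.get("CVSS Score v3", "0")),
            "severity": fields.get("Severity", "").lower(),
            "description": desc.strip(),
            # No impacted file means the finding lives in the OS layer, not in an application jar
            "files": [f for f in re.split(r"[,\s]+", files.strip()) if f] or [BASE_IMAGE],
        })
    return findings

def group_by_component(findings, min_score=0.0):
    """Map each impacted jar (or the base image) to the CVE ids scoring at or above min_score."""
    grouped = defaultdict(list)
    for f in findings:
        if f["score"] >= min_score:
            for path in f["files"]:
                grouped[path].append(f["cve"])
    return dict(grouped)
```

Jar-level entries point at dependencies that a new application release must bump, while base-image entries are only fixed by rebuilding the image on a newer buildpack run image.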

Hi @corneil yeah I had the same vulnerabilities as @davidbuchanan when I tried to bring in 2.9.4. I had significantly fewer vulnerabilities with the 2.9.5-SNAPSHOT version but unfortunately I can't bring in SNAPSHOT versions into our firm.

What's the timeline for 2.9.5 getting released?

Craig2524 avatar Aug 10 '22 15:08 Craig2524

@Craig2524 The 2.9.5 release is less than a week away.

corneil avatar Aug 10 '22 16:08 corneil

We are now in a state where our releases are using the latest paketo buildpacks. We rely on that to make sure we are as up to date as possible with CVEs from the base image.

markpollack avatar Oct 10 '22 17:10 markpollack