
Base Image Alpine Linux v3.11 Has Vulnerable Package ncurses

Open WToma opened this issue 3 years ago • 3 comments

Version of Cadence server, and client (which language) This is very important to root cause bugs.

  • Server version: v0.23.2
  • Client version: N/A
  • Client language: N/A

Describe the bug The official Docker image is built based on Alpine Linux v3.11. That image has ncurses version 6.1_p20200118-r4, which is affected by CVE-2021-39537. The issue is fixed in ncurses version 6.3_p20211120-r0, which is available in Alpine Linux v3.15. The base image should be updated to v3.15 to remove the vulnerable package.

To Reproduce Is the issue reproducible?

  • Yes

Steps to reproduce the behavior: N/A. This was found by a vulnerability scanner we use that scans for vulnerable packages.

Expected behavior ncurses should be on 6.3_p20211120-r0 or later in the Docker image.

Screenshots N/A

Additional context N/A

WToma avatar Dec 17 '21 01:12 WToma
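An added example, not code from this issue or from the Cadence project: the kind of check the reporter's scanner performs, run here over a constructed `apk info -v` listing of an Alpine 3.11 based image, with a simplified implementation of apk's version ordering so that `6.1_p20200118-r4` compares below the fixed `6.3_p20211120-r0`.

```python
import re

# Constructed sample of `apk info -v` output (one "<name>-<version>" per line)
# from an Alpine 3.11 based image; not captured from the real Cadence image.
SAMPLE_APK_INFO = """\
musl-1.1.24-r3
busybox-1.31.1-r19
ncurses-terminfo-base-6.1_p20200118-r4
ncurses-libs-6.1_p20200118-r4
ca-certificates-20191127-r2
"""

# First ncurses build the issue names as fixing CVE-2021-39537.
FIXED_NCURSES = "6.3_p20211120-r0"

# apk suffix ordering: pre-release tags sort below a bare version,
# post-release tags (e.g. the _p20211120 snapshot) sort above it.
_SUFFIX_RANK = {"alpha": -5, "beta": -4, "pre": -3, "rc": -2, "": 0,
                "cvs": 1, "svn": 2, "git": 3, "hg": 4, "p": 5}

def split_name_version(line):
    """'ncurses-libs-6.1_p20200118-r4' -> ('ncurses-libs', '6.1_p20200118-r4').
    The version starts at the first '-' that is followed by a digit."""
    m = re.match(r"^(.*?)-(\d.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def version_key(version):
    """Sortable key for an apk version (simplified rules: numeric components,
    at most one _suffix, then the -rN package revision)."""
    main, _, rev = version.partition("-r")
    base, _, suffix = main.partition("_")
    # Digits compare numerically; trailing letters (e.g. 1.0.2u) sort after numbers.
    numbers = tuple((0, int(p)) if p.isdigit() else (1, p)
                    for p in re.findall(r"\d+|[a-z]+", base))
    m = re.fullmatch(r"([a-z]*)(\d*)", suffix)
    name, num = (m.group(1), m.group(2)) if m else ("", "")
    return (numbers, _SUFFIX_RANK.get(name, 0), int(num or 0), int(rev or 0))

def vulnerable_packages(apk_info_output, package, fixed_version):
    """Return (name, version) of installed packages that belong to `package`
    (the package itself or its sub-packages) and are older than fixed_version."""
    hits = []
    for line in apk_info_output.splitlines():
        nv = split_name_version(line)
        if nv is None:
            continue
        name, ver = nv
        if ((name == package or name.startswith(package + "-"))
                and version_key(ver) < version_key(fixed_version)):
            hits.append((name, ver))
    return hits
```

Against a real image the listing would come from `docker run --rm <image> apk info -v`; rebuilding on a base that ships the fixed package (Alpine v3.15, as the issue suggests) is what makes the check come back empty.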

Thanks @WToma . Would you mind opening a PR to fix this?

Seems like we just need to update the two lines in dockerfile

https://github.com/uber/cadence/blob/027bbd6c65223c7fbebee76ab52ca300d1871c85/Dockerfile#L15

longquanzheng avatar Dec 17 '21 02:12 longquanzheng

I don't think builder images are relevant here - they're used to compile some binaries (which do not have ncurses statically linked into them AFAIK), and are then entirely discarded. Only those copied binaries exist in the final docker images.

So to exploit this, someone would have to modify our dockerfiles, submit a PR that takes advantage of the exploit, get it past a cursory check (because buildkite does not run on random PRs, they need manual approval), and it would only be able to gain access to buildkite data anyway. It'd be far easier to write and run a tiny shell script in a PR, which would have exactly the same capabilities.

Groxx avatar Dec 17 '21 02:12 Groxx

I don't think builder images are relevant here

Yes, looks like the actual image used for the built image is on L41: https://github.com/uber/cadence/blob/027bbd6c65223c7fbebee76ab52ca300d1871c85/Dockerfile#L41

(The vulnerable package exists in the final docker image.)

Although I don't think there's a harm in updating both, right?

Would you mind opening a PR to fix this?

Yup, sorry, should've done that yesterday as I opened the issue :D Here it is: https://github.com/uber/cadence/pull/4689

WToma avatar Dec 17 '21 18:12 WToma