Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The redis:7.0.4-alpine image has a High saverity vulnerabilities. #324

Closed
bighb69738 opened this issue Jul 22, 2022 · 3 comments
Closed

The redis:7.0.4-alpine image has a High saverity vulnerabilities. #324

bighb69738 opened this issue Jul 22, 2022 · 3 comments

Comments

@bighb69738
Copy link

bighb69738 commented Jul 22, 2022
edited
Loading

Hi all:
I tried to use the latest image redis:7.0.4-alpine.
But there is a High saverity vulnerabilities when the image was scaned.

These High saverity vulnerabilities:

Library:busybox-1.35.0-r15.apk
Vulnerability id : CVE-2022-3006, CVE-2022-28931

How to fix it?
@wglambert
Copy link

7.0.4 was recently added 4 days ago, it's fully up to date with the latest packages from the apk repos

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28931 is still reserved

image
Four results with no informational links. What scanner are you using?

$ docker run -it --rm redis:7.0.4-alpine ash
Unable to find image 'redis:7.0.4-alpine' locally
7.0.4-alpine: Pulling from library/redis
530afca65e2e: Already exists
c550a3118f41: Pull complete
9b28aced8b95: Pull complete
ee366e72c8f0: Pull complete
4dc43047334c: Pull complete
940560b1b15a: Pull complete
Digest: sha256:f23b1e963e2122ce4de6c40ffd105b60ccfa62bf0134585d3109f5caf691b5b3
Status: Downloaded newer image for redis:7.0.4-alpine
/data # apk update && apk -u list && apk upgrade --simulate
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/community/x86_64/APKINDEX.tar.gz
v3.16.1-5-ge692d8f074 [https://dl-cdn.alpinelinux.org/alpine/v3.16/main]
v3.16.1-20-g112d29a88c [https://dl-cdn.alpinelinux.org/alpine/v3.16/community]
OK: 17026 distinct packages available
OK: 9 MiB in 17 packages

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

@bighb69738
Copy link
Author

@wglambert
Sorry, the correct CVE id is CVE-2022-30065 and CVE-2022-28391.
I used Whitesource to scan redis:7.0.4-alpine image, and it found the high saverity vulnerabilities library from busybox-1.35.0-r15.apk.

@wglambert
Copy link

The busybox package is fully up to date so there's nothing actionable we can do, in about a month the image will be updated and rebuilt on its usual cadence so maybe they'll have patches for those. They don't seem particularly relevant to the this image's environment and usage.

I would make sure your redis image isn't publicly accessible and you've read https://github.com/docker-library/docs/tree/master/redis#security then you shouldn't have any worries

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wglambert @bighb69738