Docker container contains security vulnerabilities

Description

When we pull the latest PMM docker image (https://hub.docker.com/r/percona/pmm-server, 2.15.1 as of this writing) and put it into Google's image registry, they scan it and it comes up with a number of vulnerabilities. Can these be remediated or should we configure our tools to ignore them and allow the image to be used?


https://security-tracker.debian.org/tracker/CVE-2013-2383
"Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-1569, CVE-2013-2384, and CVE-2013-2420. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "handling of [a] glyph table" in the International Components for Unicode (ICU) Layout Engine before 51.2."

https://security-tracker.debian.org/tracker/CVE-2014-7926
"The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a zero-length quantifier."

https://security-tracker.debian.org/tracker/CVE-2013-1569
"Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "checking of [a] glyph table" in the International Components for Unicode (ICU) Layout Engine before 51.2."

https://security-tracker.debian.org/tracker/CVE-2014-7923
"The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a look-behind expression."

https://security-tracker.debian.org/tracker/CVE-2013-2384
"Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-1569, CVE-2013-2383, and CVE-2013-2420. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "font layout" in the International Components for Unicode (ICU) Layout Engine before 51.2."

How to test

None

How to document

None

Activity

Luke Hankins April 7, 2021 at 8:54 PM

Thanks for your analysis, John, that'll help get this through our security team. I'll consider this issue closed.

John Lionis April 7, 2021 at 4:10 PM

Hi Luke,

Thank you for the heads up on this.


Based on our initial research and to the best of our knowledge on this it seems like the pmm-server docker image is not affected by any of the reported vulnerabilities.

None of the affected products reported by Red Hat (since this image is CentOS based) is present in the docker image under discussion. The single package present that is relevant to these vulnerabilities is libicu.x86_64 50.2-4.el7_7 (and probably this is the reason for the GCP scanner to flag these vulns), which is only reported to be affected by the way it is used by specific versions of JRE, Chromium and Chrome, which are also not present in the image. For reference you can check the links below:

https://access.redhat.com/security/cve/cve-2013-2383

https://access.redhat.com/security/cve/cve-2014-7926

https://access.redhat.com/security/cve/cve-2013-1569

https://access.redhat.com/security/cve/cve-2014-7923

https://access.redhat.com/errata/RHSA-2015:0093

https://access.redhat.com/security/cve/cve-2013-2384


Also you can find the original report of this bug if you want to confirm, here: https://bugs.chromium.org/p/chromium/issues/detail?id=430353

In conclusion, and as far as I can tell, I would consider these as false positives. Please let me know if you have more concerns on this as I would be more than happy to discuss them.


Best Regards,

John Lionis

Jr Security Engineer @ Percona

Alex Demidoff April 7, 2021 at 8:35 AM
Edited

Hi!

Thanks for reporting this. To investigate the vulnerabilities we have run the GCP security scanner on `percona/pmm-server:2.15.1`.

One of the CVEs you listed above is not confirmed - https://security-tracker.debian.org/tracker/CVE-2013-2383 since there is no JRE runtime installed in PMM 2.15.1 (pls run `yum list installed | grep java` to see which repo you have installed it from).

We are currently investigating these and will get back to you soon with an answer.
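Both replies above rest on the same triage step: the scanner flags `libicu`, but the CVEs only matter when a consumer of ICU's layout/regex engine (a JRE, Chromium or Chrome) is installed alongside it, and in this image none is. The following script is an added example, not code from Percona or from the ticket, that turns that reasoning into a repeatable check over a package inventory. The package list is constructed for the example (only the `libicu.x86_64 50.2-4.el7_7` line comes from the comment above); the consumer name prefixes are an assumption about how those packages are named on a CentOS 7 base.

```shell
#!/bin/sh
# Constructed sample inventory in the shape of
#   rpm -qa --qf '%{NAME}.%{ARCH} %{VERSION}-%{RELEASE}\n'
# Only the libicu line is taken from the ticket; the rest is made up for the example.
SAMPLE_PKGS='libicu.x86_64 50.2-4.el7_7
glibc.x86_64 2.17-317.el7
nginx.x86_64 1.18.0-1.el7
grafana.x86_64 7.3.7-1'

# has_pkg LIST PREFIX : succeed if some package name in LIST starts with PREFIX.
# Prefix matching is deliberate: "java" catches java-1.8.0-openjdk, "openjdk" the
# openjdk-* naming, and so on. Review hits by eye; a prefix match is a lead, not proof.
has_pkg() {
  printf '%s\n' "$1" | awk -v pre="$2" 'index($1, pre) == 1 { found = 1 } END { if (found) exit 0; exit 1 }'
}

# triage_icu LIST : classify the ICU findings for one image inventory.
#   not-flagged  - libicu is absent, the scanner should not raise these CVEs at all
#   flagged-only - libicu present but no JRE/Chromium/Chrome consumer: the reported
#                  attack path does not exist in this image (the ticket's conclusion)
#   affected     - libicu plus a consumer package: treat the finding as real
triage_icu() {
  pkgs="$1"
  if ! has_pkg "$pkgs" "libicu"; then
    echo "not-flagged"
    return 0
  fi
  # Consumer name prefixes are an assumption about CentOS 7 package naming.
  for consumer in java openjdk jre chromium google-chrome; do
    if has_pkg "$pkgs" "$consumer"; then
      echo "affected"
      return 0
    fi
  done
  echo "flagged-only"
}

# Against a real image you would feed the inventory in from the container, e.g.
#   docker run --rm percona/pmm-server:2.15.1 \
#     rpm -qa --qf '%{NAME}.%{ARCH} %{VERSION}-%{RELEASE}\n' > pkgs.txt
#   triage_icu "$(cat pkgs.txt)"
# Here the constructed sample is used so the script runs offline.
triage_icu "$SAMPLE_PKGS"
```

Keeping the verdict as a three-way result rather than a yes/no lets the same script feed an allow-list decision: `flagged-only` is the documented justification for suppressing the finding on this image, while any later image revision that pulls in a JRE flips the result to `affected` and the suppression should be revisited.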


Won't Do

Created April 6, 2021 at 4:18 PM
Updated March 6, 2024 at 2:55 AM
Resolved April 8, 2021 at 2:33 PM