Vulnerabilities in cimg images

The cimg/base:stable image and other cimg images seem to have a lot of vulnerabilities, including critical ones, such as NVD - CVE-2022-1996, and doing an update doesn’t fix it.

Hello

Would it be possible to raise a support request for this using the link below? Our team will be happy to look into this and raise it with our team.

https://support.circleci.com/hc/en-us/requests/new

Kind Regards
Owen Oliver

Doing updates cannot resolve this CVE at the moment, as the CircleCI image is built on top of Ubuntu, and their current status regarding the issue can be found here:

https://ubuntu.com/security/CVE-2022-1996

If you build any Docker images and store them at Docker Hub, you will by now know just how many vulnerabilities exist, as Docker Hub provides access to the scanner from Snyk, and unless you were to build using alpha code from all the product providers, there is just about no real way to reduce the list of issues. As the vulnerabilities cannot be removed, the main defence is how you are using the deployed environment system.

In terms of NVD - CVE-2022-1996, the issue only shows up if you are running go-restful code that defines an array of domains allowed as part of the CORS policy. So it is a nasty issue for Go programmers, and the issue will really show up where their application is finally deployed in the real world, rather than within a CI test environment, unless the environment is open to the world.

The original report with full details can be found here:

https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/

Hi,

A couple of notes here:

  1. Please use cimg/base:current instead of cimg/base:stable. The latter is deprecated and won’t be updated very soon.
  2. If there are CVEs present in an image, and they come from system packages, an apt-get update && apt-get install <the-package> should bring in the fix. As someone else in this thread mentioned, this will only work for packages that have fixes. That’s not always the case.
  3. If there’s a CVE from a 3rd-party package, it likely won’t be fixed until a newer image release when it will be updated. The vast majority of CVEs we come across in the CI world on our platform aren’t actual risks due to the nature of our infrastructure: passwordless sudo, sandboxing, etc. In the rare situation where this is a serious CVE that could cause problems, we will fix it in an already published image.
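The distinction drawn in items 2 and 3 (a system package is only worth an apt-get install when the distro has actually published a fix; a third-party package waits for a new image release) can be applied mechanically to a scanner report before deciding whether to add an upgrade step to a job. The following is an added shell example, not code from this thread or from the cimg project. The installed-package list, candidate versions and the ISSUE-n ids are constructed; only CVE-2022-1996 is taken from the thread, and it is listed as a Go module precisely because apt does not manage it. `sort -V` stands in for `dpkg --compare-versions`, which is the authoritative version comparison inside a Debian/Ubuntu image.

```shell
#!/bin/sh
# Added example (not from the thread or the cimg images): sort scanner
# findings into "apt can fix this now" vs "nothing to install yet".
# Every table below is constructed for the example.

# Constructed: packages the image installed through apt.
# Real source inside the image: dpkg-query -W -f='${Package} ${Version}\n'
INSTALLED='openssl 1.0-1ubuntu1
libxml2 2.0-3
curl 7.0-2'

# Constructed: what apt would install after `apt-get update`.
# Real source: the "Candidate:" line of `apt-cache policy <pkg>`
CANDIDATES='openssl 1.0-1ubuntu2
libxml2 2.0-3
curl 7.0-3'

# Constructed scanner findings: id, package, fixed version ("-" = no fix published).
# CVE-2022-1996 is the finding named in the thread; its package is a Go module,
# so the fixed-version field is not consulted for it.
FINDINGS='CVE-2022-1996 github.com/emicklei/go-restful -
ISSUE-1 openssl 1.0-1ubuntu2
ISSUE-2 libxml2 -
ISSUE-3 curl 7.0-4'

# lookup "<table>" <pkg>: print the version column for pkg, or nothing.
lookup() {
  printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print $2 }'
}

# version_ge A B: true when A sorts at or above B. sort -V approximates
# dpkg --compare-versions, which is what you would use inside the image.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# classify <pkg> <fixed>: one verdict per finding.
classify() {
  pkg=$1
  fixed=$2
  installed=$(lookup "$INSTALLED" "$pkg")
  if [ -z "$installed" ]; then
    echo third-party       # not an apt package: only a new image release helps
  elif [ "$fixed" = "-" ]; then
    echo no-fix            # distro has published nothing; apt-get install cannot help
  elif version_ge "$installed" "$fixed"; then
    echo already-fixed     # image already carries the fix; scanner data is stale
  elif version_ge "$(lookup "$CANDIDATES" "$pkg")" "$fixed"; then
    echo fixable           # apt-get update && apt-get install --only-upgrade <pkg>
  else
    echo not-in-repo-yet   # fix exists upstream but apt's candidate is still older
  fi
}

# triage: print one line per finding with its verdict.
triage() {
  printf '%s\n' "$FINDINGS" | while read -r id pkg fixed; do
    printf '%-14s %-35s %s\n' "$id" "$pkg" "$(classify "$pkg" "$fixed")"
  done
}

triage
```

Only the `fixable` verdict justifies an `apt-get update && apt-get install --only-upgrade <pkg>` step in the job; `no-fix` and `not-in-repo-yet` will still be reported by the scanner after that step runs, which is the situation the original poster describes, and `third-party` findings are only closed by a rebuilt image.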

I guess I agree about #3, but arguably the largest hack ever, the SolarWinds hack, was an attack on a build system, so please do take this seriously and keep it updated. I know first hand that it is not convenient to do frequent updates, but please update it at least once a month.