Vulnerabilities in cimg images

The cimg/base:stable image and other cimg images seem to have a lot of vulnerabilities, including critical ones, such as NVD - CVE-2022-1996, and doing an update doesn’t fix it.

Hello

Would it be possible to raise a support request for this using the link below our team will be happy to look into this and raise it with our team.

https://support.circleci.com/hc/en-us/requests/new

Kind Regards
Owen Oliver

Doing updates can not resolve this CVE at the moment as the circleci image is built on top of Ubuntu and their current status regarding the issue can be found here

  https://ubuntu.com/security/CVE-2022-1996

If you build any docker images and store them at Docker Hub you will by now know just how many vulnerabilities exist as Docker Hub provides access to the scanner from snyk and unless you were to build using alpha code from all the product providers there is just about no real way to reduce the list of issues. As the vulnerabilities can not be removed the main defence is how you are using the deployed environment system.

In terms of NVD - CVE-2022-1996 the issue only shows up if you are running go restful code that defines an array of domains allowed as part of the CORS policy. So it is a nasty issue for go programmers and the issue will really show up where their application is finally deployed in the real world, rather than within a CI test environment unless the environment is open to the world.

The original report with full details can be found here

   https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/

Hi,

A couple of notes here:

  1. Please use cimg/base:current instead of cimg/base:stable. The latter is deprecated and won’t be updated very soon.
  2. If there are CVEs present in an image, and they come from system packages, an apt-get update && apt-get install <the-package> should bring in the fix. As someone else in this thread mentioned, this will only work for packages that have fixes. That’s not always the case.
  3. If there’s a CVE from a 3rd-party package, it likely won’t be fixed until a newer image release when it will be updated. The vast majority of CVEs we come across in the CI world on our platform aren’t actual risks due to the nature of our infrastructure: passwordless sudo, sandboxing, etc. In the rare situation where this is a serious CVE that could cause problems, we will fix it in an already published image.