Critical security vulnerabilities in container image #4856

Open
porscheme opened this issue Nov 11, 2022 · 3 comments
Labels: affects/none (PR/issue: this bug affects none version), CVE

@porscheme

Please check the FAQ documentation before raising an issue

Describe the bug (required)
Nebula Version: v.3.2.0
Critical security vulnerabilities in container images detected. Please upgrade the affected components.

Scanning graphd, storaged and metad container images revealed critical security vulnerabilities in below components.

Name: nss, Version: 3.53.1
        CVE-2021-43527, Severity: CRITICAL, Source: https://access.redhat.com/errata/RHSA-2021:4904
            Fixed version: 3.67.0-4.el7_9

Name: nss-sysinit, Version: 3.53.1
        Failed policy: Default vulnerabilities policy
        CVE-2021-43527, Severity: CRITICAL, Source: https://access.redhat.com/errata/RHSA-2021:4904
            Fixed version: 3.67.0-4.el7_9

Name: nss-tools, Version: 3.53.1
        Failed policy: Default vulnerabilities policy
        CVE-2021-43527, Severity: CRITICAL, Source: https://access.redhat.com/errata/RHSA-2021:4904
            Fixed version: 3.67.0-4.el7_9

@porscheme porscheme added the type/bug Type: something is unexpected label Nov 11, 2022
wey-gu commented Nov 11, 2022

cc @Sophie-Xie

wey-gu commented Nov 11, 2022

Maybe we should have a label for security/CVE/vulnerabilities?

@Sophie-Xie Sophie-Xie added this to the v3.4.0 milestone Nov 11, 2022
@porscheme

In addition to the above CRITICAL ones, can you please also fix the below HIGH security vulnerabilities?
I'm happy to scan a private build.
If you provide proper notes, I can build the container with upgraded packages!
Can we have a Zoom session?

Name: gzip, Version: 1.5
        CVE-2022-1271, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2022:2191
            Fixed version: 1.5-11.el7_9

Name: glib2, Version: 2.56.1
        CVE-2016-3191, Severity: HIGH, Source: https://access.redhat.com/security/cve/CVE-2016-3191
        CVE-2015-8385, Severity: HIGH, Source: https://access.redhat.com/security/cve/CVE-2015-8385
        CVE-2021-27219, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2021:2147
            Fixed version: 2.56.1-9.el7_9

Name: systemd, Version: 219
        CVE-2022-2526, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2022:6160
            Fixed version: 219-78.el7_9.7

Name: systemd-libs, Version: 219
        CVE-2022-2526, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2022:6160
            Fixed version: 219-78.el7_9.7

Name: xz, Version: 5.2.2
        CVE-2022-1271, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2022:5052
            Fixed version: 5.2.2-2.el7_9

Name: expat, Version: 2.1.0
        CVE-2022-25235, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2022:1069
            Fixed version: 2.1.0-14.el7_9
        CVE-2022-25236, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2022:1069
            Fixed version: 2.1.0-14.el7_9
        CVE-2022-25315, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2022:1069
            Fixed version: 2.1.0-14.el7_9
        CVE-2022-40674, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2022:6834
            Fixed version: 2.1.0-15.el7_9

Name: bind-license, Version: 9.11.4
        CVE-2022-38178, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2022:6765
            Fixed version: 32:9.11.4-26.P2.el7_9.10
        CVE-2020-8625, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2021:0671
            Fixed version: 32:9.11.4-26.P2.el7_9.4
        CVE-2021-25215, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2021:1469
            Fixed version: 32:9.11.4-26.P2.el7_9.5
        CVE-2022-38177, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2022:6765
            Fixed version: 32:9.11.4-26.P2.el7_9.10

Name: openssl-libs, Version: 1.0.2k
        CVE-2020-1971, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2020:5566
            Fixed version: 1:1.0.2k-21.el7_9
        CVE-2022-0778, Severity: HIGH, Source: https://access.redhat.com/errata/RHSA-2022:1066
            Fixed version: 1:1.0.2k-25.el7_9

@Sophie-Xie Sophie-Xie assigned MuYiYong and unassigned Shinji-IkariG Dec 1, 2022
@HarrisChu HarrisChu added affects/none PR/issue: this bug affects none version. severity/none Severity of bug severity/minor Severity of bug labels Dec 1, 2022
@github-actions github-actions bot removed the severity/none Severity of bug label Dec 7, 2022
@xtcyclist xtcyclist removed type/bug Type: something is unexpected severity/minor Severity of bug labels Dec 21, 2022
@xtcyclist xtcyclist removed this from the v3.4.0 milestone Dec 21, 2022
@xtcyclist xtcyclist assigned dutor and unassigned MuYiYong Dec 21, 2022
@xtcyclist xtcyclist added the CVE label Dec 21, 2022
@dutor dutor assigned Shinji-IkariG and unassigned dutor Mar 14, 2023