
Vulnerability CVE-2022-23308 for libxml2 #8321

Closed
fred214 opened this issue Mar 10, 2022 · 15 comments
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

fred214 commented Mar 10, 2022

Hi, our scanner reported that libxml2 v2.9.12-r1 has a vulnerability. I think it belongs to upstream, and I already created issue alpinelinux/docker-alpine#240.
I want to know what libxml2 is used for (https://github.com/kubernetes/ingress-nginx/blob/main/images/nginx/rootfs/Dockerfile#L50); maybe I can remove it from the base image.
As I understand it, Alpine is a base binary release; is there any possibility that I can build it like the other libraries that are used for nginx? Thanks a lot

@fred214 fred214 added the kind/bug Categorizes issue or PR as related to a bug. label Mar 10, 2022
@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Mar 10, 2022
@longwuyuan (Contributor)

Please show your scanner's report.

@longwuyuan (Contributor)

Removing the bug label until the report is available here to look at.

/remove-kind bug

@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. and removed kind/bug Categorizes issue or PR as related to a bug. labels Mar 11, 2022
@longwuyuan (Contributor)

grype does not see this CVE

(image attachment not preserved)

fred214 (Author) commented Mar 12, 2022

alpinelinux/docker-alpine#240
After I reported it, libxml2 was updated to 2.9.13-r0 in alpine:3.14 on 2022-03-11 01:00:28, https://pkgs.alpinelinux.org/packages?name=libxml2&branch=v3.14
I will re-scan the image after the rebuild.

@strongjz (Member)

My understanding is that Libxml2 is used for XML parsing, https://en.wikipedia.org/wiki/Libxml2

The ngx_http_xslt_module requires Libxml2.

/triage accepted
/kind bug
/priority backlog

Once you get an answer back from the Alpine linux issue we can look to implement that fix.

Thank you,
James

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority labels Mar 14, 2022
@strongjz strongjz self-assigned this Mar 14, 2022
@strongjz (Member)

We discussed in the community on 3/15 upgrading to Alpine 3.15. Let's test that and move forward with the update.

@fred214 can you post the tool you used for scanning and the CVE for this vuln? Thanks

-James

@cegganesh84

Here is my scan report with aquasecurity/trivy:

% trivy image --light --exit-code 1 --ignore-unfixed --vuln-type os --severity UNKNOWN,HIGH,CRITICAL k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
2022-03-15T11:08:36.837-0700	WARN	'--light' option is deprecated and will be removed. See also: https://github.com/aquasecurity/trivy/discussions/1649
2022-03-15T11:08:36.920-0700	INFO	Need to update DB
2022-03-15T11:08:36.920-0700	INFO	Downloading DB...
29.92 MiB / 29.92 MiB [------------------------------------------------------------------------------] 100.00% 3.25 MiB p/s 9.4s
2022-03-15T11:08:58.088-0700	INFO	Detected OS: alpine
2022-03-15T11:08:58.088-0700	INFO	Detecting Alpine vulnerabilities...

k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c (alpine 3.14.2)
==================================================================================================================================
Total: 1 (UNKNOWN: 0, HIGH: 1, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| libxml2 | CVE-2022-23308   | HIGH     | 2.9.12-r1         | 2.9.13-r0     | libxml2: Use-after-free               |
|         |                  |          |                   |               | of ID and IDREF attributes            |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-23308 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+

fred214 (Author) commented Mar 16, 2022

alpine:3.14 has updated the libxml2 version to 2.9.13-r0 on 2022.3.11, https://pkgs.alpinelinux.org/packages?name=libxml2&branch=v3.14
It has passed our scanner. Thanks for the reply.

@fred214 fred214 closed this as completed Mar 16, 2022
@longwuyuan (Contributor)

/reopen

[~]
% docker images | grep -i "ingress-nginx/controller"
k8s.gcr.io/ingress-nginx/controller   7e5c1cecb086   2 weeks ago   286MB

% grype docker images | grep -i "ingress-nginx/controller" | awk '{print $3}'
✔ Vulnerability DB [updated]
New version of grype is available: 0.34.1
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [113 packages]
✔ Scanned image [4 vulnerabilities]

NAME                        INSTALLED  FIXED-IN   VULNERABILITY   SEVERITY
google.golang.org/protobuf  v1.27.1               CVE-2015-5237   High
google.golang.org/protobuf  v1.27.1               CVE-2021-22570  High
libxml2                     2.9.12-r1  2.9.13-r0  CVE-2022-23308  High
[~]
% grype k8s.gcr.io/ingress-nginx/controller:v0.50.0@sha256:f46fc2d161c97a9d950635acb86fb3f8d4adcfb03ee241ea89c6cde16aa3fdf8
✔ Vulnerability DB [no update available]
New version of grype is available: 0.34.1
✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [115 packages]
✔ Scanned image [6 vulnerabilities]

NAME                                 INSTALLED  FIXED-IN   VULNERABILITY        SEVERITY
github.com/opencontainers/runc       v1.0.1     1.0.3      GHSA-v95c-p5hm-xq8f  Medium
github.com/prometheus/client_golang  v1.11.0               CVE-2022-21698       High
google.golang.org/protobuf           v1.26.0               CVE-2015-5237        High
google.golang.org/protobuf           v1.26.0               CVE-2021-22570       High
libxml2                              2.9.12-r1  2.9.13-r0  CVE-2022-23308       High
[~]
%
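As an added example (not code from this thread or from the ingress-nginx project), the following Python helper shows how a defender can triage scanner output like the grype tables above: it parses the whitespace-separated rows, tolerates rows whose FIXED-IN column is empty (which shifts the field count), and checks whether a planned package upgrade, here libxml2 2.9.13-r0 as mentioned by the reporter, actually reaches each finding's fixed version. The version ordering is a simplified numeric comparison of "A.B.C-rN" strings; that simplification, the `triage` function and the status names are assumptions of this example, not apk-tools' or grype's own logic.

```python
"""Added example: triage grype table output and check whether a package
upgrade satisfies each finding's FIXED-IN version.

Not part of the issue thread or the ingress-nginx project.  The version
comparison is a simplified numeric comparison of "A.B.C-rN" strings (enough
for the apk and Go module versions seen in these scans); it is an assumption
of this example, not apk-tools' full version algorithm.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Scan output as it appears in the thread (the second grype run), including
# the progress lines a parser has to skip.
SAMPLE_GRYPE_OUTPUT = """\
✔ Vulnerability DB [no update available]
New version of grype is available: 0.34.1
✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [115 packages]
✔ Scanned image [6 vulnerabilities]

NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY
github.com/opencontainers/runc v1.0.1 1.0.3 GHSA-v95c-p5hm-xq8f Medium
github.com/prometheus/client_golang v1.11.0 CVE-2022-21698 High
google.golang.org/protobuf v1.26.0 CVE-2015-5237 High
google.golang.org/protobuf v1.26.0 CVE-2021-22570 High
libxml2 2.9.12-r1 2.9.13-r0 CVE-2022-23308 High
"""

VULN_ID = re.compile(r"^(CVE-\d{4}-\d{4,}|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})$")
SEVERITIES = {"Negligible", "Low", "Medium", "High", "Critical", "Unknown"}


@dataclass
class Finding:
    name: str
    installed: str
    fixed_in: Optional[str]   # None when the scanner lists no fixed version
    vuln_id: str
    severity: str


def parse_grype_table(text: str) -> List[Finding]:
    """Parse whitespace-separated grype table rows.

    FIXED-IN may be empty, so a row has either 5 or 4 fields.  A row is
    recognised by a vulnerability id and a severity in its last two fields,
    which also filters out the header and grype's progress lines.
    """
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) not in (4, 5):
            continue
        vuln_id, severity = fields[-2], fields[-1]
        if not VULN_ID.match(vuln_id) or severity not in SEVERITIES:
            continue
        name, installed = fields[0], fields[1]
        fixed_in = fields[2] if len(fields) == 5 else None
        findings.append(Finding(name, installed, fixed_in, vuln_id, severity))
    return findings


def version_key(version: str) -> tuple:
    """Ordering key for versions such as '2.9.12-r1', '1.0.3' or 'v1.27.1'.

    Returns (numeric components, apk package release).  Simplified on
    purpose: no _alpha/_p suffixes and no semver pre-release handling.
    """
    version = version[1:] if version.startswith("v") else version
    main, _, rel = version.partition("-r")
    parts = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    return parts, (int(rel) if rel.isdigit() else 0)


def triage(findings: List[Finding], upgrades: Dict[str, str]) -> Dict[str, str]:
    """Classify each finding given planned package upgrades (name -> version)."""
    result = {}
    for f in findings:
        if f.fixed_in is None:
            result[f.vuln_id] = "no-fix-available"
            continue
        candidate = upgrades.get(f.name, f.installed)
        if version_key(candidate) >= version_key(f.fixed_in):
            result[f.vuln_id] = "resolved"
        else:
            result[f.vuln_id] = "still-affected"
    return result


if __name__ == "__main__":
    found = parse_grype_table(SAMPLE_GRYPE_OUTPUT)
    # Constructed upgrade plan: the Alpine libxml2 update mentioned in the thread.
    for vuln, status in triage(found, {"libxml2": "2.9.13-r0"}).items():
        print(f"{vuln:22} {status}")
```

Run as a script it prints one status per finding; with the libxml2 upgrade applied, CVE-2022-23308 comes out as resolved, the runc advisory stays affected (no upgrade planned), and the three Go findings without a FIXED-IN value are reported as having no fix available, which is the distinction a rebuild-and-rescan workflow like the one in this thread has to make.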

@k8s-ci-robot (Contributor)

@longwuyuan: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot reopened this Mar 16, 2022
@longwuyuan (Contributor)

@strongjz @rikatz @tao12345666333, now there are 2 CVEs: this one and #8339, requiring a new base image and promotion.

/priority important-short-term

@k8s-ci-robot (Contributor)

@longwuyuan: The label(s) priority/important-short-term cannot be applied, because the repository doesn't have them.


@longwuyuan (Contributor)

/priority important-soon

@k8s-ci-robot k8s-ci-robot added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Mar 16, 2022
@strongjz (Member) commented Apr 1, 2022

patched in https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v.1.1.3

/close

@k8s-ci-robot (Contributor)

@strongjz: Closing this issue.

In response to this:

patched in https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v.1.1.3

/close


@strongjz strongjz mentioned this issue Apr 2, 2022
razvan-moj added a commit to ministryofjustice/cloud-platform-terraform-ingress-controller that referenced this issue Apr 11, 2022
5 participants