
builder-noble-java-tiny contains openssl-3.0.13 flagged with CVE-2024-5535 CVE-2024-6119 CVE-2024-4741 #37

Open
patpatpat123 opened this issue Feb 6, 2025 · 11 comments

Comments

@patpatpat123

Hello team,

We have many paid software programs that scan the content of the container to detect vulnerabilities.

All of our tools flag the following:

https://nvd.nist.gov/vuln/detail/CVE-2024-4741

https://nvd.nist.gov/vuln/detail/CVE-2024-6119

https://nvd.nist.gov/vuln/detail/CVE-2024-5535

Looking at the Deb/dpkg package, the vulnerable version is confirmed.

I have verified that the binary exists in the container.

@dmikusa
Contributor

dmikusa commented Feb 6, 2025

I clicked through on the CVEs you referenced, and they are all still listed as awaiting analysis. Have you confirmed that these are patched in the latest Ubuntu Noble release?

As policy states here, Paketo cannot update until Ubuntu has done so first. We will strive to push out updates for high and critical issues in 48 hours and two weeks for medium and low issues.


Please also be aware that this is an OSS project. We cannot and do not have enough volunteers to take every report a scanner generates and debug it for you. If you're seeing an issue with an automated scanning report, the first thing you should do is assume that it's wrong until proven otherwise. Then investigate and confirm that it is in fact an issue. The expectation is that you will do the leg work, like making sure upstream Ubuntu has patched so that a fix is available. If you require a higher degree of help, then I would suggest looking for a paid support contract with buildpacks.

I am writing this because we've had a similar conversation on another issue where the tooling you run generated false positives. I'm sympathetic because the BOM material that we generated was not very clear, but that is exactly why we ask for a manual investigation of scanner-flagged issues before reporting them to the project.

Thanks

@dmikusa
Contributor

dmikusa commented Feb 6, 2025

The steps that I would suggest for someone to investigate a scanner-reported issue are:

  1. Check the upstream Ubuntu image. Is it also flagged? Has Ubuntu reported a fix? https://ubuntu.com/security/notices
  2. If there is a fix, has the fix been incorporated into the corresponding Paketo stack image? i.e. if you check the image, has it been updated to include the fixed package? See the stack repo for details, https://github.com/paketo-buildpacks/noble-tiny-stack.
  3. If the stack has been updated, has the builder been updated? See here for the stack version in the builder. If the builder has been updated, has a release been generated since it was updated? This process is automatic but occasionally hits snags and needs a manual prodding.

@patpatpat123
Author

patpatpat123 commented Feb 12, 2025

Hello @dmikusa ,

Thank you for the writing.
Responses are below:

"I clicked through on the CVEs you referenced, and they are all still listed as awaiting analysis. Have you confirmed that these are patched in the latest Ubuntu Noble release?"

NVD data is being enhanced by CISA

"Then investigate and confirm that it is in fact an issue"

At this point, there are engineers from 3 different companies for security analysis who took the container and confirmed the vulnerability.

"I'm sympathetic because the BOM material that we generated was not very clear,"

One of the many companies we are working with is actually Anchore, which maintains Syft.

We have the highest tier of license with them. I would like to help with the Syft issue, as it seems the way it is currently used might not be optimal.

Could you please let me know what version of syft you guys are using? Do you have any specific configuration being used?

(By the way, Anchore also confirmed this vulnerability is not a false positive)

Thank you in advance for the answers.

@dmikusa
Contributor

dmikusa commented Feb 12, 2025

Can you provide the specific information listed in this comment? Saying it's vulnerable isn't sufficient, we need specifics in relation to the images in question. If you can answer those three questions, that should be enough.

@patpatpat123
Author

Check the upstream Ubuntu image. Is it also flagged? Has Ubuntu reported a fix? https://ubuntu.com/security/notices

=> https://ubuntu.com/security/notices/USN-6937-1
But we do not think it is a Ubuntu issue.
We have the enterprise license with Ubuntu, and told them about this CVE.

They also mentioned 3.0.13-0ubuntu3.4 should be good

@patpatpat123
Author

If there is a fix, has the fix been incorporated into the corresponding Paketo stack image? i.e. if check the image, has it been updated to include the fixed package? See the stack repo for details, https://github.com/paketo-buildpacks/noble-tiny-stack.

=> I am not sure how to check that. How can each and every buildpack user check whether a fix is included in which version of which buildpack?

[image attached]

@patpatpat123
Author

With that said, this seems not to be an Ubuntu problem, but a buildpack-specific problem, where the buildpack includes two different versions of openssl, and that is possible.

For instance, this is from an older example, but a vulnerable and a non-vulnerable version can exist.
This is showing that the openssl package contains the openssl binary, so these are two different things

apt show openssl

Package: openssl
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 2053
Maintainer: Ubuntu Developers <[email protected]>
Architecture: amd64
Multi-Arch: foreign
Version: 3.0.2-0ubuntu1.18
Depends: libc6 (>= 2.34), libssl3 (>= 3.0.2-0ubuntu1.2)
Suggests: ca-certificates
Conffiles:
 /etc/ssl/openssl.cnf 6b4a72a4ce84bab35d884e536295e14f
Description: Secure Sockets Layer toolkit - cryptographic utility
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It contains the general-purpose command line binary /usr/bin/openssl,
 useful for cryptographic operations such as:
  * creating RSA, DH, and DSA key parameters;
  * creating X.509 certificates, CSRs, and CRLs;
  * calculating message digests;
  * encrypting and decrypting with ciphers;
  * testing SSL/TLS clients and servers;
  * handling S/MIME signed or encrypted mail.
Homepage: https://www.openssl.org/
Original-Maintainer: Debian OpenSSL Team <[email protected]>

There is one that is vulnerable, and one that is not. In total, two.
When going inside the container, I can also see both are here.

@patpatpat123
Author

Can you also confirm that both versions exist together, please @dmikusa ?

@dmikusa
Contributor

dmikusa commented Feb 14, 2025

=> I am not sure how to check that. How can each and every buildpack users check if a fix is included in which version of which buildpack?

The release notes include the USNs that have been patched in each release. See https://github.com/paketo-buildpacks/noble-tiny-stack/releases/tag/v0.0.6 which is where USN-6937-1 was patched.

@patpatpat123
Author

Thank you for the answer @dmikusa .

With that said, several container scan companies think there are two different files.

One that is patched and safe (as you showed)

another one, a second, that is vulnerable.

The proof is that it is possible to have two files in one same layer, as shown here:

apt show openssl

Package: openssl
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 2053
Maintainer: Ubuntu Developers <[email protected]>
Architecture: amd64
Multi-Arch: foreign
Version: 3.0.2-0ubuntu1.18
Depends: libc6 (>= 2.34), libssl3 (>= 3.0.2-0ubuntu1.2)
Suggests: ca-certificates
Conffiles:
 /etc/ssl/openssl.cnf 6b4a72a4ce84bab35d884e536295e14f
Description: Secure Sockets Layer toolkit - cryptographic utility
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It contains the general-purpose command line binary /usr/bin/openssl,
 useful for cryptographic operations such as:
  * creating RSA, DH, and DSA key parameters;
  * creating X.509 certificates, CSRs, and CRLs;
  * calculating message digests;
  * encrypting and decrypting with ciphers;
  * testing SSL/TLS clients and servers;
  * handling S/MIME signed or encrypted mail.
Homepage: https://www.openssl.org/
Original-Maintainer: Debian OpenSSL Team <[email protected]>
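One way to carry out step 2 of dmikusa's checklist above against a container, and to make concrete why the `apt show openssl` output shows two separate things (the `openssl` CLI package and the `libssl3` library package it depends on, which dpkg tracks as independent entries that can sit at different versions), as an added example that is not code from the Paketo project or from anyone in this thread. It assumes a dpkg status dump taken inside the container (for instance with `dpkg-query -s openssl libssl3`); the sample dump below is constructed, and the fixed version 3.0.13-0ubuntu3.4 is the one quoted from Ubuntu earlier in the thread. The version comparison reimplements dpkg's ordering rules (epoch, then upstream, then revision, with `~` sorting before anything else) so the check can run where dpkg is not installed, e.g. on a scanner host.

```python
"""Compare dpkg package versions from a container against a USN fix version.

Added example, not Paketo project code. The status text is constructed to
look like `dpkg-query -s openssl libssl3` output; the fixed version comes
from the Ubuntu statement quoted in the thread.
"""
import re

# Constructed sample: the CLI package already carries the fixed revision,
# but the shared-library package (what a TLS-using process actually loads)
# is still one revision behind. A scanner that walks dpkg entries will
# flag libssl3 and not openssl, which looks like "two versions" of OpenSSL.
SAMPLE_STATUS = """\
Package: openssl
Status: install ok installed
Version: 3.0.13-0ubuntu3.4
Depends: libc6 (>= 2.34), libssl3 (>= 3.0.13-0ubuntu3.4)

Package: libssl3
Status: install ok installed
Version: 3.0.13-0ubuntu3.1
"""

# Version that USN-6937-1 shipped for noble, as quoted in the thread.
FIXED_VERSIONS = {"openssl": "3.0.13-0ubuntu3.4", "libssl3": "3.0.13-0ubuntu3.4"}


def _order(c):
    """Character weight used by dpkg for the non-digit parts of a version."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even end-of-string
    return ord(c) + 256    # other punctuation sorts after letters


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate non-digit and numeric segments."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1        # a has more digits in this segment: larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision' into its three dpkg components."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-")
    if not upstream:                 # no '-' present: whole string is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions` would order a and b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return (r > 0) - (r < 0)
    return 0


def parse_dpkg_status(text):
    """Map package name -> installed version from dpkg status stanzas."""
    packages = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue          # continuation lines (Description body) are skipped
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields and "Version" in fields:
            packages[fields["Package"]] = fields["Version"]
    return packages


def check_against_fix(status_text, fixed=FIXED_VERSIONS):
    """Classify each package of interest as fixed, vulnerable or not installed."""
    installed = parse_dpkg_status(status_text)
    report = {}
    for pkg, fixed_version in fixed.items():
        if pkg not in installed:
            report[pkg] = "not installed"
        elif compare_versions(installed[pkg], fixed_version) >= 0:
            report[pkg] = "fixed"
        else:
            report[pkg] = "vulnerable"
    return report


if __name__ == "__main__":
    for pkg, verdict in check_against_fix(SAMPLE_STATUS).items():
        print(f"{pkg}: {verdict}")
```

Feed it the real `dpkg-query -s` output from the image under review and compare with the USN line in the stack release notes; when both packages report "fixed" but a scanner still flags the image, the scanner is most likely matching on something other than the dpkg database (a stray binary, a vendored library, or SBOM metadata), which narrows the investigation to a file rather than a package version.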

@patpatpat123
Author

And if you believe it is not a "two files, one vulnerable and one not" issue, but a Syft issue, here is the issue tracker:

paketo-buildpacks/jammy-base-stack#190
