Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Zipkin to address vulnerable version of protobuf-java/netty-common/etc. #230

Closed
hydrapolic opened this issue Nov 19, 2024 · 7 comments
Closed

Update Zipkin to address vulnerable version of protobuf-java/netty-common/etc. #230

hydrapolic opened this issue Nov 19, 2024 · 7 comments
Labels
bug

Comments

@hydrapolic
Copy link
Contributor

hydrapolic commented Nov 19, 2024
edited
Loading

Describe the Bug

The current container (openzipkin/zipkin-gcp:2.2.5) is reported to contain multiple vulnerable components.

openzipkin/zipkin-gcp:2.2.5 (alpine 3.20.2)

Total: 10 (UNKNOWN: 0, LOW: 2, MEDIUM: 8, HIGH: 0, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2023-42364 │ MEDIUM   │ fixed  │ 1.36.1-r29        │ 1.36.1-r30    │ busybox: use-after-free                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364                │
│               ├────────────────┤          │        │                   │               ├───────────────────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365                │
├───────────────┼────────────────┤          │        │                   │               ├───────────────────────────────────────────────────────────┤
│ busybox-binsh │ CVE-2023-42364 │          │        │                   │               │ busybox: use-after-free                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364                │
│               ├────────────────┤          │        │                   │               ├───────────────────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365                │
├───────────────┼────────────────┤          │        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcrypto3    │ CVE-2024-6119  │          │        │ 3.3.1-r3          │ 3.3.2-r0      │ openssl: Possible denial of service in X.509 name checks  │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6119                 │
│               ├────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│               │ CVE-2024-9143  │ LOW      │        │                   │ 3.3.2-r3      │ openssl: Low-level invalid GF(2^m) parameters lead to OOB │
│               │                │          │        │                   │               │ memory access                                             │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-9143                 │
├───────────────┼────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│ libssl3       │ CVE-2024-6119  │ MEDIUM   │        │                   │ 3.3.2-r0      │ openssl: Possible denial of service in X.509 name checks  │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6119                 │
│               ├────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│               │ CVE-2024-9143  │ LOW      │        │                   │ 3.3.2-r3      │ openssl: Low-level invalid GF(2^m) parameters lead to OOB │
│               │                │          │        │                   │               │ memory access                                             │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-9143                 │
├───────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2023-42364 │ MEDIUM   │        │ 1.36.1-r29        │ 1.36.1-r30    │ busybox: use-after-free                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364                │
│               ├────────────────┤          │        │                   │               ├───────────────────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365                │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

Java (jar)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │            Fixed Version             │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ com.google.protobuf:protobuf-java (protobuf-java-3.25.3.jar) │ CVE-2024-7254  │ HIGH     │ fixed  │ 3.25.3            │ 3.25.5, 4.27.5, 4.28.2               │ protobuf: StackOverflow vulnerability in Protocol Buffers   │
│                                                              │                │          │        │                   │                                      │ https://avd.aquasec.com/nvd/cve-2024-7254                   │
├──────────────────────────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ io.netty:netty-common (netty-common-4.1.112.Final.jar)       │ CVE-2024-47535 │          │        │ 4.1.112.Final     │ 4.1.115                              │ netty: Denial of Service attack on windows app using Netty  │
│                                                              │                │          │        │                   │                                      │ https://avd.aquasec.com/nvd/cve-2024-47535                  │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot-loader-classic          │ CVE-2024-38807 │ MEDIUM   │        │ 3.3.2             │ 2.7.22, 3.0.17, 3.1.13, 3.2.9, 3.3.3 │ Applications that use spring-boot-loaderor                  │
│ (spring-boot-loader-classic-3.3.2.jar)                       │                │          │        │                   │                                      │ spring-boot-loader-classica ...                             │
│                                                              │                │          │        │                   │                                      │ https://avd.aquasec.com/nvd/cve-2024-38807                  │
├──────────────────────────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ org.springframework:spring-context                           │ CVE-2024-38820 │          │        │ 6.1.11            │ 6.1.14                               │ The fix for CVE-2022-22968 made disallowedFieldspatterns in │
│ (spring-context-6.1.11.jar)                                  │                │          │        │                   │                                      │ DataBinder ...                                              │
│                                                              │                │          │        │                   │                                      │ https://avd.aquasec.com/nvd/cve-2024-38820                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────┴─────────────────────────────────────────────────────────────┘

Steps to Reproduce

trivy image --ignore-unfixed openzipkin/zipkin-gcp:2.2.5

Expected Behaviour

Ideally no known vulnerabilities.
@hydrapolic hydrapolic added the bug label Nov 19, 2024
@hydrapolic hydrapolic mentioned this issue Nov 19, 2024
Closed
@reta
Copy link
Contributor

reta commented Nov 19, 2024

openzipkin/docker-java#92 updates Docker images

@shakuzen
Copy link
Member

With #232 merged, I believe this should be addressed - trivy is passing now.

@hydrapolic
Copy link
Contributor Author

Great, thanks!

@hydrapolic
Copy link
Contributor Author

Any chance for a new tag/docker image where the vulnerability scan is clean please?

@shakuzen
Copy link
Member

I'd like to get #228 sorted, and then I think we can do a new release.

@hydrapolic
Copy link
Contributor Author

I'd like to get #228 sorted, and then I think we can do a new release.

Sounds perfect, thank you!

@shakuzen
Copy link
Member

shakuzen commented Dec 5, 2024

2.2.6 is released now with this fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update dependencies hydrapolic/zipkin-gcp
3 participants
@reta @hydrapolic @shakuzen