
CVE-2023-4863 in nginx-unprivileged image #3365

Closed
rghorpade-mdsol opened this issue Oct 31, 2023 · 8 comments · Fixed by #3375
Labels
bug Something isn't working

Comments

@rghorpade-mdsol

The latest nginx-unprivileged:1.23.3-alpine image version for the sumologic-kubernetes-collection chart (chart version 3.16.2, nginx-unprivileged image version public.ecr.aws/sumologic/nginx-unprivileged:1.23.3-alpine) has 1 critical vulnerability and 9 high vulnerabilities, found by AWS ECR vulnerability scans. We are currently working to drive both of these categories to 0 in images running in our Kubernetes cluster. Is there a timeline where we can expect these to be addressed in your image? And does Sumo have a plan to keep these categories at 0 (or as close as possible as new issues are found) going forward?

@rghorpade-mdsol rghorpade-mdsol added the bug Something isn't working label Oct 31, 2023
@rghorpade-mdsol (Author)

List of vulnerabilities:

| Component | Version | Vulnerability | Severity |
|---|---|---|---|
| curl | 7.88.1-r1 | CVE-2023-38545 | critical |
| libwebp | 1.2.4-r1 | CVE-2023-4863 | high |
| nghttp2 | 1.51.0-r0 | CVE-2023-44487 | high |
| libx11 | 1.8.4-r0 | CVE-2023-43787 | high |
| curl | 7.88.1-r1 | CVE-2023-38039 | high |
| nghttp2 | 1.51.0-r0 | CVE-2023-35945 | high |
| libx11 | 1.8.4-r0 | CVE-2023-3138 | high |
| ncurses | 6.3_p20221119-r0 | CVE-2023-29491 | high |
| curl | 7.88.1-r1 | CVE-2023-28319 | high |
| libwebp | 1.2.4-r1 | CVE-2023-1999 | high |

@aboguszewski-sumo (Contributor)

Hi Rajendra, thanks for creating the issue.

Are you sure the scan was performed correctly? For Helm Chart v3.16.2 we already use nginx-privileged:1.25.2-alpine as can be seen here:

```yaml
image:
  repository: public.ecr.aws/sumologic/nginx-unprivileged
  tag: 1.25.2-alpine
  pullPolicy: IfNotPresent
```

@lreed-mdsol

I can corroborate what Rajendra is saying but also add some details as the problem is also in the updated 1.25.2 version.

It seems that public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine also has the newer CVE-2023-4863 / libwebp issue.

A Prisma scan shows this:

- Image: public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine
- ID: sha256:d4de341be3aae88defd0b484928d44ecc5044cbd0295f31086ca885f60ab88d3
- OS distribution: Alpine Linux v3.18
- OS release: 3.18.3
- Digest: sha256:af39a3d5091b93b8afc3420fdc35787d560578486790c1844767374d278014f1
- Start time: Oct 31, 2023 1:16:27 AM (2 days ago)

| Type | Highest severity | Description |
|---|---|---|
| OS | critical | curl (used in libcurl, curl) version 8.2.1-r0 has 2 vulnerabilities |
| OS | high | nghttp2 (used in nghttp2-libs) version 1.55.1-r0 has 1 vulnerability |
| OS | high | libx11 version 1.8.4-r4 has 1 vulnerability |
| OS | high | libwebp version 1.3.1-r0 has 1 vulnerability |

I also just did a trivy scan.

public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine (alpine 3.18.3)

Total: 7 (HIGH: 5, CRITICAL: 2)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| curl | CVE-2023-38545 | CRITICAL | 8.2.1-r0 | 8.4.0-r0 | heap based buffer overflow in the SOCKS5 proxy |
| curl | CVE-2023-38039 | HIGH | 8.2.1-r0 | 8.3.0-r0 | out of heap memory issue due to missing limit on header |
| libcurl | CVE-2023-38545 | CRITICAL | 8.2.1-r0 | 8.4.0-r0 | heap based buffer overflow in the SOCKS5 proxy |
| libcurl | CVE-2023-38039 | HIGH | 8.2.1-r0 | 8.3.0-r0 | out of heap memory issue due to missing limit on header |
| libwebp | CVE-2023-4863 | HIGH | 1.3.1-r0 | 1.3.1-r1 | Heap buffer overflow in WebP Codec |
| libx11 | CVE-2023-43787 | HIGH | 1.8.4-r4 | 1.8.7-r0 | integer overflow in XCreateImage() leading to a heap |
| nghttp2-libs | CVE-2023-44487 | HIGH | 1.55.1-r0 | 1.57.0-r0 | Multiple HTTP/2 enabled web servers are vulnerable to a DDoS |

I don't have an AWS ECR scan handy yet.
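The scan output above is exactly what a CI gate would consume before an image is allowed into the cluster. As an added example (not code from this thread, nor from the Sumo Logic or trivy projects), the following Python reads a trivy JSON report (`trivy image --format json`, whose `Results[].Vulnerabilities[]` layout is assumed here) and decides whether an image passes a severity threshold, with an option to ignore findings that have no fixed package yet. The embedded report is constructed from the findings posted above for `nginx-unprivileged:1.25.2-alpine`, plus one placeholder entry with no fixed version so that path is exercised.

```python
"""Gate a container image on a trivy JSON report.

Added example; not the chart's or trivy's own code. Assumes the
`trivy image --format json` layout: Results[].Vulnerabilities[] with
VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity.
"""
import json
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report mirroring the trivy findings posted in this
# thread for public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine.
# The last entry is a placeholder (not a real CVE) with no fix available.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine",
    "Results": [{
        "Target": "public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine (alpine 3.18.3)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-38545", "PkgName": "curl", "InstalledVersion": "8.2.1-r0", "FixedVersion": "8.4.0-r0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2023-38039", "PkgName": "curl", "InstalledVersion": "8.2.1-r0", "FixedVersion": "8.3.0-r0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-38545", "PkgName": "libcurl", "InstalledVersion": "8.2.1-r0", "FixedVersion": "8.4.0-r0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2023-38039", "PkgName": "libcurl", "InstalledVersion": "8.2.1-r0", "FixedVersion": "8.3.0-r0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-4863", "PkgName": "libwebp", "InstalledVersion": "1.3.1-r0", "FixedVersion": "1.3.1-r1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-43787", "PkgName": "libx11", "InstalledVersion": "1.8.4-r4", "FixedVersion": "1.8.7-r0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-44487", "PkgName": "nghttp2-libs", "InstalledVersion": "1.55.1-r0", "FixedVersion": "1.57.0-r0", "Severity": "HIGH"},
            {"VulnerabilityID": "EXAMPLE-UNFIXED", "PkgName": "example-pkg", "InstalledVersion": "1.0-r0", "FixedVersion": "", "Severity": "MEDIUM"},
        ],
    }],
})


def load_findings(report_json):
    """Flatten a trivy report into unique (CVE, package) findings.

    trivy lists the same CVE once per affected package (curl and libcurl
    above), and a report can contain several Results targets; dedupe on
    the (id, pkg) pair so a finding is counted once per package.
    """
    report = json.loads(report_json)
    seen = {}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            key = (v["VulnerabilityID"], v["PkgName"])
            seen.setdefault(key, {
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
            })
    return list(seen.values())


def gate(findings, min_severity="HIGH", ignore_unfixed=False):
    """Return (blocking_findings, counts_by_severity).

    A finding blocks when its severity is at or above min_severity.
    With ignore_unfixed=True, findings that have no FixedVersion are not
    blocking (the image cannot be rebuilt to clear them yet), but they
    still appear in the counts so they are not silently lost.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    counts = Counter(f["severity"] for f in findings)
    blocking = [
        f for f in findings
        if SEVERITY_RANK.get(f["severity"], 0) >= threshold
        and not (ignore_unfixed and not f["fixed"])
    ]
    return blocking, dict(counts)


def upgrade_targets(findings):
    """Map each package to the fixed versions that would clear its findings."""
    targets = {}
    for f in findings:
        if f["fixed"]:
            targets.setdefault(f["pkg"], set()).add(f["fixed"])
    return {pkg: sorted(versions) for pkg, versions in targets.items()}


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    blocking, counts = gate(found, min_severity="HIGH")
    print("severity counts:", counts)
    for f in blocking:
        print(f"BLOCK {f['severity']:8} {f['id']:16} {f['pkg']} {f['installed']} -> {f['fixed'] or 'no fix'}")
    print("upgrade targets:", upgrade_targets(found))
    raise SystemExit(1 if blocking else 0)
```

Running the block as a script exits non-zero when anything blocks, which is the behaviour a pipeline step wants; the upgrade-target map is what tells you whether a base-image bump (here, Alpine 3.18.4) would actually clear the list.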

@lreed-mdsol commented Nov 2, 2023

It looks like the issues in Alpine were patched in https://alpinelinux.org/posts/Alpine-3.18.4-released.html

main/libwebp: upgrade to 1.3.2
jane400 (1):
main/libwebp: patch CVE-2023-4863

Thanks for looking into this!

@lreed-mdsol commented Nov 2, 2023

Did some more digging.
It looks like the fixes for all but the latest CVEs are in public.ecr.aws/nginx/nginx-unprivileged:1.25-alpine3.18

public.ecr.aws/nginx/nginx-unprivileged:1.25-alpine3.18 (alpine 3.18.4)

Total: 1 (HIGH: 1, CRITICAL: 0)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| libx11 | CVE-2023-43787 | HIGH | 1.8.4-r4 | 1.8.7-r0 | integer overflow in XCreateImage() leading to a heap |

There are other fixes on the way, but they might be delayed:
Update mainline NGINX to 1.25.3 (nginxinc/docker-nginx-unprivileged#167)

It looks like it might take a few days+ to work out the latest changes.

Might it be worthwhile to put in a PR for tag: 1.25-alpine3.18 to get the latest updates if 1.25.3 might be delayed?

@swiatekm self-assigned this Nov 3, 2023

@swiatekm commented Nov 3, 2023

Hey, thank you both for the detailed investigation! I think we should just upgrade to whatever is available, since we wanted to issue new releases this week anyway. Once nginx gets 1.25.3 out, we can upgrade to that one separately.

One somewhat annoying thing about the nginx-unprivileged repository is that most (all?) of the tags move. What I ended up doing is simply rehosting the current 1.25.2-alpine image as 1.25.2-alpine-sumo-1 to indicate the change. My scanner shows the same output as yours @lreed-mdsol for this image.
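Because the upstream tags move, a scan result only really describes a digest, not a tag, and rehosting under a new tag is one way to freeze it. As an added example (not the chart's or Sumo Logic's code), the following Python parses image references, rewrites a tag-only reference into `tag@sha256:...` form using the digest the Prisma scan above reported for `1.25.2-alpine`, and audits a Helm values tree for images that are not digest-pinned. The values tree is constructed to mirror the `image:` snippet quoted earlier in the thread; its optional `digest` key is an assumption of this example, not a documented key of the sumologic-kubernetes-collection chart.

```python
"""Digest pinning for container image references in Helm values.

Added example; not the chart's own code. Reference grammar handled:
[registry[:port]/]repository[:tag][@sha256:<64 hex>].
"""
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Digest the Prisma scan in this thread reported for
# public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine.
NGINX_1_25_2_DIGEST = "sha256:af39a3d5091b93b8afc3420fdc35787d560578486790c1844767374d278014f1"

# Constructed values tree; 'digest' under sidecar.image is an assumed key.
SAMPLE_VALUES = {
    "image": {
        "repository": "public.ecr.aws/sumologic/nginx-unprivileged",
        "tag": "1.25.2-alpine",
        "pullPolicy": "IfNotPresent",
    },
    "sidecar": {
        "image": {
            "repository": "public.ecr.aws/sumologic/nginx-unprivileged",
            "tag": "1.25.2-alpine",
            "digest": NGINX_1_25_2_DIGEST,
        },
    },
}


def parse_image_ref(ref):
    """Split an image reference into repository, tag and digest.

    A colon in the last path component is a tag; a colon before the last
    slash belongs to a registry port (localhost:5000/nginx has no tag).
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.rsplit("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest!r}")
    head, sep, last = ref.rpartition("/")
    tag = None
    if ":" in last:
        last, tag = last.split(":", 1)
    return {"repository": head + sep + last, "tag": tag, "digest": digest}


def is_pinned(ref):
    """True only when the reference carries a content digest."""
    return parse_image_ref(ref)["digest"] is not None


def pin(ref, digest):
    """Return the reference pinned to digest, keeping the tag for readability.

    A runtime resolves 'repo:tag@sha256:...' by the digest; the tag is
    informational, so a moved tag can no longer change what gets pulled.
    """
    if not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest: {digest!r}")
    parts = parse_image_ref(ref)
    if parts["digest"] and parts["digest"] != digest:
        raise ValueError("reference is already pinned to a different digest")
    base = parts["repository"]
    if parts["tag"]:
        base += ":" + parts["tag"]
    return f"{base}@{digest}"


def audit_values(values, path=""):
    """Find image blocks (dicts with 'repository' and 'tag') anywhere in a
    values tree and report (path, reference, pinned) for each.

    The optional 'digest' key is an assumption of this example.
    """
    findings = []
    if isinstance(values, dict):
        if "repository" in values and "tag" in values:
            ref = f"{values['repository']}:{values['tag']}"
            if values.get("digest"):
                ref += "@" + values["digest"]
            findings.append((path or ".", ref, is_pinned(ref)))
        for key, child in values.items():
            findings.extend(audit_values(child, f"{path}.{key}" if path else key))
    elif isinstance(values, list):
        for i, child in enumerate(values):
            findings.extend(audit_values(child, f"{path}[{i}]"))
    return findings


if __name__ == "__main__":
    for path, ref, pinned in audit_values(SAMPLE_VALUES):
        status = "pinned" if pinned else "UNPINNED"
        print(f"{status:9} {path}: {ref}")
        if not pinned:
            print("   suggest:", pin(ref, NGINX_1_25_2_DIGEST))
```

The audit is the check to run on a chart's values before release: an unpinned entry means the scan you attached to that tag may not describe what the cluster pulls tomorrow.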

@lreed-mdsol

Thanks for your help on this!!!
Do you plan to release a new version of the Helm chart soon?

@swiatekm commented Nov 3, 2023

Released 3.17.0 and 4.1.0 containing this fix earlier today.

4 participants