Critical vulnerabilities on keydb 6.3.4 image #880

Open
diecgia opened this issue Nov 21, 2024 · 6 comments
Comments

@diecgia
diecgia commented Nov 21, 2024

Hi,
The keydb 6.3.4 image is affected by the following critical vulnerabilities:
CVE-2024-24790, CVE-2023-24540, CVE-2023-24538, CVE-2022-23806

Would it be possible to update the image to fix these vulnerabilities?

Thanks for your help

@keithchew
Hmm, the CVEs above are for golang, but keydb uses cpp/c?

@diecgia
diecgia commented Nov 25, 2024

Yes, but these vulnerabilities are on the eqalpha/keydb:latest image, which uses ubuntu 20.04.

@keithchew
keithchew commented Nov 25, 2024

I do not use keydb's image, but have built my own (also based on ubuntu 20.04). I cannot see go installed by default:

NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"

# go
bash: go: command not found

Can you confirm if the CVEs only affect keydb's image and not ubuntu 20.04 based images?

@diecgia
diecgia commented Nov 25, 2024

The CVEs only affect keydb's image; I have scanned the ubuntu image and it doesn't have these vulnerabilities.
It's probably some of the dependencies installed in the dockerfile.

@keithchew
Ah indeed. I can see in machamp_scripts/Dockerfile:

# use gosu for easy step-down from root: https://github.com/tianon/gosu/releases
ENV GOSU_VERSION 1.14
RUN set -eux; \
        savedAptMark="$(apt-mark showmanual)"; \
        apt-get update; \
        apt-get -o Dpkg::Options::="--force-confnew" install -y --no-install-recommends ca-certificates dirmngr gnupg wget; \
        rm -rf /var/lib/apt/lists/*; \
        dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
        wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \

Likely that is the dependency that is running an older version of go. For those who can build their own image, perhaps you can try a later version using GOSU_VERSION...

@diecgia
diecgia commented Nov 25, 2024

Yes, the vulnerabilities are for this package. I built an image from ubuntu installing gosu 1.17, and CVE-2022-23806 is fixed, but it's still affected by the other critical vulnerabilities. The following issue has been created in gosu: tianon/gosu#136
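An added example, not code from this thread or from the KeyDB or gosu projects: a small Python triage check for the Go toolchain version embedded in a static binary such as gosu, which is what makes an otherwise C/C++ image carry Go CVEs. It reads the Go 1.18+ build-info header (where the version string is stored inline) and falls back to a string-search heuristic for older layouts; the sample binary bytes and the minimum version used for comparison are constructed here.

```python
import re

BUILDINFO_MAGIC = b"\xff Go buildinf:"  # 14-byte magic written by the Go linker
FLAG_INLINE_STRINGS = 0x2               # Go >= 1.18: version string follows the header
HEADER_SIZE = 32
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")


def read_uvarint(data: bytes, pos: int):
    """Decode a Go-style unsigned varint at data[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def go_version_from_binary(data: bytes):
    """Return the Go toolchain version embedded in a Go binary, or None if absent."""
    idx = data.find(BUILDINFO_MAGIC)
    if idx == -1 or len(data) < idx + HEADER_SIZE:
        return None  # no Go build info: most likely not a Go binary at all
    flags = data[idx + 15]
    if flags & FLAG_INLINE_STRINGS:
        length, pos = read_uvarint(data, idx + HEADER_SIZE)
        return data[pos:pos + length].decode("ascii", "replace")
    # Pre-1.18 layout stores only a pointer to the string here, so fall back to
    # a string-search heuristic (fine for triage, not a full build-info parser).
    match = GO_VERSION_RE.search(data)
    return match.group(0).decode() if match else None


def is_older_than(version: str, minimum: str) -> bool:
    """Compare 'go1.X.Y' strings numerically; a missing patch level counts as 0."""
    def key(v):
        parts = [int(p) for p in (v[2:] if v.startswith("go") else v).split(".")]
        return tuple(parts + [0] * (3 - len(parts)))
    return key(version) < key(minimum)


# Constructed sample: junk, then a Go 1.18+ build-info block (ptrSize=8,
# flags=0x02 inline strings), a length-prefixed version and an empty modinfo.
SAMPLE_BINARY = (
    b"\x7fELF" + b"\x00" * 20
    + BUILDINFO_MAGIC + bytes([8, 0x02]) + b"\x00" * 16
    + bytes([len(b"go1.18.10")]) + b"go1.18.10" + b"\x00"
    + b"trailing data"
)

if __name__ == "__main__":
    found = go_version_from_binary(SAMPLE_BINARY)
    print("embedded toolchain:", found)
    print("older than go1.21.0 (constructed baseline):", is_older_than(found, "go1.21.0"))
```

Running it against a real file means reading the binary with `open(path, "rb").read()`; compare the result against the fixed Go version listed in each CVE's advisory rather than the constructed baseline above.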