Suddenly one day, you realize your current Image is being discovered by Amazon ECR Basic Scan with a series of security holes: 1 CRITICAL, 8 HIGH… What to do @@ ? Then let’s try to read this article to find out how to solve that problem, Gét go!
1 Concepts to know before reading the article
- Amazon ECR Basic Scan : Image vulnerability scanning service is hosted on AWS ECR, using vulnerability data that is public at CVE (so you will often see vulnerabilities AWS finds will be there). key in CVE-year-code format)
- CVE : Short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. To help IT professionals make a concerted effort to prioritize and address these vulnerabilities, to make computer systems more secure.
- LTS : stands for “Long-term support”, is a long-term support policy for software (For example, Linux Mint operating system version 13 is the version of LTS Long-term Support, the time of support. This version support lasts for 3 to 5 years, while version 16 that is not an LTS version will only have a support period of 6 months.)
2 Analysis of vulnerabilities
The image I’m currently using is based on the image php-8.0-fpm-bullseye (OS image: debian:bullseye-slim) so I will learn and analyze the flaws on this image!
Here is an overview of our scanned AWS vulnerabilities:
Ignore (Small problem because it has to do with a special wireless device)Close
Bypass(Slight effect on system architecture)close
| Vulnerability code | Package name | Importance | Debian’s Taxonomy | My conclusion | Status |
|---|---|---|---|---|---|
| CVE-2019-19814 | linux:5.10.127-1 | CRITICAL | no-dsa / Minor issue | Skip | Close |
| CVE-2019-8457 | db5.3:5.3.28+dfsg1-0.8 | HIGHLIGHTS | no-dsa / Minor issue | Skip | Close |
| CVE-2022-24765 | git:1:2.30.2-1 | HIGHLIGHTS | no-dsa / Minor issue | Skip | Close |
| CVE-2022-29187 | git:1:2.30.2-1 | HIGHLIGHTS | no-dsa / Minor issue | Skip | Close |
| CVE-2022-1679 | linux:5.10.127-1 | HIGHLIGHTS | |||
| CVE-2013-7445 | linux:5.10.127-1 | HIGHLIGHTS | ignored / Minor issue, requires invasive changes | Skip | Close |
| CVE-2021-3847 | linux:5.10.127-1 | HIGHLIGHTS | |||
| CVE-2019-15794 | linux:5.10.127-1 | HIGHLIGHTS | (fixed bookworm) | Bypass(Slight effect on system architecture) | Close |
| CVE-2021-39686 | linux:5.10.127-1 | HIGHLIGHTS | (fixed buster,bookworm) | If bullseye doesn’t use kernel 5.15, it’s likely not fixed | Open |
Now let’s go into a detailed analysis of some of the vulnerabilities.
CVE-2019-19814
https://security-tracker.debian.org/tracker/CVE-2019-19814
Because the operating system of the Image I am using is based on Debian bullseye, I will focus the information on bullseye and see the following:
- Status: vulnerable
- Notes: [bullseye] – linux <no-dsa> (Minor issue)
- Fixed version: unfixed
Conclusion : Debian bullseye still has no update to fix this vulnerability , moreover in the rating (Notes) it is tagged as no-dsa (Vulnerability to exploit directly. if there is no intervention on the infra side) -> is assessed as a minor issue (Minor issue) -> cannot be fixed.
In the margins:
Debian will not fix all vulnerabilities submitted to CVE, they will evaluate them first and decide whether to fix or not, here are a few tags used in classification and evaluation:
- postponed : Minor issues are not urgent and can be fixed later. However, there are also cases when LTS doesn’t have a support release=> minor issues pile up and serious problems come back.
- ignored : There is a good and strong reason not to fix
- not-affected : Issues unrelated to respective LTS releases
- no-dsa : A problem that is difficult to exploit directly. Problems do not occur without interference to the infrastructure infra
CVE-2021-3847
https://security-tracker.debian.org/tracker/CVE-2021-3847
- Status: vulnerable
- Notes: no category yet
- Fixed version: unfixed
Conclusion : Debian bullseye has not yet had an update to fix this vulnerability , moreover in the Notes section there is no evaluation -> This vulnerability is a vulnerability at the time of mounting the file system. My current application runs on ECS using s3 and Database Manager -> does not mount the file file system , so the impact is assessed to be small. -> can’t be fixed.
3 Try to update the current system
After evaluating in turn and giving an overview table above, I embarked on trying to upgrade the current system and compare the results.
My current image is based on php-8.0-fpm-bullseye , corresponding to that image, there are some public php version upgrade images as below.
I use trivy and scan 1 time the number of vulnerabilities on each image (here I tag ignore-unfixed to remove the number of vulnerabilities that will not be fixed by the operating system), the results are as below:
- php-8.0-fpm-bullseye: 0
- php-8.0.22-fpm-bullseye: 1
- php-8.0.23-fpm-bullseye: 0
- php-8.1-fpm-bullseye: 0
- php-8.1.10-fpm-bullseye: 0
Therefore、if related to 8.0 then there is php-8.0.23-fpm-bullseye is ok、8.1 then there is php-8.1.10-fpm-bullseye -> Suggest raise 1 of these 2 guys。(new version + k) there are any serious vulnerabilities) . In addition, when upgrading, you also need to re-evaluate the relevant packages to see if they are affected.
References about trivy:
https://medium.com/how-tos/how-to-check-your-docker-images-for-vulnerabilities-287bd61aacc6 https://aquasecurity.github.io/trivy/v0.31.3/
4 Conclusion
In short, after getting a list of the current Image’s security holes, what we need to do is:
- Synthesize the base configuration of the current system such as OS, language verison ….
- Based on current system information, re-evaluate the impact and resolution of current vulnerabilities.
- Start testing and come to the right conclusion
This article I refer to completely at https://zenn.dev/starnishi/scraps/f1578f26951399 when my project is also having the same problem, hope it helps everyone.