
I have a Docker base image which, when uploaded to the Quay image repository, gives the vulnerability pyup.io-43366 (CVE-2021-43818).

The base image is

FROM quay/registry.redhat.io/rhel7:latest
MAINTAINER Me

LABEL description="Application runtime image" \
      name="Image name" \
      version="1.0"

ENV LANG en_US.UTF-8

RUN yum-config-manager \
    && yum -y install java-11-openjdk \
    && yum -y clean all
CMD ["/bin/bash"]

Is there any way I can overcome this vulnerability?

2 Answers


  1. "stop using latest" — "what tag should I give?"

    First, you can list tags from rhel7, using the regclient project from Brandon Mitchell (sudo-bmitch, top contributor on Stack Overflow), with:

    alias dr='docker run -it --rm'
    # on Windows
    doskey dr=docker run -it --rm $*

    dr regclient/regctl:latest tag ls registry.access.redhat.com/rhel7 |
      grep -Ev '(source|[0-9][0-9][0-9][0-9])'

    (on Windows: grep -Ev (source^|[0-9][0-9][0-9][0-9]): note the ^)

    Second, I do not see CVE-2021-43818 in latest, using anchore/grype:

    docker run anchore/grype:latest registry.access.redhat.com/rhel7:latest | grep 2021
    

    The closest is CVE-2021-3541, a flaw found in libxml2-python.

    In your case, considering lxml 4.6.5 includes a fix for CVE-2021-43818, you would need an image with lxml 4.6.5+.

    If that image does not exist yet, you could docker build your own, starting FROM registry.access.redhat.com/rhel7:7.9 and adding the right libxml, and publish it to Quay.

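The two checks this answer walks through (pick a pinned rhel7 tag instead of latest, then make sure the image's lxml is at or past the fixed version) as a script. This is an added example, not code from the answer, from regclient or from grype; the tag listing and the image name it uses are constructed stand-ins, and the on-image version check assumes the image has a python with lxml importable.

```bash
#!/usr/bin/env bash
# Added example, not code from the answer nor from the regclient or grype
# projects. It reproduces the two checks the answer describes, on constructed
# sample data so it runs offline:
#   1. pick a pinned rhel7 tag instead of "latest" from a tag listing
#   2. decide whether an image's lxml is at or past the fix version (4.6.5)
set -eu

# Constructed stand-in for `regctl tag ls registry.access.redhat.com/rhel7`
# output. These tag names are illustrative, not a real listing.
sample_tags() {
    printf '%s\n' latest 7.9 7.9-1234 7.8 7.9-source 7.7 7.9-20211207 source
}

# The answer's filter: drop "source" tags and build-stamped tags (any run of
# four digits), leaving only the short version tags. Reads tags on stdin.
filter_tags() {
    grep -Ev '(source|[0-9][0-9][0-9][0-9])' || true
}

# Highest version tag among the filtered ones, "latest" excluded, so the
# Dockerfile can say FROM registry.access.redhat.com/rhel7:<tag>.
# Uses sort -V (GNU/FreeBSD sort) for version ordering.
pick_pinned_tag() {
    filter_tags | grep -v '^latest$' | sort -V | tail -n 1
}

# Version of lxml that fixes CVE-2021-43818, as stated in the answer.
FIXED_LXML=4.6.5

# Exit 0 when version $1 is >= FIXED_LXML, 1 otherwise (version ordering,
# so 4.7.1 counts as fixed and 4.6.4 does not).
lxml_is_fixed() {
    local lowest
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_LXML" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_LXML" ]
}

# Ask a built image which lxml it ships (needs docker and a python with lxml
# inside the image; not exercised offline). Usage: image_lxml_version myimage:1.0
image_lxml_version() {
    docker run --rm "$1" python -c 'from lxml import etree; print(etree.__version__)'
}

# Stand-alone run: show the chosen tag and the verdict for a few versions.
echo "pinned tag: $(sample_tags | pick_pinned_tag)"
for v in 3.2.1 4.6.4 4.6.5 4.7.1; do
    if lxml_is_fixed "$v"; then echo "lxml $v: fixed"; else echo "lxml $v: vulnerable"; fi
done
```

With the real listing, replace sample_tags with the regctl pipeline from the answer; the point of pick_pinned_tag is that the tag you put in FROM is the one you verified, so a later rebuild cannot silently pull a different base.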
  2. Red Hat provides this information describing how the issue affects different product versions.

    As described in the aforementioned link, it seems that no mitigation is provided:

    Mitigation for this issue is either not available or the currently
    available options do not meet the Red Hat Product Security criteria
    comprising ease of use and deployment, applicability to widespread
    installation base or stability.

    In the specific use case of Red Hat Enterprise Linux 7, they indicate the product is "Out of support scope":

    When a product is listed as "Out of Support Scope", it means a
    vulnerability with the impact level assigned to this CVE is no longer
    covered by its current support lifecycle phase. The product has
    been identified to contain the impacted component, but analysis to
    determine whether it is affected or not by this vulnerability was not
    performed. The product should be assumed to be affected. Customers are
    advised to apply any mitigation options documented on this page, consider
    removing or disabling the impacted component, or upgrade to a supported
    version of the product that has an update available.

    This may explain, as VonC indicated in his question, why Grype doesn’t report the problem.

    If you need your image just for running Java, one thing you could try is removing the dependency, but I am afraid it is required by other libraries, so probably it will not work.

    Please, take my words with caution because it entirely depends on your actual use case, but you may "safely" use your image as well. From the cited docs again:

    This flaw is rated as Moderate because code execution is limited to the web
    browser scope.

    In fact, Red Hat itself provides similar images with the same problem.

    Finally, if using Red Hat is not a strict requirement, you can choose another Java distribution such as OpenJDK or AdoptOpenJDK. For example:

    docker pull openjdk:11.0.14.1-jdk
    
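The answer's "remove the dependency" route comes with the warning that other packages may need it. Before ripping the package out of the image, that can be checked with rpm's reverse-dependency query; the script below is an added example, not code from the answer or from Red Hat. It assumes the flagged lxml is the RHEL 7 RPM python-lxml, and the two rpm outputs it runs on offline are constructed samples.

```bash
#!/usr/bin/env bash
# Added example, not code from the answer or from Red Hat. The answer suggests
# removing the flagged dependency but warns other packages may need it; this
# script turns that worry into a check. Offline parts run on constructed
# rpm output.
set -eu

# Assumption: the flagged lxml is the RHEL 7 RPM "python-lxml".
PKG=${PKG:-python-lxml}

# Reads `rpm -q --whatrequires $PKG` output on stdin and prints the packages
# that would break if $PKG were removed, one per line. rpm prints
# "no package requires <pkg>" (and exits 1) when nothing depends on it; that
# line is not a package, so it is dropped.
removal_blockers() {
    grep -v '^no package requires' || true
}

# Exit 0 if nothing on stdin blocks removal, 1 otherwise.
can_remove() {
    [ -z "$(removal_blockers)" ]
}

# Same check inside an image (needs docker; not exercised offline).
# Only direct dependents are listed; `yum remove --assumeno $PKG` inside the
# image shows the full transaction yum would perform, transitive removals included.
image_removal_blockers() {
    { docker run --rm "$1" rpm -q --whatrequires "$PKG" || true; } | removal_blockers
}

# Constructed sample outputs standing in for what rpm prints.
SAMPLE_FREE='no package requires python-lxml'
SAMPLE_USED='some-tool-1.2-3.el7.noarch
other-lib-0.9-1.el7.x86_64'

# Stand-alone run over both samples.
for sample in "$SAMPLE_FREE" "$SAMPLE_USED"; do
    if printf '%s\n' "$sample" | can_remove; then
        echo "$PKG: removable"
    else
        echo "$PKG: required by: $(printf '%s\n' "$sample" | removal_blockers | tr '\n' ' ')"
    fi
done
```

If image_removal_blockers prints nothing for your built image, a `RUN yum -y remove python-lxml` in the Dockerfile is a cheap way to make the finding go away; if it prints yum or rpm tooling, the answer's pessimism is justified and pinning a fixed base or switching to the openjdk image is the better path.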