Docker-nginx: nginx:alpine CVE-2020-24977

Created on 18 Sep 2020  路  18Comments  路  Source: nginxinc/docker-nginx

Hello,
nginx:1.19.2-alpine is affected by CVE-2020-24977, from libxml2

We detected this issue today using trivy.

Most helpful comment

@allanchua101 When I rebuild the image locally, vulnerabilities are no longer detected.

What I would like to understand is, how would a new image release could be triggered without a code/Dockerfile change, and what the version of such an image would be?

All 18 comments

After a few tests, upgrading to alpine 3.12.0 fixes the CVE

nginx:1.19.2-alpine is using alpine 3.12, so I guess this is fixed?

Well sorry about that, it turns out that 3.12 does not fix the CVE

The vulnerability isn't in the alpine layer - libxml2 is installed during the apk add libxslt-dev during the build for the nginx image. Doing that apk add now installs libxml2 2.9.10-r5 which has the fix for CVE-2020-24977 instead of the vulnerable 2.9.10-r4 version of libxml2, so probably rebuilding the image would fix it?

Makes sense, I guess that's why my home built image would pass the security scan. What would be the process to make suche rebuilt image official?

CVE-2020-8169 and CVE-2020-8177 are now also reported for libcurl / curl.

Does anybody have a sample dockerfile to resolve this issue?

@allanchua101 When I rebuild the image locally, vulnerabilities are no longer detected.

What I would like to understand is, how would a new image release could be triggered without a code/Dockerfile change, and what the version of such an image would be?

Tnx @NicolasFloquet! You are superman :D I figured out that I utilized 1.19.0 which have 3 vulnerabilities. Tnx!

What I would like to understand is, how would a new image release could be triggered without a code/Dockerfile change, and what the version of such an image would be?

Tags in the library file are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:jessie would be rebuilt when debian:jessie is built). Only what is in the library file will be rebuilt when a base has updates.

- https://github.com/docker-library/official-images/tree/c88a72bc11ef231ba20731491647f1e9b58e450b#library-definition-files

So, the tag, like nginx:1.19.2-alpine, would be overwritten if the alpine:3.12 image is updated.


Note that, unfortunately, the alpine:3.x images seem to only be updated when the vulnerability is in packages included in the base image and they then make a patch release (like https://github.com/docker-library/official-images/pull/7867); see the changes in official-image PRs with the library/alpine label. On the other hand, all active debian:[suite] images are regenerated at least on a monthly basis (see also that last few paragraphs of our faq section on CVEs).

@allanchua101 When I rebuild the image locally, vulnerabilities are no longer detected.

What I would like to understand is, how would a new image release could be triggered without a code/Dockerfile change, and what the version of such an image would be?

Hi @NicolasFloquet, could you please share the commands that run on your dockerfile to get the image rebuild locally?

According to the releases feed on http://nginx.org/, nginx mainline 1.19.3 was released 2020-09-29.

Presumably, an updated image would include the latest libxml among other changes, resolving this CVE.

Thanks for notifying me @jeremyhayes!!

Thanks @NicolasFloquet for bringing me here. Do we know when the images be updated?

@JfrogPrasanna @jeremyhayes i've created pull request for Nginx version bump

Will be fixed really once https://github.com/docker-library/official-images/pull/8838 is merged.

Thanks @NicolasFloquet !

I just pulled nginx:1.19-alpine and confirmed tag refers to same as nginx:1.19.3-alpine. Ran image through our security scanning tool which validated that the CVE is resolved and libxml is updated to r5. Confirmed all good on dockerhub now.

Fixed on my side too:

nginx:1.19.3-alpine (alpine 3.12.0)
===================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Was this page helpful?
0 / 5 - 0 ratings