Docker-nginx: Security vulnerabilities in 1.20-alpine and 1.21-alpine

Created on 2 Jun 2021  路  9Comments  路  Source: nginxinc/docker-nginx

Hi, today scanned images based on 1.20-alpine and 1.21-alpine reporting some vulnerabilities related do curl:

High: CVE-2021-22901
Medium: CVE-2021-22898

Those applies to both 1.20-alpine and 1.21-alpine, didn't checked other versions.

Most helpful comment

It seems like the alpine version doesn't even need to be updated. Alpine's version of curl is at 7.77. This could be fixed by building the image with apk add --upgrade --no-cache curl instead of apk add --no-cache curl

All 9 comments

Let's wait for alpine linux base image to fix this issue. Both dont seem to be any bad for intented curl usage inside this image.

It seems that is already fixed and waiting for alpine release: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12706

Looks like the Alpine base image has been updated. I think the Nginx image just needs to be rebuilt and published. This would resolve issue #553 as well I believe.

My bad. I guess you're right. I assumed, instead of looking, because Trivy isn't returning these CVE's when I run it against alpine:latest. But they're definitely firing off for nginx:alpine.

Hi @thresheek, alpine 3.14 has been released, could be updated in 1.21 and 1.20 also.
https://www.alpinelinux.org/posts/Alpine-3.14.0-released.html

@thresheek I've created a PR to bump alpine version to 3.14, could you please do a review ?

hi @meldafrawi it doesnt make sense yet as alpine3.14-based images cannot be built for docker library: https://github.com/docker-library/haproxy/issues/163

It seems like the alpine version doesn't even need to be updated. Alpine's version of curl is at 7.77. This could be fixed by building the image with apk add --upgrade --no-cache curl instead of apk add --no-cache curl

Was this page helpful?
0 / 5 - 0 ratings