Dotnet-docker: Alpine 3.12 base image vulnerable to CVE-2020-28196

Created on 27 Nov 2020  路  6Comments  路  Source: dotnet/dotnet-docker

Describe the Bug

The current utilised version of Alpine 3.12 is vulnerable to CVE-2020-28196

Alpine report here

Steps to Reproduce

Utilising Trivy, scan any version of the images using alpine 3.12 as the base layer

docker pull mcr.microsoft.com/dotnet/aspnet:3.1.10-alpine3.12
trivy i mcr.microsoft.com/dotnet/aspnet:3.1.10-alpine3.12

Output of trivy scan

2020-11-27T12:18:34.318Z    INFO    Detecting Alpine vulnerabilities...

mcr.microsoft.com/dotnet/aspnet:5.0.0-alpine3.12-amd64 (alpine 3.12.1)
======================================================================
Total: 3 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+--------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+------------+------------------+----------+-------------------+---------------+--------------------------------+
| krb5-libs  | CVE-2020-28196   | HIGH     | 1.18.2-r0         | 1.18.3-r0     | krb5: unbounded recursion      |
|            |                  |          |                   |               | via an ASN.1-encoded           |
|            |                  |          |                   |               | Kerberos message in            |
|            |                  |          |                   |               | lib/krb5/asn.1/asn1_encode.c   |
|            |                  |          |                   |               | may lead...                    |
+------------+------------------+----------+-------------------+---------------+--------------------------------+
| musl       | CVE-2020-28928   | UNKNOWN  | 1.1.24-r9         | 1.1.24-r10    | In musl libc through 1.2.1,    |
|            |                  |          |                   |               | wcsnrtombs mishandles          |
|            |                  |          |                   |               | particular combinations of     |
|            |                  |          |                   |               | destination buffer...          |
+------------+                  +          +                   +               +                                +
| musl-utils |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |
+------------+------------------+----------+-------------------+---------------+--------------------------------+

Output of trivy --version

Version: 0.11.0
Vulnerability DB:
  Type: Light
  Version: 1
  UpdatedAt: 2020-11-27 00:32:09.966028283 +0000 UTC
  NextUpdate: 2020-11-27 12:32:09.966027583 +0000 UTC

Output of docker version

Irrelevant

Output of docker info

Irrelevant

area-dockerfiles bug untriaged

Most helpful comment

Thanks for the info @csMACnz. I've updated all Debian images. Ubuntu images were already rebuilt last Friday and so they already have the latest version. Along with Alpine that I did earlier, that should take care of everything.

All 6 comments

I've rebuilt the Alpine images so that they now contain the fixed version of krb5.

> docker run --rm mcr.microsoft.com/dotnet/aspnet:3.1.10-alpine3.12 /bin/sh -c "apk list | grep krb5-libs"
krb5-libs-1.18.3-r0 x86_64 {krb5} (MIT) [installed]

Please pull the tag again to resolve the issue.

This issue is affecting all images, especially the mcr.microsoft.com/dotnet/runtime-deps:3.1 base image

docker run --rm mcr.microsoft.com/dotnet/runtime-deps:3.1 /bin/sh -c "apt list --installed | grep libkrb5-3"
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
libkrb5-3/now 1.17-3 amd64 [installed,local]

mcr.microsoft.com/dotnet/runtime-deps:3.1 (debian 10.6)
=======================================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 0)

+------------------+------------------+----------+-------------------+----------------+--------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |             TITLE              |
+------------------+------------------+----------+-------------------+----------------+--------------------------------+
| libgssapi-krb5-2 | CVE-2020-28196   | HIGH     | 1.17-3            | 1.17-3+deb10u1 | krb5: unbounded recursion      |
|                  |                  |          |                   |                | via an ASN.1-encoded           |
|                  |                  |          |                   |                | Kerberos message in            |
|                  |                  |          |                   |                | lib/krb5/asn.1/asn1_encode.c   |
|                  |                  |          |                   |                | may lead...                    |
+------------------+                  +          +                   +                +                                +
| libk5crypto3     |                  |          |                   |                |                                |
|                  |                  |          |                   |                |                                |
|                  |                  |          |                   |                |                                |
|                  |                  |          |                   |                |                                |
|                  |                  |          |                   |                |                                |
+------------------+                  +          +                   +                +                                +
| libkrb5-3        |                  |          |                   |                |                                |
|                  |                  |          |                   |                |                                |
|                  |                  |          |                   |                |                                |
|                  |                  |          |                   |                |                                |
|                  |                  |          |                   |                |                                |
+------------------+                  +          +                   +                +                                +
| libkrb5support0  |                  |          |                   |                |                                |
|                  |                  |          |                   |                |                                |
|                  |                  |          |                   |                |                                |
|                  |                  |          |                   |                |                                |
|                  |                  |          |                   |                |                                |
+------------------+------------------+----------+-------------------+----------------+--------------------------------+

Thanks for the info @csMACnz. I've updated all Debian images. Ubuntu images were already rebuilt last Friday and so they already have the latest version. Along with Alpine that I did earlier, that should take care of everything.

Thanks @mthalman , I thought I had pulled latest. Pulled again and a newer version came down, no issues :+1:

What about musl CVE? Will it be also fixed soon? We use alpine image

Can confirm new 3.1.10-alpine3.12 image no longer vulnerable, much appreciated

Was this page helpful?
0 / 5 - 0 ratings

Related issues

williamdenton picture williamdenton  路  6Comments

tonysedniov picture tonysedniov  路  6Comments

galvesribeiro picture galvesribeiro  路  7Comments

twhittakeriq picture twhittakeriq  路  5Comments

TheYorkshireDev picture TheYorkshireDev  路  5Comments