The current utilised version of Alpine 3.12 is vulnerable to CVE-2020-28196
Alpine report here
Utilising Trivy, scan any version of the images using alpine 3.12 as the base layer
docker pull mcr.microsoft.com/dotnet/aspnet:3.1.10-alpine3.12
trivy i mcr.microsoft.com/dotnet/aspnet:3.1.10-alpine3.12
2020-11-27T12:18:34.318Z INFO Detecting Alpine vulnerabilities...
mcr.microsoft.com/dotnet/aspnet:5.0.0-alpine3.12-amd64 (alpine 3.12.1)
======================================================================
Total: 3 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+------------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------+------------------+----------+-------------------+---------------+--------------------------------+
| krb5-libs | CVE-2020-28196 | HIGH | 1.18.2-r0 | 1.18.3-r0 | krb5: unbounded recursion |
| | | | | | via an ASN.1-encoded |
| | | | | | Kerberos message in |
| | | | | | lib/krb5/asn.1/asn1_encode.c |
| | | | | | may lead... |
+------------+------------------+----------+-------------------+---------------+--------------------------------+
| musl | CVE-2020-28928 | UNKNOWN | 1.1.24-r9 | 1.1.24-r10 | In musl libc through 1.2.1, |
| | | | | | wcsnrtombs mishandles |
| | | | | | particular combinations of |
| | | | | | destination buffer... |
+------------+ + + + + +
| musl-utils | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+------------+------------------+----------+-------------------+---------------+--------------------------------+
trivy --versionVersion: 0.11.0
Vulnerability DB:
Type: Light
Version: 1
UpdatedAt: 2020-11-27 00:32:09.966028283 +0000 UTC
NextUpdate: 2020-11-27 12:32:09.966027583 +0000 UTC
docker versionIrrelevant
docker infoIrrelevant
I've rebuilt the Alpine images so that they now contain the fixed version of krb5.
> docker run --rm mcr.microsoft.com/dotnet/aspnet:3.1.10-alpine3.12 /bin/sh -c "apk list | grep krb5-libs"
krb5-libs-1.18.3-r0 x86_64 {krb5} (MIT) [installed]
Please pull the tag again to resolve the issue.
This issue is affecting all images, especially the mcr.microsoft.com/dotnet/runtime-deps:3.1 base image
docker run --rm mcr.microsoft.com/dotnet/runtime-deps:3.1 /bin/sh -c "apt list --installed | grep libkrb5-3"
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
libkrb5-3/now 1.17-3 amd64 [installed,local]
mcr.microsoft.com/dotnet/runtime-deps:3.1 (debian 10.6)
=======================================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 0)
+------------------+------------------+----------+-------------------+----------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------------+------------------+----------+-------------------+----------------+--------------------------------+
| libgssapi-krb5-2 | CVE-2020-28196 | HIGH | 1.17-3 | 1.17-3+deb10u1 | krb5: unbounded recursion |
| | | | | | via an ASN.1-encoded |
| | | | | | Kerberos message in |
| | | | | | lib/krb5/asn.1/asn1_encode.c |
| | | | | | may lead... |
+------------------+ + + + + +
| libk5crypto3 | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+------------------+ + + + + +
| libkrb5-3 | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+------------------+ + + + + +
| libkrb5support0 | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+------------------+------------------+----------+-------------------+----------------+--------------------------------+
Thanks for the info @csMACnz. I've updated all Debian images. Ubuntu images were already rebuilt last Friday and so they already have the latest version. Along with Alpine that I did earlier, that should take care of everything.
Thanks @mthalman , I thought I had pulled latest. Pulled again and a newer version came down, no issues :+1:
What about musl CVE? Will it be also fixed soon? We use alpine image
Can confirm new 3.1.10-alpine3.12 image no longer vulnerable, much appreciated
Most helpful comment
Thanks for the info @csMACnz. I've updated all Debian images. Ubuntu images were already rebuilt last Friday and so they already have the latest version. Along with Alpine that I did earlier, that should take care of everything.