Skip to content

Critical CVE-2024-32002 and CVE-2024-3817 in Trivy Scan #13291

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
alexander-dammeier opened this issue May 16, 2024 · 5 comments · Fixed by #13299
Closed

Critical CVE-2024-32002 and CVE-2024-3817 in Trivy Scan #13291

alexander-dammeier opened this issue May 16, 2024 · 5 comments · Fixed by #13299
Assignees
@coadler
Labels
security Area: security

Comments

@alexander-dammeier
Copy link

alexander-dammeier commented May 16, 2024
edited
Loading

Hello!

We test coder for a high security environment but we are not allowed to use your images as they contain critical CVEs (see trivy scans below). Unfortunately this CVEs are also in your latest images of the stable (2.10.2) and mainline (2.11.0) release trains.

(scans are filtered by High and critical CVEs)

ghcr.io/coder/coder:v2.10.2 (alpine 3.19.1)
===========================================
Total: 3 (HIGH: 2, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                   Title                    │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ git     │ CVE-2024-32002 │ CRITICAL │ fixed  │ 2.43.0-r0         │ 2.43.4-r0     │ git: Recursive clones RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32002 │
│         ├────────────────┼──────────┤        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32004 │ HIGH     │        │                   │               │ git: RCE while cloning local repos         │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32004 │
│         ├────────────────┤          │        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32465 │          │        │                   │               │ git: additional local RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32465 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

usr/local/bin/terraform (gobinary)
==================================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cloudflare/circl    │ GHSA-9763-4f94-gfch │ HIGH     │ fixed  │ v1.3.3            │ 1.3.7         │ CIRCL's Kyber: timing side-channel (kyberslash2)             │
│                                │                     │          │        │                   │               │ https://github.com/advisories/GHSA-9763-4f94-gfch            │
├────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817       │ CRITICAL │        │ v1.7.3            │ 1.7.4         │ HashiCorp\u2019s go-getter library is vulnerable to argument │
│                                │                     │          │        │                   │               │ injection ...                                                │
│                                │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
└────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘


ghcr.io/coder/coder:v2.11.0 (alpine 3.19.1)
===========================================
Total: 3 (HIGH: 2, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                   Title                    │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ git     │ CVE-2024-32002 │ CRITICAL │ fixed  │ 2.43.0-r0         │ 2.43.4-r0     │ git: Recursive clones RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32002 │
│         ├────────────────┼──────────┤        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32004 │ HIGH     │        │                   │               │ git: RCE while cloning local repos         │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32004 │
│         ├────────────────┤          │        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32465 │          │        │                   │               │ git: additional local RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32465 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

usr/local/bin/terraform (gobinary)
==================================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cloudflare/circl    │ GHSA-9763-4f94-gfch │ HIGH     │ fixed  │ v1.3.3            │ 1.3.7         │ CIRCL's Kyber: timing side-channel (kyberslash2)             │
│                                │                     │          │        │                   │               │ https://github.com/advisories/GHSA-9763-4f94-gfch            │
├────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817       │ CRITICAL │        │ v1.7.3            │ 1.7.4         │ HashiCorp\u2019s go-getter library is vulnerable to argument │
│                                │                     │          │        │                   │               │ injection ...                                                │
│                                │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
└────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
@coder-labeler coder-labeler bot added the security Area: security label May 16, 2024
@MrPeacockNLB
Copy link
Contributor

MrPeacockNLB commented May 16, 2024
edited
Loading

This is a good time to ask for images from scratch for enterprise users. CVE-2024-3817 is introduced via installing terraform with apk (/usr/local/bin/terraform) and the other one is CVE-2024-32002 also with apk installing git client. Is there a reason why the images are alpine based?

For security reason it would be nice if we can get rid of wget and curl in the images too. It enables attackers to download other stuff.

Maybe there should be to different images. One for Coder Server and one for ProvisionerD (inclunding needed terraform) binary.

@alexander-dammeier
Copy link
Author

alexander-dammeier commented May 16, 2024
edited
Loading

In the meantime I tried to update terraform and git myself.
Git was no problem via apk.

Terraform seems to be no longer available in apk (but opentofu is), so I just replaced the binary with a newer version from github. Unfortunately there is no newer terraform version which is officially supported by coder.
Even worse is that terraform 1.7.5 also has this critical CVE. Terraform 1.8.3 is fine but to jump up two minor versions seems a little bit risky to me.

I hope there will be a fixed version of terraform 1.6 and 1.7 soon.

@coadler coadler self-assigned this May 16, 2024
@coadler coadler mentioned this issue May 16, 2024
Merged
@coadler
Copy link
Contributor

coadler commented May 16, 2024

@MrPeacockNLB

This is a good time to ask for images from scratch for enterprise users. CVE-2024-3817 is introduced via installing terraform with apk (/usr/local/bin/terraform)

Terraform was removed from Alpine, so we manage that ourselves now. There was ambiguity for a while as to whether or not we were allowed to upgrade to versions released under BSL, but we're now working our way towards the latest Terraform release. I think we'll be caught up to 1.8.x by Coder 2.12.

the other one is CVE-2024-32002 also with apk installing git client. Is there a reason why the images are alpine based?

Alpine doesn't really have much to do with this. The Git CVEs were only announced two days ago and patches are available in Alpine as of yesterday. Our last release was last week, hence why it wasn't included.

I'll have a patch out later today addressing the Git RCEs. Thanks @alexander-dammeier for bringing this to our attention.

@MrPeacockNLB
Copy link
Contributor

@coadler using a distro (even if it is only the small alpine) raises the attacksurface. Just from security point of view it would be the best practicse to use from scratch for the image.

Thanks for fixing issues!

@coadler
Copy link
Contributor

coadler commented May 16, 2024

https://github.com/coder/coder/releases/tag/v2.11.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@coadler coadler

Labels
security Area: security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: update git -> 2.43.4 and terraform -> 1.7.5 coder/coder
3 participants
@coadler @alexander-dammeier @MrPeacockNLB