CVE-2018-1000500 on BusyBox 1.31.1 - need new release

[mbwhelan]

Please create a new release/image with BusyBox 1.32.0+ to resolve CVE-2018-1000500

[SuperQ]

The node_exporter does not use wget or the ssl implementation in the busybox included in the default Docker image. The node_exporter also does not exec any external processes.

The only way to exploit this is if you already have a shell in the container.

[discordianfish]

Yeah this shouldn't be a concern for the node-exporter but it could be a concern for other images.
I thought we disabled TLS support in our busybox image but it doesn't look like that's the case.. but we should update either way.

[discordianfish]

Just did some research to follow up on docker-library/busybox#80 I've opened a year ago and it looks this has been fixed in recent busybox versions - but only when linked against openssl.
I still think we shouldn't ship anything that includes a vulnerability like this. Unfortunately that would mean building our own busybox image that either includes openssl or doesn't include https support since upstream doesn't seem to plan to do anything about this.

[roidelapluie]

What is the added value of shipping busybox vs no distro ?

[SuperQ]

We have busybox in our images rather than just FROM scratch to allow attaching a debugging shell.

[roidelapluie]

are we willing to compile busybox ourselves with that ?

[discordianfish]

I think we have the options:

• Compile it ourselves
• Use FROM scratch (at least in k8s, you have ephemeral debug containers these days)
• Use alpine as base image

I think using alpine seems to be the best option, given it's only slightly larger than busybox. It too uses busybox but with working TLS setup:

# wget http://expired.badssl.com
Connecting to expired.badssl.com (104.154.89.105:80)
Connecting to expired.badssl.com (104.154.89.105:443)
ssl_client: expired.badssl.com: certificate verification failed: certificate has expired
wget: error getting response: Connection reset by peer

[SuperQ]

I would prefer we switched to FROM scratch, as we're a widely used package and more overhead multiplies the footprint. But this is a conversation for prometheus-developers, not node_exporter.

[mbwhelan]

For what it is worth: Using Alpine for the base, I've had to release images more frequently take package and OS patches to resolve CVEs.

[SuperQ]

Thanks for the warning. I'm strongly against Alpine as a base for our containers.

[discordianfish]

Another alternative is shipping both regular containers with FROM scratch and busybox based ones with a -debug suffix. But yeah we should discuss on prometheus-developers.

[aquam8]

node-exporter being a daemonset is a very visible pod in a cluster and cannot go unnoticed as far as vulnerabilities and compliancy are concerned.

Thank you very much for your assistance

[SuperQ]

node-exporter 1.1.1 includes the latest busybox.

[aquam8]

Awesome I’ll deploy the new app image thank you!

…

On Mon, 1 Mar 2021 at 6:21 pm, Ben Kochie ***@***.***> wrote: Closed #1937 <#1937>. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#1937 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABMMZ7EIP2G7VL2V2OONA3TBM565ANCNFSM4WOYYD7Q> .