Velero image vulnerability fix #8436

Closed
dbebarta opened this issue Nov 20, 2024 · 8 comments
Comments

@dbebarta

dbebarta commented Nov 20, 2024

The new image of velero has high vulnerabilities of openssl

> grype velero/velero:v1.15.0
 ✔ Loaded image                                                                                     velero/velero:v1.15.0
 ✔ Parsed image                                   sha256:d870f15a96b08d2fd4f46cfd9359824c3d8243c3367ed324fe9ba4fefe988f69
 ✔ Cataloged contents                                    fdef0320f82970b473d02a5313a558eb8b11b32329eba6b2afde0d8cefa94044
   ├── ✔ Packages                        [220 packages]  
   ├── ✔ File digests                    [19 files]  
   ├── ✔ File metadata                   [19 locations]  
   └── ✔ Executables                     [286 executables]  
 ✔ Scanned for vulnerabilities     [43 vulnerability matches]  
   ├── by severity: 3 critical, 16 high, 18 medium, 4 low, 1 negligible (1 unknown)
   └── by status:   38 fixed, 5 not-fixed, 0 ignored 
NAME     INSTALLED          FIXED-IN                                       TYPE    VULNERABILITY   SEVERITY   
libc6    2.35-0ubuntu3.8                                                   deb     CVE-2016-20013  Negligible  
libssl3  3.0.2-0ubuntu1.18                                                 deb     CVE-2024-9143   Low         
libssl3  3.0.2-0ubuntu1.18                                                 deb     CVE-2024-41996  Low         
openssl  3.0.2              1.0.2zk, 1.1.1za, 3.0.15, 3.1.7, 3.2.3, 3.3.2  binary  CVE-2024-5535   Critical    
openssl  3.0.2              1.0.2zf, 1.1.1p, 3.0.4                         binary  CVE-2022-2068   Critical    
openssl  3.0.2              1.0.2ze, 1.1.1o, 3.0.3                         binary  CVE-2022-1292   Critical    
openssl  3.0.2              3.0.15, 3.1.7, 3.2.3, 3.3.2                    binary  CVE-2024-6119   High        
openssl  3.0.2              1.1.1y, 3.0.14, 3.1.6, 3.2.2, 3.3.1            binary  CVE-2024-4741   High        
openssl  3.0.2              3.0.12, 3.1.4                                  binary  CVE-2023-5363   High        
openssl  3.0.2              1.1.1w, 3.0.11, 3.1.3                          binary  CVE-2023-4807   High        
openssl  3.0.2              1.0.2zh, 1.1.1u, 3.0.9, 3.1.1                  binary  CVE-2023-0464   High        
openssl  3.0.2              3.0.8                                          binary  CVE-2023-0401   High        
openssl  3.0.2              1.0.2zg, 1.1.1t, 3.0.8                         binary  CVE-2023-0286   High        
openssl  3.0.2              3.0.8                                          binary  CVE-2023-0217   High        
openssl  3.0.2              3.0.8                                          binary  CVE-2023-0216   High        
openssl  3.0.2              1.0.2zg, 1.1.1t, 3.0.8                         binary  CVE-2023-0215   High        
openssl  3.0.2              1.1.1t, 3.0.8                                  binary  CVE-2022-4450   High        
openssl  3.0.2              3.0.8                                          binary  CVE-2022-3996   High        
openssl  3.0.2              3.0.7                                          binary  CVE-2022-3786   High        
openssl  3.0.2              3.0.7                                          binary  CVE-2022-3602   High        
openssl  3.0.2              3.0.6                                          binary  CVE-2022-3358   High        
openssl  3.0.2              3.0.3                                          binary  CVE-2022-1473   High        
openssl  3.0.2              1.0.2zl, 1.1.1zb, 3.0.16, 3.1.8, 3.2.4, 3.3.3  binary  CVE-2024-9143   Medium      
openssl  3.0.2              3.0.14, 3.1.6, 3.2.2, 3.3.1                    binary  CVE-2024-4603   Medium      
openssl  3.0.2              1.0.2zj, 1.1.1x, 3.0.13, 3.1.5                 binary  CVE-2024-0727   Medium      
openssl  3.0.2              3.0.13, 3.1.5, 3.2.1                           binary  CVE-2023-6237   Medium      
openssl  3.0.2              3.0.13, 3.1.5, 3.2.1                           binary  CVE-2023-6129   Medium      
openssl  3.0.2              1.0.2zj, 1.1.1x, 3.0.13, 3.1.5                 binary  CVE-2023-5678   Medium      
openssl  3.0.2              3.0.10, 3.1.2                                  binary  CVE-2023-3817   Medium      
openssl  3.0.2              1.0.2zi, 1.1.1v, 3.0.10, 3.1.2                 binary  CVE-2023-3446   Medium      
openssl  3.0.2              3.0.10, 3.1.2                                  binary  CVE-2023-2975   Medium      
openssl  3.0.2              1.0.2zh, 1.1.1u, 3.0.9, 3.1.1                  binary  CVE-2023-2650   Medium      
openssl  3.0.2              3.0.9, 3.1.1                                   binary  CVE-2023-1255   Medium      
openssl  3.0.2              1.0.2zh, 1.1.1u, 3.0.9, 3.1.1                  binary  CVE-2023-0466   Medium      
openssl  3.0.2              1.0.2zh, 1.1.1u, 3.0.9, 3.1.1                  binary  CVE-2023-0465   Medium      
openssl  3.0.2              1.0.2zg, 1.1.1t, 3.0.8                         binary  CVE-2022-4304   Medium      
openssl  3.0.2              3.0.8                                          binary  CVE-2022-4203   Medium      
openssl  3.0.2              1.1.1q, 3.0.5                                  binary  CVE-2022-2097   Medium      
openssl  3.0.2              3.0.3                                          binary  CVE-2022-1434   Medium      
openssl  3.0.2              3.0.3                                          binary  CVE-2022-1343   Medium      
openssl  3.0.2              1.1.1y, 3.0.14, 3.1.6, 3.2.2                   binary  CVE-2024-2511   Unknown     
openssl  3.0.2-0ubuntu1.18                                                 deb     CVE-2024-9143   Low         
openssl  3.0.2-0ubuntu1.18                                                 deb     CVE-2024-41996  Low

Can we try to fix them and generate a new image?

@kaovilai
Member

Unless we switch to a different run image, no. And in fact, these are false positives.

openssl 3.0.2 1.0.2zk, 1.1.1za, 3.0.15, 3.1.7, 3.2.3, 3.3.2 binary CVE-2024-5535 Critical

Fixed 3.0.2-0ubuntu1.17, this image uses 3.0.2-0ubuntu1.18

openssl 3.0.2 1.0.2zf, 1.1.1p, 3.0.4 binary CVE-2022-2068 Critical

Fixed 3.0.2-0ubuntu1.5 this image uses 3.0.2-0ubuntu1.18

openssl 3.0.2 1.0.2ze, 1.1.1o, 3.0.3 binary CVE-2022-1292 Critical

Fixed 3.0.2-0ubuntu1.1, this image uses 3.0.2-0ubuntu1.18

The latest jammy:v0.2.55 also contains similar false positives.

kaovilai closed this as not planned on Nov 21, 2024

@blackpiglet
Contributor

We used the trivy and BlackDuck to scan the images, and no such high and critical CVEs were found.
I think the reason is grype didn't recognize the correct OpenSSL version involved in the Ubuntu Jammy image.
From the v0.2.52's build recipe file, the included OpenSSL version is 3.0.2-0ubuntu1.18, not 3.0.2.

https://github.com/paketo-buildpacks/jammy-tiny-stack/releases/download/v0.2.52/jammy-tiny-stack-0.2.52-amd64-build-receipt.cyclonedx.json

      "bom-ref": "pkg:deb/ubuntu/[email protected]?arch=amd64&upstream=openssl&distro=ubuntu-22.04&package-id=5f2fab720655414a",
      "type": "library",
      "publisher": "Ubuntu Developers <[email protected]>",
      "name": "libssl-dev",
      "version": "3.0.2-0ubuntu1.18",
      "licenses": [
        { "license": { "id": "Apache-2.0" } },
        { "license": { "id": "GPL-1.0-only" } },
        { "license": { "id": "GPL-1.0-or-later" } },
        { "license": { "name": "Artistic" } }
      ],
      "cpe": "cpe:2.3:a:libssl-dev:libssl-dev:3.0.2-0ubuntu1.18:*:*:*:*:*:*:*",
      "purl": "pkg:deb/ubuntu/[email protected]?arch=amd64&upstream=openssl&distro=ubuntu-22.04",

@kaovilai
Member

grype correctly detected 3.0.2-0ubuntu1.18 as shown in user output above.
It did however also detect the binary and thought it's the unpatched 3.0.2

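As an added triage helper (not code from this issue, from Velero or from grype), the script below parses grype's table output and pairs each `binary` match, which grype keys on the bare upstream version read from the executable, with the same-named `deb` package whose version string carries the distro revision, so a reviewer can check the distro's changelog before treating the binary match as a real finding. The sample rows are constructed from the table above.

```python
"""Triage grype's table output for an Ubuntu-based image: pair each 'binary'
match (keyed on the bare upstream version grype read from the executable) with
the 'deb' package of the same name, whose version string carries the distro
revision that may already include the backported fix."""
import re

# Constructed sample, modelled on the grype table earlier in this issue.
SAMPLE = """\
NAME     INSTALLED          FIXED-IN                                       TYPE    VULNERABILITY   SEVERITY
libssl3  3.0.2-0ubuntu1.18                                                 deb     CVE-2024-9143   Low
openssl  3.0.2              1.0.2zk, 1.1.1za, 3.0.15, 3.1.7, 3.2.3, 3.3.2  binary  CVE-2024-5535   Critical
openssl  3.0.2              1.0.2zf, 1.1.1p, 3.0.4                         binary  CVE-2022-2068   Critical
openssl  3.0.2-0ubuntu1.18                                                 deb     CVE-2024-9143   Low
"""

# Columns: NAME INSTALLED [FIXED-IN] TYPE VULNERABILITY SEVERITY; FIXED-IN may be blank.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(.*?)\s*(deb|binary)\s+(CVE-\d{4}-\d+)\s+(\S+)\s*$")
# Debian-style package version: <upstream>-<distro revision>, e.g. 3.0.2-0ubuntu1.18
DEB_VERSION = re.compile(r"^(?P<upstream>[^-]+)-(?P<revision>\S+)$")

def parse_rows(text):
    """Return one dict per data row of a grype table; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, installed, fixed_in, kind, cve, sev = m.groups()
            rows.append({"name": name, "installed": installed, "fixed_in": fixed_in,
                         "type": kind, "cve": cve, "severity": sev})
    return rows

def triage(rows):
    """Map (name, cve) -> verdict. A binary match whose version equals the upstream
    part of a deb package with the same name is flagged for manual verification
    against the distro's security tracker instead of being reported as-is."""
    deb_versions = {}
    for r in rows:
        m = DEB_VERSION.match(r["installed"]) if r["type"] == "deb" else None
        if m:
            deb_versions[r["name"]] = (m.group("upstream"), r["installed"])
    verdicts = {}
    for r in rows:
        upstream, full = deb_versions.get(r["name"], (None, None))
        if r["type"] == "binary" and r["installed"] == upstream:
            verdicts[(r["name"], r["cve"])] = f"verify: binary match on bare {upstream}, distro package is {full}"
        else:
            verdicts[(r["name"], r["cve"])] = f"{r['type']} match, {r['severity']}"
    return verdicts

if __name__ == "__main__":
    for (name, cve), verdict in triage(parse_rows(SAMPLE)).items():
        print(f"{name:8} {cve:15} {verdict}")
```

Run it against `grype <image> -o table` output saved to a file to get the same verdict list for a real scan; a "verify" verdict is a prompt to check the distro changelog, not a conclusion that the CVE is fixed.
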
@kaovilai
Member

I think there are enhancements to be done for jammy to eliminate this false positive.

@dbebarta
Author

@kaovilai after the enhancements from jammy, will velero also need to be updated with jammy's new image?

@kaovilai
Member

Yes but I'm not sure if they'll ever do it cause it'll increase image size and only accommodates one scanner that you used. Other scanners were said to be smarter and do not have this issue.

@kaovilai
Member

@dbebarta in the meantime, try using snyk instead. It does not contain false positives like grype.

❯ snyk container test velero/velero:v1.15.0 

Testing velero/velero:v1.15.0...

✗ Low severity vulnerability found in openssl/libssl3
  Description: CVE-2024-41996
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2204-OPENSSL-7838287
  Introduced through: openssl/[email protected], ca-certificates@20240203~22.04.1, [email protected]
  From: openssl/[email protected]
  From: ca-certificates@20240203~22.04.1 > [email protected] > openssl/[email protected]
  From: [email protected]
  and 1 more...

✗ Low severity vulnerability found in glibc/libc6
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2204-GLIBC-2801292
  Introduced through: glibc/[email protected], [email protected], zlib/zlib1g@1:1.2.11.dfsg-2ubuntu9.2, ca-certificates@20240203~22.04.1
  From: glibc/[email protected]
  From: [email protected] > glibc/[email protected]
  From: zlib/zlib1g@1:1.2.11.dfsg-2ubuntu9.2 > glibc/[email protected]
  and 2 more...

Organization:      kaovilai
Package manager:   deb
Project name:      docker-image|velero/velero
Docker image:      velero/velero:v1.15.0
Platform:          linux/arm64
Licenses:          enabled

Tested 8 dependencies for known issues, found 2 issues.

Snyk wasn’t able to auto detect the base image, use `--file` option to get base image remediation advice.
Example: $ snyk container test velero/velero:v1.15.0 --file=path/to/Dockerfile

To remove this message in the future, please run `snyk config set disableSuggestions=true`

-------------------------------------------------------

Testing velero/velero:v1.15.0...

Organization:      kaovilai
Package manager:   gomodules
Target file:       /usr/bin/restic
Project name:      github.com/restic/restic
Docker image:      velero/velero:v1.15.0
Licenses:          enabled

✔ Tested 261 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing velero/velero:v1.15.0...

Organization:      kaovilai
Package manager:   gomodules
Target file:       /velero
Project name:      github.com/vmware-tanzu/velero
Docker image:      velero/velero:v1.15.0
Licenses:          enabled

✔ Tested 876 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing velero/velero:v1.15.0...

Organization:      kaovilai
Package manager:   gomodules
Target file:       /velero-helper
Project name:      github.com/vmware-tanzu/velero
Docker image:      velero/velero:v1.15.0
Licenses:          enabled

✔ Tested velero/velero:v1.15.0 for known issues, no vulnerable paths found.


Tested 4 projects, 1 contained vulnerable paths.

Please also track grype fix at anchore/grype#520
