vulnerability in devopsfaith/krakend:1.4.1


Avinash Gupta

Nov 24, 2021, 6:22:19 AM
to KrakenD Community
Hello All,

I am using the devopsfaith/krakend:1.4.1 image in AWS and I am getting the high vulnerabilities below in AWS ECR. Can you please suggest whether you have any images that fix these vulnerabilities, or any way to fix them?



CVE-2021-33574 (glibc:2.28-10, HIGH)
The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

CVE-2019-25013 (glibc:2.28-10, HIGH)
The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.

CVE-2021-3520 (lz4:1.8.3-1, HIGH)
There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.

Albert Lombarte

Nov 24, 2021, 6:35:22 AM
to KrakenD Community, avsh...@gmail.com
Hi Avinash,

The Docker container of the community version is dragging the vulnerabilities from its base image, which is Debian, and this is out of our control. We are aware of this situation, and although these vulnerabilities do not affect the krakend binary, the next version won't use Debian anymore and all the reported vulnerabilities will go away. It's very annoying.

In the meantime, if you don't want to wait a couple of months for the release, you can create your own Dockerfile extending from Alpine (it's tested and works well). You only need to clone the krakend-ce project and replace the Dockerfile with the following content:


# Stage 1: compile KrakenD from the krakend-ce sources on an Alpine-based Go image
FROM golang:1.16.4-alpine3.13 as builder

RUN apk add make gcc musl-dev

COPY . /app
WORKDIR /app

RUN make build


# Stage 2: minimal runtime image that carries only the binary, no Debian packages
FROM alpine:3.13

LABEL maintainer="dor...@devops.faith"

# Unprivileged user plus a default config so the container starts without extra files
RUN apk add ca-certificates && \
adduser -u 1000 -S -D -H krakend && \
mkdir /etc/krakend && \
echo '{ "version": 2 }' > /etc/krakend/krakend.json

COPY --from=builder /app/krakend /usr/bin/krakend

USER krakend

VOLUME [ "/etc/krakend" ]

WORKDIR /etc/krakend

ENTRYPOINT [ "/usr/bin/krakend" ]
CMD [ "run", "-c", "/etc/krakend/krakend.json" ]

EXPOSE 8000 8090


On Wednesday, 24 November 2021 at 12:22:19 UTC+1, avsh...@gmail.com wrote:

Daniel Ortiz

Nov 24, 2021, 6:40:58 AM
to KrakenD Community

Notice that this new Dockerfile already builds KrakenD, so you just need to do a "docker build", no other commands are required.


Avinash Gupta

Nov 24, 2021, 7:25:03 AM
to Daniel Ortiz, KrakenD Community
Do you mean the Dockerfile from the krakend-ce repo or the one which is shared by Albert?

Well, the build is failing when running the Dockerfile content shared by Albert.

[ipacs@telkom krakend-ce]$ docker build -t krakend:test1 .
Sending build context to Docker daemon 1.579 MB
Step 1/14 : FROM golang:1.16.4-alpine3.13 as builder
Error parsing reference: "golang:1.16.4-alpine3.13 as builder" is not a valid repository/tag: invalid reference format



Avinash Gupta

Nov 24, 2021, 7:29:27 AM
to Daniel Ortiz, KrakenD Community
Hi,

Just to inform you, I am using this version:

[ipacs@telkom krakend-ce]$ docker --version
Docker version 1.13.1, build 7d71120/1.13.1


Daniel Ortiz

Nov 24, 2021, 7:32:24 AM
to KrakenD Community

You are using a Docker version from 2017; you should update it to make it work.
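The "invalid reference format" error above is Docker 1.13.1 rejecting the multi-stage syntax (`FROM ... as builder` and `COPY --from=`), which needs Docker 17.05 or newer. The following POSIX shell script is an added example, not from this thread or the KrakenD project; it checks whether a Dockerfile relies on multi-stage features and whether the installed engine is new enough, before anyone runs `docker build`. The function names are my own.

```shell
#!/bin/sh
# Added example: pre-flight check for the multi-stage Dockerfile shared above.
# Multi-stage builds ("FROM ... AS name" / "COPY --from=") require Docker >= 17.05;
# Docker 1.13.1 parses "golang:1.16.4-alpine3.13 as builder" as one image reference and fails.

# Return 0 when the Docker version "$1" (e.g. "1.13.1" or "20.10.7") is >= 17.05.
supports_multistage() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 17 ] && return 0
    [ "$major" -eq 17 ] && [ "$minor" -ge 5 ] && return 0   # "05" compares as 5
    return 1
}

# Installed engine version, e.g. "20.10.7"; empty when docker is not available.
docker_version() {
    docker version --format '{{.Server.Version}}' 2>/dev/null || true
}

# Does the Dockerfile at "$1" use multi-stage features? (case-insensitive, as Docker is)
uses_multistage() {
    grep -Eiq '^FROM[[:space:]]+.+[[:space:]]+AS[[:space:]]+|^COPY[[:space:]]+--from=' "$1"
}

# $1 = Dockerfile path, $2 = Docker version to check (optional; defaults to the local engine).
# Returns 1 with a message on stderr when the build is bound to fail as in the thread.
check_build_env() {
    ver=${2:-$(docker_version)}
    if uses_multistage "$1" && ! supports_multistage "${ver:-0.0}"; then
        echo "Dockerfile '$1' needs multi-stage builds, but Docker ${ver:-(not found)} is older than 17.05" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_build_env.sh Dockerfile   (checks against the running engine)
if [ $# -gt 0 ]; then check_build_env "$1"; fi
```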