
Trivy security scan detects a CRITICAL vulnerability in latest Docker image. #7445

Closed
tunguyen9889 opened this issue Aug 2, 2021 · 16 comments

@tunguyen9889

Q&A (please complete the following information)

  • OS: Docker image
  • Version: swaggerapi/swagger-ui:latest, swaggerapi/swagger-ui:v3.51.2, swaggerapi/swagger-ui:v4.0.0-beta.2

Content & configuration

Describe the bug you're encountering

The security vulnerability about nodejs has been reported in:

Alpine and nodejs have released a bug fix on 2021-07-29 with version 14.17.4-r0:

To reproduce...

Steps to reproduce the behavior: Run Trivy scan as below:

➜  ~ docker run --rm aquasec/trivy:latest --exit-code 0 --severity HIGH,CRITICAL swaggerapi/swagger-ui:v3.51.2

You will see the result like this:

2021-08-02T07:56:35.496Z        INFO    Need to update DB
2021-08-02T07:56:35.496Z        INFO    Downloading DB...
2021-08-02T07:56:42.227Z        INFO    Detected OS: alpine
2021-08-02T07:56:42.227Z        INFO    Detecting Alpine vulnerabilities...
2021-08-02T07:56:42.228Z        INFO    Number of language-specific files: 0

swaggerapi/swagger-ui:v3.51.2 (alpine 3.13.5)
=============================================
Total: 6 (HIGH: 5, CRITICAL: 1)

+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
| curl      | CVE-2021-22901   | HIGH     | 7.76.1-r0         | 7.77.0-r0     | curl: Use-after-free in               |
|           |                  |          |                   |               | TLS session handling when             |
|           |                  |          |                   |               | using OpenSSL TLS backend             |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22901 |
+-----------+                  +          +                   +               +                                       +
| libcurl   |                  |          |                   |               |                                       |
|           |                  |          |                   |               |                                       |
|           |                  |          |                   |               |                                       |
|           |                  |          |                   |               |                                       |
+-----------+------------------+          +-------------------+---------------+---------------------------------------+
| libgcrypt | CVE-2021-33560   |          | 1.8.7-r0          | 1.8.8-r0      | libgcrypt: mishandles ElGamal         |
|           |                  |          |                   |               | encryption because it lacks           |
|           |                  |          |                   |               | exponent blinding to address a...     |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-33560 |
+-----------+------------------+          +-------------------+---------------+---------------------------------------+
| libxml2   | CVE-2021-3517    |          | 2.9.10-r6         | 2.9.10-r7     | libxml2: Heap-based buffer overflow   |
|           |                  |          |                   |               | in xmlEncodeEntitiesInternal()        |
|           |                  |          |                   |               | in entities.c                         |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3517  |
+           +------------------+          +                   +               +---------------------------------------+
|           | CVE-2021-3518    |          |                   |               | libxml2: Use-after-free in            |
|           |                  |          |                   |               | xmlXIncludeDoProcess() in xinclude.c  |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3518  |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
| nodejs    | CVE-2021-22930   | CRITICAL | 14.16.1-r1        | 14.17.4-r0    | nodejs: use-after-free on             |
|           |                  |          |                   |               | close http2 on stream canceling       |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22930 |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+

Expected behavior

Trivy security scan should not print out any HIGH or CRITICAL vulnerabilities.

@char0n
Member

char0n commented Aug 2, 2021

Hi @tunguyen9889,

Thanks for reporting this. Can I ask you to follow our security policy guidelines next time you report similar issues? Thanks!

We'll update nginx:1.19-alpine to nginx:1.21.1-alpine, which is using alpine:3.14.0, which should contain the fix for CVE-2021-22930 introduced 3 days ago.

@char0n char0n self-assigned this Aug 2, 2021
@char0n char0n added the labels cat: security and security vulnerability (Security vulnerability detected by WhiteSource) Aug 2, 2021
@tunguyen9889
Author

tunguyen9889 commented Aug 2, 2021

Hi @char0n,

Thanks for your quick response! And sorry for missing the guideline for security reports. I will take note and follow the process next time.

Anyway, you might need to make sure this step https://github.com/swagger-api/swagger-ui/blob/master/Dockerfile#L7 will install the latest nodejs version 14.17.4-r0, which fixed CVE-2021-22930.

Best,

@char0n
Member

char0n commented Aug 2, 2021

Anyway, you might need to make sure this step https://github.com/swagger-api/swagger-ui/blob/master/Dockerfile#L7 will install the latest nodejs version 14.17.4-r0, which fixed CVE-2021-22930.

Yep, already tested, and after the next release this will be auto-fixed.

REPOSITORY                         TAG                 IMAGE ID            CREATED             SIZE
nginx                              1.19-alpine         a64a6e03b055        3 months ago        22.6MB
$ docker container run a64a6e03b055 apk --no-cache add nodejs
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
(1/4) Installing c-ares (1.17.1-r1)
(2/4) Installing libgcc (10.2.1_pre1-r3)
(3/4) Installing libstdc++ (10.2.1_pre1-r3)
(4/4) Installing nodejs (14.17.4-r0)
Executing busybox-1.32.1-r6.trigger
OK: 62 MiB in 46 packages

So we should be fine just by releasing the new versions this week.

@char0n
Member

char0n commented Aug 9, 2021

Damn,

$ docker run --rm aquasec/trivy:latest --exit-code 0 --severity HIGH,CRITICAL swaggerapi/swagger-ui:v3.52.0

Node 14.16.1-r1 still gets installed. The --no-cache option has no effect when we build the image.

@tunguyen9889
Author

tunguyen9889 commented Aug 10, 2021

Yeah, we had to force-update nodejs in our custom image to avoid it:

RUN apk update && apk add --no-cache nodejs=14.17.4-r0

I think we can enforce the version like this https://superuser.com/a/1058665

apk add "nodejs>=14.17.4-r0"

@char0n
Member

char0n commented Aug 10, 2021

So the Dockerfile commands will be:

RUN apk add "nodejs>=14.17.4-r0"
RUN apk update && apk add --no-cache nodejs=14.17.4-r0

right?

@tunguyen9889
Author

The Dockerfile command will be:

RUN apk update && apk add --no-cache "nodejs>=14.17.4-r0"

@char0n
Member

char0n commented Aug 10, 2021

Thanks! Will try this in the next release.

@char0n
Member

char0n commented Aug 11, 2021

Tested on the latest v4 release:

$ docker run --rm aquasec/trivy:latest --exit-code 0 --severity HIGH,CRITICAL swaggerapi/swagger-ui:v4.0.0-beta.3

[screenshot of Trivy output]

We're looking fine. Next time the v3 gets released this will be fixed. Thanks for collaborating on the fix!

@char0n
Member

char0n commented Sep 10, 2021

The original error reported in this issue is gone in swagger-ui@4.0.0-rc.0; the same applies to swagger-ui@3.52.1 (which is just being released).

But we have additional HIGH and CRITICAL issues already reported in nodejs=14.17.4-r0.

Unfortunately the command RUN apk update && apk add --no-cache "nodejs>=14.17.4-r0" always installs nodejs=14.17.4-r0. It would be ideal if the command always installed the latest available nodejs version from the 14.x.y series. Any suggestions?

[screenshot of Trivy output]

@tunguyen9889
Author

We had a hack in our internal image to force-upgrade all packages to the latest version using this command:

RUN apk -U upgrade --no-cache

@char0n
Member

char0n commented Sep 13, 2021

Made the following change to our Dockerfile (cd0f56c):

FROM nginx:1.21-alpine

RUN apk update && apk add --no-cache "nodejs>=14.17.6-r0"

Released this change as swaggerapi/swagger-ui:v4.0.0-rc.1

Running

$ docker run --rm aquasec/trivy:latest --exit-code 0 --severity HIGH,CRITICAL swaggerapi/swagger-ui:v4.0.0-rc.1

gives me the following output:

[screenshot of Trivy output]


So we're looking fine. I'll do the same changes in v3 release, and we'll be finally able to close this issue.
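The problem worked through in this thread is that the image build quietly kept nodejs 14.16.1-r1 even after the fixed 14.17.4-r0 was in the Alpine repositories, and only a later Trivy scan caught it. The script below is an added example, not code from the swagger-ui project or from this issue: it compares Alpine `X.Y.Z-rN` package versions and fails the build when the installed package is below the version that carries the fix. `apk_vercmp`, `version_is_fixed`, `apk_require_min` and the `/tmp/apk-guard.sh` path are assumed names; the comparison handles numeric components only, not suffixes such as `_pre1`.

```shell
#!/bin/sh
# Build-time guard for Alpine images (added example, not the project's code).
# Alpine package versions look like "14.17.4-r0": a dotted numeric base and
# an optional "-rN" package release. Letters/suffixes are not handled here.

# Compare two Alpine package versions. Prints -1, 0 or 1 (like strcmp).
apk_vercmp() {
  a_base=${1%-r*}; b_base=${2%-r*}
  a_rel=0; b_rel=0
  [ "$a_base" != "$1" ] && a_rel=${1##*-r}
  [ "$b_base" != "$2" ] && b_rel=${2##*-r}
  i=1
  while :; do
    # Trailing "." guarantees cut sees a delimiter; missing fields read as 0.
    x=$(printf '%s.\n' "$a_base" | cut -d. -f"$i")
    y=$(printf '%s.\n' "$b_base" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && break
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    i=$((i + 1))
  done
  if [ "$a_rel" -lt "$b_rel" ]; then printf '%s\n' -1
  elif [ "$a_rel" -gt "$b_rel" ]; then printf '%s\n' 1
  else printf '%s\n' 0; fi
}

# Exit status 0 when installed ($1) is at least the fixed version ($2).
version_is_fixed() {
  [ "$(apk_vercmp "$1" "$2")" -ge 0 ]
}

# Read the installed version of package $1 from apk and fail (non-zero exit)
# if it is below $2. Assumption: runs inside the Alpine image being built.
# Dockerfile usage (assumed script path):
#   RUN apk update && apk add --no-cache "nodejs>=14.17.6-r0" \
#    && sh /tmp/apk-guard.sh nodejs 14.17.6-r0
apk_require_min() {
  installed=$(apk info -v 2>/dev/null | sed -n "s/^$1-\([0-9][^ ]*\)$/\1/p" | head -n 1)
  if [ -z "$installed" ]; then
    echo "guard: $1 is not installed" >&2; return 1
  fi
  if version_is_fixed "$installed" "$2"; then
    echo "guard: $1 $installed >= $2 ok"
  else
    echo "guard: $1 $installed is below fixed version $2" >&2; return 1
  fi
}

if [ "$#" -eq 2 ]; then apk_require_min "$@"; fi
```

Because the guard exits non-zero, the `docker build` itself fails instead of shipping an image that the next Trivy scan would flag.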

@char0n
Member

char0n commented Sep 13, 2021

Results for v3:

$ docker run --rm aquasec/trivy:latest --exit-code 0 --severity HIGH,CRITICAL swaggerapi/swagger-ui:v3.52.2

[screenshot of Trivy output]

Closing the issue as it has been resolved for now. @tunguyen9889 thanks for the collaboration on this!

@char0n
Member

char0n commented Sep 13, 2021

SwaggerEditor@4.x is now green as well:

$ docker run --rm aquasec/trivy:latest --exit-code 0 --severity HIGH,CRITICAL swaggerapi/swagger-editor:v4.0.0-rc.0

[screenshot of Trivy output]

@char0n
Member

char0n commented Sep 13, 2021

Swagger Editor@3.x is now green as well:

$ docker run --rm aquasec/trivy:latest --exit-code 0 --severity HIGH,CRITICAL swaggerapi/swagger-editor:v3.18.2

[screenshot of Trivy output]

@tunguyen9889
Author

Thanks @char0n for the fixes!
