Multiple vulnerabilties in glibc Docker containers

[phlax]

There are 3 recent CVEs that appear to affect the glibc version in our Docker containers

• https://nvd.nist.gov/vuln/detail/CVE-2023-4527
• https://nvd.nist.gov/vuln/detail/CVE-2023-4813
• https://nvd.nist.gov/vuln/detail/CVE-2023-4806

I confirmed that our current distroless containers are vulnerable - its likely the case also with the Ubuntu containers (will confirm)

debian/ubuntu refs:

• https://security-tracker.debian.org/tracker/CVE-2023-4527
• https://security-tracker.debian.org/tracker/CVE-2023-4813
• https://security-tracker.debian.org/tracker/CVE-2023-4806
• https://ubuntu.com/security/CVE-2023-4813
• https://ubuntu.com/security/CVE-2023-4527
• https://ubuntu.com/security/CVE-2023-4806

4527 appears to be medium severity and is yet to be confirmed

4813 has fixes for distroless at least - which is already on main - i have raised/updated backports for other branches

if the fix is there for ubuntu that will automatically get updated on next release/s

[phlax]

cc @javabypatel

[phlax]

noting https://nvd.nist.gov/vuln/detail/CVE-2023-0687

[suniltheta]

Update: Seems unrelated, created a new issue #29902

---

I see a NACK thrown in Envoy version v1.27 (very rarely).

failureReason:Error adding/updating listener(s) egress: malformed IP address: 2600:f0f0:0:0:0:0:0:1

As per NACK Envoy couldn't validate that this is a proper IPv6 address which was provided in filter chain match like

         "filter_chain_match": {
          "prefix_ranges": [
           {
            "address_prefix": "127.255.0.1",
            "prefix_len": 32
           },
           {
            "address_prefix": "2600:f0f0:0:0:0:0:0:1",
            "prefix_len": 128
           }
          ],

I believe the IPv6 address validation is done in

envoy/source/common/network/utility.cc

Line 117 in 83e604a

const Api::SysCallIntResult rc = Api::OsSysCallsSingleton::get().getaddrinfo(

---

Given that the CVE's report issue with getaddrinfo function, can I expect that this issue might be related?

[phlax]

incoming issue here GoogleContainerTools/distroless#1420 which is resolved by GoogleContainerTools/distroless#1419

will update the containers when they release (i would expect today)

[phlax]

i have updated the distroless base to latest and have pending backports for it - but just saw ...

GoogleContainerTools/distroless#1422

[loosebazooka]

I think this is actually fine. The latest distroless/base should not have the high critical cve on libc6.

FYI though, we have distroless/base-nossl-debian12 now which I would recommend over debian11 if that works with your builds.

[moderation]

FYI though, we have distroless/base-nossl-debian12 now which I would recommend over debian11 if that works with your builds.

It would be good to bump to this newer Debian 12 version 👍

[phlax]

It would be good to bump to this newer Debian 12 version 👍

my thought had been to wait until this batch of releases is out of the way, altho tbh i dont see any reason we cant upgrade now

[phlax]

PR is here #30029

[marcosrmendezthd]

looks like we've released new versions. wonder why the CVEs were not mentioned in the release notes.

[phlax]

they were alluded to - as these were upstream vulns i thought it less important to list out any issues that were resolved

docker/publishing: Update base images to resolve various glibc vulnerabilities.

https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.27/v1.27.1

and on the release pages

altho just spotted this is missing from the (pending) current changelog

[phlax]

main changelog update is here #30144

[marcosrmendezthd]

ah we're still on 1.26. didn't see it on https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.26/v1.26.5. thanks @phlax

[phlax]

i think it got missed on that branch - trying to improve these workflows atm

[phlax]

(just to clarify - just the changelog was missed)

[phlax]

@javabypatel you can see the current versions that are being used by checking the pins in the Dockerfilie - eg on main

https://github.com/envoyproxy/envoy/blob/main/ci/Dockerfile-envoy

i try to keep these in sync across all branches

in terms of outstanding CVEs these are generally the latest available upstream so incorporate anything currently actionable

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[github-actions]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.