CVE-2024-6119 is fixed upstream but -chiseled images have not been updated

[skolima]

Describe the Bug

CVE-2024-6119 is fixed upstream but -chiseled images have not been updated. dotnet-sdk images (non-chiseled) have been recreated after upstream released a fix and are no longer affected. Ubuntu CVE information: https://ubuntu.com/security/CVE-2024-6119

Steps to Reproduce

Trivy/Aquascanner output

Vulnerability CVE-2024-6119

Severity: MEDIUM

Package: openssl

Fixed Version: 3.0.13-0ubuntu3.4

Link: [CVE-2024-6119](https://avd.aquasec.com/nvd/cve-2024-6119)

Issue summary: Applications performing certificate name checks (e.g., TLS

clients checking server certificates) may attempt to read an invalid memory

address resulting in abnormal termination of the application process.

 

Impact summary: Abnormal termination of an application can a cause a denial of

service.

 

Applications performing certificate name checks (e.g., TLS clients checking

server certificates) may attempt to read an invalid memory address when

comparing the expected name with an `otherName` subject alternative name of an

X.509 certificate. This may result in an exception that terminates the

application program.

 

Note that basic certificate chain validation (signatures, dates, ...) is not

affected, the denial of service can occur only when the application also

specifies an expected DNS name, Email address or IP address.

 

TLS servers rarely solicit client certificates, and even when they do, they

generally don't perform a name check against a reference identifier (expected

identity), but rather extract the presented identity after checking the

certificate chain.  So TLS servers are generally not affected and the severity

of the issue is Moderate.

 

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.",

                "markdown": "**Vulnerability CVE-2024-6119**

| Severity | Package | Fixed Version | Link |

| --- | --- | --- | --- |

|MEDIUM|openssl|3.0.13-0ubuntu3.4|[CVE-2024-6119]([https://avd.aquasec.com/nvd/cve-2024-6119)|](https://avd.aquasec.com/nvd/cve-2024-6119)%7C)

 

Issue summary: Applications performing certificate name checks (e.g., TLS

clients checking server certificates) may attempt to read an invalid memory

address resulting in abnormal termination of the application process.

 

Impact summary: Abnormal termination of an application can a cause a denial of

service.

 

Applications performing certificate name checks (e.g., TLS clients checking

server certificates) may attempt to read an invalid memory address when

comparing the expected name with an `otherName` subject alternative name of an

X.509 certificate. This may result in an exception that terminates the

application program.

 

Note that basic certificate chain validation (signatures, dates, ...) is not

affected, the denial of service can occur only when the application also

specifies an expected DNS name, Email address or IP address.

 

TLS servers rarely solicit client certificates, and even when they do, they

generally don't perform a name check against a reference identifier (expected

identity), but rather extract the presented identity after checking the

certificate chain.  So TLS servers are generally not affected and the severity

of the issue is Moderate.

 

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

,

Other Information

Output of docker version

docker version

Client:

Version:           27.2.0

API version:       1.47

Go version:        go1.21.13

Git commit:        3ab4256

Built:             Tue Aug 27 14:17:17 2024

OS/Arch:           windows/amd64

Context:           desktop-linux

 

Server: Docker Desktop 4.34.1 (166053)

Engine:

  Version:          27.2.0

  API version:      1.47 (minimum version 1.24)

  Go version:       go1.21.13

  Git commit:       3ab5c7d

  Built:            Tue Aug 27 14:15:15 2024

  OS/Arch:          linux/amd64

  Experimental:     false

containerd:

  Version:          1.7.20

  GitCommit:        8fc6bcff51318944179630522a095cc9dbf9f353

runc:

  Version:          1.1.13

  GitCommit:        v1.1.13-0-g58aa920

docker-init:

  Version:          0.19.0

  GitCommit:        de40ad0

Output of docker info

docker info

Client:

Version:    27.2.0

Context:    desktop-linux

Debug Mode: false

Plugins:

  buildx: Docker Buildx (Docker Inc.)

    Version:  v0.16.2-desktop.1

    Path:     C:\Program Files\Docker\cli-plugins\docker-buildx.exe

  compose: Docker Compose (Docker Inc.)

    Version:  v2.29.2-desktop.2

    Path:     C:\Program Files\Docker\cli-plugins\docker-compose.exe

  debug: Get a shell into any image or container (Docker Inc.)

    Version:  0.0.34

    Path:     C:\Program Files\Docker\cli-plugins\docker-debug.exe

  desktop: Docker Desktop commands (Alpha) (Docker Inc.)

    Version:  v0.0.15

    Path:     C:\Program Files\Docker\cli-plugins\docker-desktop.exe

  dev: Docker Dev Environments (Docker Inc.)

    Version:  v0.1.2

    Path:     C:\Program Files\Docker\cli-plugins\docker-dev.exe

  extension: Manages Docker extensions (Docker Inc.)

    Version:  v0.2.25

    Path:     C:\Program Files\Docker\cli-plugins\docker-extension.exe

  feedback: Provide feedback, right in your terminal! (Docker Inc.)

    Version:  v1.0.5

    Path:     C:\Program Files\Docker\cli-plugins\docker-feedback.exe

  init: Creates Docker-related starter files for your project (Docker Inc.)

    Version:  v1.3.0

    Path:     C:\Program Files\Docker\cli-plugins\docker-init.exe

  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)

    Version:  0.6.0

    Path:     C:\Program Files\Docker\cli-plugins\docker-sbom.exe

  scout: Docker Scout (Docker Inc.)

    Version:  v1.13.0

    Path:     C:\Program Files\Docker\cli-plugins\docker-scout.exe

 

Server:

Containers: 1

  Running: 0

  Paused: 0

  Stopped: 1

Images: 7

Server Version: 27.2.0

Storage Driver: overlay2

  Backing Filesystem: extfs

  Supports d_type: true

  Using metacopy: false

  Native Overlay Diff: true

  userxattr: false

Logging Driver: json-file

Cgroup Driver: cgroupfs

Cgroup Version: 2

Plugins:

  Volume: local

  Network: bridge host ipvlan macvlan null overlay

  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog

Swarm: inactive

Runtimes: io.containerd.runc.v2 nvidia runc

Default Runtime: runc

Init Binary: docker-init

containerd version: 8fc6bcff51318944179630522a095cc9dbf9f353

runc version: v1.1.13-0-g58aa920

init version: de40ad0

Security Options:

  seccomp

   Profile: unconfined

  cgroupns

Kernel Version: 5.15.153.1-microsoft-standard-WSL2

Operating System: Docker Desktop

OSType: linux

Architecture: x86_64

CPUs: 32

Total Memory: 15.5GiB

Name: docker-desktop

ID: 89a001b3-8488-4d8b-8c25-5c23b6facab0

Docker Root Dir: /var/lib/docker

Debug Mode: false

HTTP Proxy: http.docker.internal:3128

HTTPS Proxy: http.docker.internal:3128

No Proxy: hubproxy.docker.internal

Labels:

  com.docker.desktop.address=npipe://\\.\pipe\docker_cli

Experimental: false

Insecure Registries:

  hubproxy.docker.internal:5555

  [127.0.0.0/8](http://127.0.0.0/8)

Live Restore Enabled: false

 

WARNING: daemon is not using the default seccomp profile

[lbussell]

Hi @skolima, please refer to the Image Update Policy for this. Currently, we only re-build images in response to base image updates and critical severity CVEs. As Chiseled is a "distroless" image, it has no base image that can be updated. NIST has no official CVSS score for CVE-2024-6119 yet, and I see a mix of medium and high scores from other reports. So we won't likely re-build images for this CVE alone.

The thinking is that consumers of these images would be able to apply updates themselves if they deemed their app susceptible to a specific vulnerability. That prevents too many unnecessary downstream rebuilds. However, Ubuntu Chiseled currently provides limited support for extending or updating images. There is ongoing work on the Ubuntu side to address this (tracked here and here). We're open to feedback on whether we need to change our approach for distroless images until we have better guidance for updating packages. I suspect we haven't got too many reports of non-critical CVEs in Chiseled images because the attack surface is fundamentally so much smaller.

Unrelated to all of that, you should expect images to be re-built tomorrow as part of Patch Tuesday. So be on the look out for an updated base image.

[lbussell]

These images have now been re-built. I checked and don't see CVE-2024-6119 after scanning mcr.microsoft.com/dotnet/runtime-deps:8.0-noble-chiseled with aquasec/trivy, so I'm going to close this as completed.