Security Vulnerabilities in getsentry/snuba:24.12.1 #6718

Open
beninabox opened this issue Jan 7, 2025 · 1 comment · May be fixed by #6719

Comments

@beninabox

Hi,

Our company has recently performed a security vulnerability scan of the getsentry/snuba:24.12.1 image published to Docker Hub. A number of critical and high vulnerabilities were found, specifically in the Debian base image inherited from the python 3.11.8 image.

The below is an excerpt from Docker Scout.

## Packages and Vulnerabilities

```
   2C     1H     0M     0L  expat 2.5.0-1
pkg:deb/debian/expat@2.5.0-1?os_distro=bookworm&os_name=debian&os_version=12

    ✗ CRITICAL CVE-2024-45492
      https://scout.docker.com/v/CVE-2024-45492
      Affected range : <2.5.0-1+deb12u1
      Fixed version  : 2.5.0-1+deb12u1

    ✗ CRITICAL CVE-2024-45491
      https://scout.docker.com/v/CVE-2024-45491
      Affected range : <2.5.0-1+deb12u1
      Fixed version  : 2.5.0-1+deb12u1

    ✗ HIGH CVE-2024-45490
      https://scout.docker.com/v/CVE-2024-45490
      Affected range : <2.5.0-1+deb12u1
      Fixed version  : 2.5.0-1+deb12u1


   1C     1H     0M     0L  krb5 1.20.1-2+deb12u1
pkg:deb/debian/krb5@1.20.1-2%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

    ✗ CRITICAL CVE-2024-37371
      https://scout.docker.com/v/CVE-2024-37371
      Affected range : <1.20.1-2+deb12u2
      Fixed version  : 1.20.1-2+deb12u2

    ✗ HIGH CVE-2024-37370
      https://scout.docker.com/v/CVE-2024-37370
      Affected range : <1.20.1-2+deb12u2
      Fixed version  : 1.20.1-2+deb12u2


   1C     0H     1M     0L  python-jose 3.3.0
pkg:pypi/python-jose@3.3.0

    ✗ CRITICAL CVE-2024-33663 [Use of a Broken or Risky Cryptographic Algorithm]
      https://scout.docker.com/v/CVE-2024-33663
      Affected range : <=3.3.0
      Fixed version  : not fixed
      CVSS Score     : 9.3
      CVSS Vector    : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

    ✗ MEDIUM CVE-2024-33664 [Uncontrolled Resource Consumption]
      https://scout.docker.com/v/CVE-2024-33664
      Affected range : <=3.3.0
      Fixed version  : not fixed
      CVSS Score     : 5.3
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L


   0C     1H     1M     0L  redis 4.5.4
pkg:pypi/redis@4.5.4

    ✗ HIGH CVE-2023-31655
      https://scout.docker.com/v/CVE-2023-31655
      Affected range : =4.5.4
      Fixed version  : not fixed

    ✗ MEDIUM CVE-2023-28859
      https://scout.docker.com/v/CVE-2023-28859
      Affected range : <5.0.0b1
      Fixed version  : 5.0.0b1
```

(Note: the above is an excerpt; there are more.)

It seems that many of these exist within the Debian base image, inherited from python 3.11.8. Any chance we can migrate to a later base image version? Either 3.11.11-slim-bookworm (if we prefer to move only patch versions, though this still leaves one high vulnerability), or 3.13.1-slim-bookworm (to leave only low vulnerabilities). Our security consultant has identified that some of the critical vulnerabilities that exist at the moment are exploitable in a container context.

I'm happy to update the Dockerfile and raise a pull request to save some time; let me know which version of the base image would be preferable.

Thanks!

@getsantry getsantry bot moved this to Waiting for: Product Owner in GitHub Issues with 👀 3 Jan 7, 2025
@untitaker
Member

Hello, I think we're OK with the proposed changes to the 3.11 base image, if it helps you. However, if there is an actual security vulnerability, please follow our disclosure process rather than posting in public.

A 3.13 upgrade may be more involved, as it might require code changes, Python dependency upgrades and additional changes to other CI jobs to keep the version in sync everywhere. We are happy to accept patches for those things, but I don't think it's worth it to achieve your goal.

@getsantry getsantry bot removed the status in GitHub Issues with 👀 3 Jan 7, 2025
@beninabox beninabox linked a pull request Jan 7, 2025 that will close this issue