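--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -31,7 +31,13 @@ RUN chmod +x ./wait-for.sh
 RUN ln -s /opal/wait-for.sh /usr/wait-for.sh
 
 # netcat (nc) is used by the wait-for.sh script
-RUN apt-get update && apt-get install -y netcat-traditional jq wget && apt-get clean
+# Upgrade security-sensitive packages to fix CVEs:
+# - libexpat1: CVE-2024-45491, CVE-2024-45492 (integer overflow)
+# - libkrb5-3, libgssapi-krb5-2: CVE-2024-37371 (invalid memory reads)
+RUN apt-get update && \
+apt-get install -y netcat-traditional jq wget && \
+apt-get upgrade -y libexpat1 libkrb5-3 libgssapi-krb5-2 && \
+apt-get clean && rm -rf /var/lib/apt/lists/*
 
 # copy startup script (create link at old path to maintain backward compatibility)
 COPY ./scripts/start.sh .
@@ -185,7 +191,10 @@ USER opal
 # ---------------------------------------------------
 FROM common AS server
 
-RUN apt-get update && apt-get install -y openssh-client git && apt-get clean
+# Install git and upgrade to fix CVE-2024-32002 (RCE via malicious submodules)
+RUN apt-get update && apt-get install -y openssh-client git && \
+apt-get upgrade -y git && \
+apt-get clean && rm -rf /var/lib/apt/lists/*
 RUN git config --global core.symlinks false # Mitigate CVE-2024-32002
 
 USER opal
@@ -284,8 +293,12 @@ RUN pip install --no-cache-dir --upgrade pip && pip install --no-cache-dir -r ./
 FROM python:3.10-alpine AS common-alpine
 RUN rm -r /usr/local/lib/python3.10/site-packages || true
 COPY --from=build-stage-alpine /usr/local /usr/local
-RUN adduser -D -h /opal -s /bin/bash opal && apk add --no-cache bash netcat-openbsd jq wget
-RUN apk add --no-cache libssh2 http-parser
+# Install packages and upgrade security-sensitive ones to fix CVEs:
+# - expat: CVE-2024-45491, CVE-2024-45492 (integer overflow)
+# - krb5-libs: CVE-2024-37371 (invalid memory reads)
+RUN adduser -D -h /opal -s /bin/bash opal && \
+apk add --no-cache bash netcat-openbsd jq wget libssh2 http-parser && \
+apk upgrade --no-cache expat krb5-libs
 WORKDIR /opal
 COPY scripts/wait-for.sh .
 RUN chmod +x ./wait-for.sh
@@ -357,7 +370,12 @@ USER opal
 # SERVER IMAGE (ALPINE) -----------------------------
 # ---------------------------------------------------
 FROM common-alpine AS server-alpine
-RUN apk add --no-cache openssh-client git libssh2
+# Install and upgrade packages to fix CVEs:
+# - git: CVE-2024-32002 (RCE via malicious submodules)
+# - expat: CVE-2024-45491, CVE-2024-45492 (integer overflow)
+# - krb5-libs: CVE-2024-37371 (invalid memory reads)
+RUN apk add --no-cache openssh-client git libssh2 && \
+apk upgrade --no-cache git expat krb5-libs
 RUN git config --global core.symlinks false
 USER opal
 ARG TRUST_POLICY_REPO_HOST_SSH_FINGERPRINT="true"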
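Review bot: `apt-get upgrade -y libexpat1 libkrb5-3 libgssapi-krb5-2`, and likewise `apt-get upgrade -y git` and the two `apk upgrade --no-cache ...` lines, install whatever the base image's repositories happen to offer at build time and exit 0 when nothing newer is available, so nothing in the build verifies that the CVE-fixing versions named in the new comments were actually installed and the comments can silently become false. To make the claim checkable, pin the fixed release explicitly (`apt-get install -y libexpat1=<fixed-version>` / `apk add --no-cache expat=<fixed-version>`), or bump the base-image tag or digest to a build that already carries the fixes and drop the upgrade lines, which is also what hadolint DL3005 asks for; in either case an image scan after the build should confirm the listed CVE IDs no longer report. The `apk upgrade --no-cache git expat krb5-libs` in the server-alpine stage repeats the expat/krb5-libs upgrade already done in common-alpine and can be reduced to `apk upgrade --no-cache git`. Separately, the context line `RUN git config --global core.symlinks false` that the comments rely on as the CVE-2024-32002 mitigation runs while the stage is still root, before `USER opal`, so it lands in root's ~/.gitconfig rather than under the `opal` home created with `-h /opal`; presumably git run as opal does not see it, and `git config --system core.symlinks false` would apply to every user. Both server stages continue past the end of their hunks, so any later `USER`/`HOME` changes that might affect this are not visible here.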