
latest mongo:3.6.23-xenial contains a number of CVE's caught upon scanning on Amazon ECR #468

Closed
hperera-jd opened this issue Apr 26, 2021 · 1 comment
Labels
question Usability question, not directly related to an error with the image

Comments

@hperera-jd

The following vulnerabilities were shown when the image was scanned with the AWS ECR tool. Could these be false positives? Why does such a list of vulnerabilities show up?

| Name | Package | Severity | Description |
|---|---|---|---|
| CVE-2016-1585 | apparmor:2.10.95-0ubuntu2.11 | MEDIUM | In all versions of AppArmor mount rules are accidentally widened when compiled. |
| CVE-2020-13844 | gcc-5:5.4.0-6ubuntu1~16.04.12 | MEDIUM | Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka "straight-line speculation." |
| CVE-2020-13844 | gccgo-6:6.0.1-0ubuntu1 | MEDIUM | Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka "straight-line speculation." |
| CVE-2016-4074 | jq:1.5+dfsg-1ubuntu0.1 | MEDIUM | The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. |
| CVE-2019-19246 | libonig:5.9.6-1ubuntu0.1 | MEDIUM | Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c. |
| CVE-2019-19203 | libonig:5.9.6-1ubuntu0.1 | MEDIUM | An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string. This leads to a heap-based buffer over-read. |
| CVE-2019-19204 | libonig:5.9.6-1ubuntu0.1 | MEDIUM | An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read. |
| CVE-2019-13224 | libonig:5.9.6-1ubuntu0.1 | MEDIUM | A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. |
| CVE-2019-19012 | libonig:5.9.6-1ubuntu0.1 | MEDIUM | An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or information disclosure, or possibly have unspecified other impact, via a crafted regular expression. |
| CVE-2019-16163 | libonig:5.9.6-1ubuntu0.1 | MEDIUM | Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c. |
| CVE-2018-20839 | systemd:229-4ubuntu21.31 | MEDIUM | systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled. |
| CVE-2019-18276 | bash:4.3-14ubuntu1.4 | LOW | An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected. |
| CVE-2016-2781 | coreutils:8.25-2ubuntu3~16.04 | LOW | chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. |
| CVE-2016-4484 | cryptsetup:2:1.6.6-5ubuntu2.1 | LOW | The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password. |
| CVE-2019-25013 | glibc:2.23-0ubuntu11.2 | LOW | The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read. |
| CVE-2016-10739 | glibc:2.23-0ubuntu11.2 | LOW | In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. |
| CVE-2017-12132 | glibc:2.23-0ubuntu11.2 | LOW | The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. |
| CVE-2020-6096 | glibc:2.23-0ubuntu11.2 | LOW | An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data. |
| CVE-2020-27618 | glibc:2.23-0ubuntu11.2 | LOW | The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228. |
| CVE-2019-13050 | gnupg:1.4.20-1ubuntu3.3 | LOW | Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack. |
| CVE-2019-14855 | gnupg:1.4.20-1ubuntu3.3 | LOW | A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18. |
| CVE-2019-17543 | lz4:0.0~r131-2ubuntu2 | LOW | LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." |
| CVE-2019-20838 | pcre3:2:8.38-3.1 | LOW | libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454. |
| CVE-2017-6004 | pcre3:2:8.38-3.1 | LOW | The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression. |
| CVE-2017-7186 | pcre3:2:8.38-3.1 | LOW | libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup. |
| CVE-2017-7244 | pcre3:2:8.38-3.1 | LOW | The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file. |
| CVE-2013-4235 | shadow:1:4.2-3.1ubuntu5.4 | LOW | shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees |
| CVE-2017-12424 | shadow:1:4.2-3.1ubuntu5.4 | LOW | In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts. |
| CVE-2018-7169 | shadow:1:4.2-3.1ubuntu5.4 | LOW | An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation. |
| CVE-2016-5011 | util-linux:2.27.1-6ubuntu3.10 | LOW | The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset. |
| CVE-2016-2779 | util-linux:2.27.1-6ubuntu3.10 | LOW | runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. |
wglambert added the `question` label on Apr 26, 2021

@wglambert

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

Currently the image has every package at its latest version:

```console
$ docker run -it --rm mongo:3.6.23-xenial bash
Unable to find image 'mongo:3.6.23-xenial' locally
3.6.23-xenial: Pulling from library/mongo
92473f7ef455: Pull complete 
fb52bde70123: Pull complete 
64788f86be3f: Pull complete 
33f6d5f2e001: Pull complete 
570e56656608: Pull complete 
f518a872ab12: Pull complete 
c9bdae151f64: Pull complete 
b2c58da5f563: Pull complete 
2928038a6053: Pull complete 
29a16c1b79ab: Pull complete 
efec0f86077c: Pull complete 
261a04726d31: Pull complete 
d2132b5e10f5: Pull complete 
Digest: sha256:2ae2185d1e3b93c130b0ee7039976767419266f788f42255c00fae0fab160927
Status: Downloaded newer image for mongo:3.6.23-xenial
aproot@86ff770018b2:/# apt update && apt list --upgradeable
Ign:1 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 InRelease
Get:2 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 Release [3457 B]
Get:3 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 Release.gpg [801 B]
Get:4 http://archive.ubuntu.com/ubuntu xenial InRelease [247 kB]
Get:5 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
Get:6 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6/multiverse amd64 Packages [16.0 kB]
Get:7 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Get:8 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages [2049 kB]
Get:9 http://archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]
Get:10 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages [1558 kB]
Get:11 http://security.ubuntu.com/ubuntu xenial-security/restricted amd64 Packages [15.9 kB]
Get:12 http://security.ubuntu.com/ubuntu xenial-security/universe amd64 Packages [985 kB]
Get:13 http://security.ubuntu.com/ubuntu xenial-security/multiverse amd64 Packages [8820 B]
Get:14 http://archive.ubuntu.com/ubuntu xenial/restricted amd64 Packages [14.1 kB]
Get:15 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages [9827 kB]
Get:16 http://archive.ubuntu.com/ubuntu xenial/multiverse amd64 Packages [176 kB]
Get:17 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [2558 kB]
Get:18 http://archive.ubuntu.com/ubuntu xenial-updates/restricted amd64 Packages [16.4 kB]
Get:19 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages [1544 kB]
Get:20 http://archive.ubuntu.com/ubuntu xenial-updates/multiverse amd64 Packages [26.2 kB]
Get:21 http://archive.ubuntu.com/ubuntu xenial-backports/main amd64 Packages [10.9 kB]
Get:22 http://archive.ubuntu.com/ubuntu xenial-backports/universe amd64 Packages [12.6 kB]
Fetched 19.4 MB in 3s (5047 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
Listing... Done
```
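One way to triage a report like the one above along the lines of the answer: a scanner matches on the upstream version number, while a distro backport keeps that number and records the fix in the package changelog (`apt-get changelog <pkg>` inside the container). The script below is an added example, not code from the docker-library maintainers; the changelog excerpt it uses is constructed for the demonstration and is not the real Ubuntu bash changelog.

```python
import re
from dataclasses import dataclass

# One row of an ECR scan export: "CVE-... package:version SEVERITY description".
SCAN_LINE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<package>[a-z0-9.+-]+):(?P<version>\S+)\s+"
    r"(?P<severity>CRITICAL|HIGH|MEDIUM|LOW|INFORMATIONAL)\s+"
    r"(?P<description>.*)$"
)

@dataclass
class Finding:
    cve: str
    package: str
    version: str
    severity: str
    description: str

def parse_scan_report(text):
    """Parse the flattened report rows; non-matching lines (e.g. the header) are skipped."""
    rows = [SCAN_LINE.match(line.strip()) for line in text.splitlines()]
    return [Finding(**m.groupdict()) for m in rows if m]

def cves_in_changelog(changelog):
    """CVE ids named in a package changelog (the text `apt-get changelog <pkg>` prints)."""
    return set(re.findall(r"CVE-\d{4}-\d{4,}", changelog))

def triage(findings, changelogs):
    """Map each finding's CVE to a verdict: the changelog naming the CVE means the distro
    shipped a backported fix despite the unchanged upstream version; otherwise review it."""
    return {
        f.cve: ("fixed-by-backport" if f.cve in cves_in_changelog(changelogs.get(f.package, ""))
                else "needs-review")
        for f in findings
    }

# Two rows from the scan output above (descriptions shortened) plus a CONSTRUCTED
# changelog excerpt (hypothetical, not the real Ubuntu changelog) for the demonstration.
SAMPLE_REPORT = """Name Package Severity Description
CVE-2019-18276 bash:4.3-14ubuntu1.4 LOW An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11.
CVE-2016-2781 coreutils:8.25-2ubuntu3~16.04 LOW chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session.
"""
SAMPLE_CHANGELOGS = {
    "bash": "bash (4.3-14ubuntu1.4) xenial-security; urgency=medium\n\n  * SECURITY UPDATE (hypothetical entry)\n    - CVE-2019-18276\n",
}

def triage_sample():
    return triage(parse_scan_report(SAMPLE_REPORT), SAMPLE_CHANGELOGS)
```

For a real image, feed it the exported scan rows and the output of `apt-get changelog` for each flagged package; a `needs-review` verdict is a finding to check against the distro's CVE tracker, not automatically a true positive.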
