
postgres:14.4-alpine vulnerabilities CVE-2022-2097 #980

Closed
TheBigRoomXXL opened this issue Jul 18, 2022 · 3 comments

Comments

@TheBigRoomXXL

Running Trivy against postgres:14.4-alpine image I find the following vulnerability:

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| libcrypto1.1 & libssl1.1 | CVE-2022-2097 | HIGH | 1.1.1o-r0 | 1.1.1q-r0 | openssl: AES OCB fails to encrypt some bytes https://avd.aquasec.com/nvd/cve-2022-2097 |
@wglambert

It'll get updated on its regular monthly cadence. You can also manually update the package in your image in the meantime if you want: docker-library/python#728 (comment)

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame.

- https://github.com/docker-library/faq/tree/6138d05aabf61563606d86f98d0ccbd99f162b33#why-does-my-security-scanner-show-that-an-image-has-cves

Since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

@TheBigRoomXXL
Author

Thank you for your answer.

For the future, is it of any use to the maintainer to report the vulnerabilities here?

@wglambert

In most cases not really; CVEs that do pose a real and critical threat are pretty rare, especially in a container environment. We do take them seriously and perform security updates regularly. When the log4j and heartbleed vulnerabilities became known they were fixed ASAP in the Official Images.
In the case of https://security-tracker.debian.org/tracker/CVE-2022-2097 the Debian security team considers it a minor issue that'll get fixed in the next round of security updates.

postgres:14.4-alpine and the Debian variant are fully up to date currently:

$ docker run -it --rm postgres:14.4-alpine bash
bash-5.1# apk update && apk -u list && apk upgrade --simulate
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/community/x86_64/APKINDEX.tar.gz
v3.16.1-5-ge692d8f074 [https://dl-cdn.alpinelinux.org/alpine/v3.16/main]
v3.16.1-8-g10ac62ce57 [https://dl-cdn.alpinelinux.org/alpine/v3.16/community]
OK: 17026 distinct packages available
OK: 159 MiB in 45 packages
$ docker run -it --rm postgres:14.4 bash
root@e31ba5c96e4c:/# apt update && apt list --upgradable
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian bullseye/main amd64 Packages [8,182 kB]
Get:5 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [166 kB]
Get:6 http://apt.postgresql.org/pub/repos/apt bullseye-pgdg InRelease [91.7 kB]
Get:7 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [2,592 B]
Get:8 http://apt.postgresql.org/pub/repos/apt bullseye-pgdg/main amd64 Packages [249 kB]
Fetched 8,896 kB in 2s (5,609 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Listing... Done

Examples of previous CVE related issues docker-library/openjdk#449 (comment), #286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, #286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.
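The check run by hand in the comment above (`apk -u list` on the Alpine variant, `apt list --upgradable` on the Debian variant) can be scripted so that a pending-upgrade count comes out of either image type. The script below is an added example, not docker-library tooling: it relies on the fact that both package managers mark a pending package with `[upgradable from:`, and the sample listings embedded in it are constructed to mimic that output, not captured from a real image. The `image_upgradable` helper assumes a local Docker daemon and that the image ships `sh` and either `apk` or `apt`.

```shell
#!/bin/sh
# Added example (not docker-library's own tooling): report pending OS package
# upgrades for an Alpine (apk) or Debian (apt) based image, the same check
# wglambert ran interactively above.

# upgradable_from_listing: read an `apk -u list` or `apt list --upgradable`
# listing on stdin and print only the package lines that have a newer
# version available. Both tools tag such lines with "[upgradable from:".
upgradable_from_listing() {
  grep '\[upgradable from:' || true
}

# count_upgradable: number of upgradable packages in a listing read from stdin
# (prints 0, not an error, when nothing is pending).
count_upgradable() {
  upgradable_from_listing | grep -c . || true
}

# image_upgradable: run the listing inside a throw-away container for IMAGE
# and print the upgradable lines. Assumes a local Docker daemon; picks the
# package manager by probing for apk in the image.
image_upgradable() {
  image="$1"
  docker run --rm "$image" sh -c '
    if command -v apk >/dev/null 2>&1; then
      apk update >/dev/null 2>&1 && apk -u list
    else
      apt-get update >/dev/null 2>&1 && apt list --upgradable 2>/dev/null
    fi' | upgradable_from_listing
}

# Constructed sample listings (not captured from a real image) that follow the
# apk and apt output formats, so the parsing part runs offline.
SAMPLE_APK='libcrypto1.1-1.1.1q-r0 x86_64 {openssl} (OpenSSL) [upgradable from: libcrypto1.1-1.1.1o-r0]
libssl1.1-1.1.1q-r0 x86_64 {openssl} (OpenSSL) [upgradable from: libssl1.1-1.1.1o-r0]'
SAMPLE_APT_CLEAN='Listing... Done'

if [ "$#" -ge 1 ]; then
  # Usage: ./check-upgrades.sh postgres:14.4-alpine
  image_upgradable "$1"
else
  printf '%s\n' "$SAMPLE_APK" | count_upgradable        # -> 2
  printf '%s\n' "$SAMPLE_APT_CLEAN" | count_upgradable  # -> 0
fi
```

A non-zero count on a tag you deploy is the signal that the image has not been rebuilt since the base image changed; the interim fix from the linked python comment is to put the upgrade into your own derived Dockerfile (`RUN apk upgrade --no-cache` on Alpine, the apt-get equivalent on Debian) rather than waiting for the monthly rebuild.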
