@kevherro
Last active April 26, 2018 17:41
How to track down and patch Common Vulnerabilities and Exposures (CVEs) in Docker images used by Replicated

Background

Common Vulnerabilities and Exposures (CVEs) are publicly known security vulnerabilities in the common packages and base operating systems used by our Docker images.

When a CVE is reported against one of them, we need to fix the respective Dockerfile so that it uses the most up-to-date version of the affected package or OS, i.e. the version that contains the fix for the CVE.

CVEs are constantly being discovered, so patching CVEs in our Dockerfiles is something we will do often.

Fortunately, the solution may be as simple as rebuilding the image from the respective Dockerfile.

HOWTO

When the Replicated platform is built, CircleCI scans a list of on-prem images for CVEs. The list of scanned images, with links to the repos that build them, is given under List of Images below.

We use Anchore Engine to scan images for vulnerabilities. You can interact with Anchore through the Anchore CLI (anchore-cli). The Anchore server address is https://anchore.replicated.systems/v1. Credentials can be found in Passpack or Keybase.

To check for vulnerabilities, run the command:

> anchore-cli image vuln <input_image> [VULN_TYPE]

For example, we might want to check whether OS package vulnerabilities (vuln type os) exist in the Replicated cmd image:

> anchore-cli image vuln registry.replicated.com/library/cmd:1.2.1 os

If vulnerabilities exist, Anchore might return something like this:

Vulnerability ID        Package                               Severity          Fix                      Vulnerability URL
CVE-2017-6512           perl-5.18.2-2ubuntu1.3                Low               5.18.2-2ubuntu1.4        http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6512
CVE-2017-6512           perl-base-5.18.2-2ubuntu1.3           Low               5.18.2-2ubuntu1.4        http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6512
CVE-2017-6512           perl-modules-5.18.2-2ubuntu1.3        Low               5.18.2-2ubuntu1.4        http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6512

Here, we see three findings in the perl packages used by the cmd image, all for CVE-2017-6512, and the Fix column shows that a patched package version (5.18.2-2ubuntu1.4) is available. We will need to update the Dockerfile that produces the cmd image so that the rebuilt image picks up that version.

The images are built on different distros, so the package management commands vary from Dockerfile to Dockerfile. Once you have updated the Dockerfile, rebuilt the image, tested it with Anchore, and tagged the clean image, push it with the new tag to the appropriate registry:

> docker push registry.replicated.com/library/cmd:1.2.2

Finally, the replicated and chatops-deployer projects must be updated to use the newly patched image tags.
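The following script is an added example and not part of the gist or of Replicated's tooling. It parses the table that `anchore-cli image vuln <image> os` prints (the same layout as the perl example above), counts the findings that have a fix available, and turns that into a pass/fail gate you can run between tagging an image and updating the projects that consume it. The sample output is constructed inline (the three perl rows mirror the gist's example; the CVE-0000-0000 row is a placeholder for a finding without a fix). It assumes that Anchore prints "None" in the Fix column when no fixed package exists, that anchore-cli reads its server URL and credentials from the ANCHORE_CLI_URL, ANCHORE_CLI_USER and ANCHORE_CLI_PASS environment variables, and that the image has been added to Anchore and analyzed (`image add` / `image wait`) before `image vuln` is queried.

```shell
#!/bin/sh
# Added example (not from the gist): parse `anchore-cli image vuln <image> os`
# output, gate on findings that have a fix available, and wrap the live
# add / wait / vuln sequence for one image.

# Constructed sample of scan output. The perl rows mirror the gist's example;
# CVE-0000-0000 is a placeholder for a finding with no fix yet (assumed to be
# reported as "None" in the Fix column).
SAMPLE_VULN_OUTPUT='Vulnerability ID        Package                               Severity          Fix                      Vulnerability URL
CVE-2017-6512           perl-5.18.2-2ubuntu1.3                Low               5.18.2-2ubuntu1.4        http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6512
CVE-2017-6512           perl-base-5.18.2-2ubuntu1.3           Low               5.18.2-2ubuntu1.4        http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6512
CVE-2017-6512           perl-modules-5.18.2-2ubuntu1.3        Low               5.18.2-2ubuntu1.4        http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6512
CVE-0000-0000           libexample-0.1-1                      Medium            None                     http://example.invalid/CVE-0000-0000'

# Constructed sample for an image whose only finding has no fix available:
# rebuilding would not help, so the gate should pass.
SAMPLE_CLEAN_OUTPUT='Vulnerability ID        Package                               Severity          Fix                      Vulnerability URL
CVE-0000-0000           libexample-0.1-1                      Medium            None                     http://example.invalid/CVE-0000-0000'

# Read scan output on stdin; print "<CVE> <package> <fixed version>" for each
# finding whose Fix column is not "None". The header line (NR == 1) is skipped
# and blank lines are ignored.
fixable_findings() {
    awk 'NR > 1 && NF >= 4 && $4 != "None" { print $1, $2, $4 }'
}

# Read scan output on stdin; print the number of fixable findings.
count_fixable() {
    fixable_findings | wc -l | tr -d ' '
}

# Read scan output on stdin; print each distinct CVE ID once, any severity.
distinct_cves() {
    awk 'NR > 1 && NF >= 4 { print $1 }' | sort -u
}

# Read scan output on stdin. Return 0 when nothing is fixable (the image is as
# patched as its distro allows today), 1 when a rebuild would remove findings.
gate_scan_output() {
    n=$(count_fixable)
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n finding(s) have a fix available; rebuild and re-tag the image" >&2
        return 1
    fi
    echo "OK: no fixable findings"
}

# Live flow for one already-pushed tag (not exercised offline). Anchore pulls
# the image from the registry, so the tag must be pushed before it is added.
# Usage: scan_and_gate registry.replicated.com/library/cmd:1.2.2
scan_and_gate() {
    image="$1"
    anchore-cli image add "$image" >/dev/null || return 1
    anchore-cli image wait "$image" >/dev/null || return 1
    anchore-cli image vuln "$image" os | gate_scan_output
}

# Stand-alone demo on the constructed sample: list the fixable rows, then run
# the gate (which fails here, because the perl rows have a fix available).
printf '%s\n' "$SAMPLE_VULN_OUTPUT" | fixable_findings
printf '%s\n' "$SAMPLE_VULN_OUTPUT" | gate_scan_output || :
```

The gate deliberately keys on the Fix column rather than on severity: a Low finding with a fix available is something a rebuild can remove today, while a Medium finding with no fix is not actionable until the distro ships a patched package, so failing the build on it would only teach people to ignore the scanner. Run `scan_and_gate` on the newly pushed tag and only update replicated and chatops-deployer when it prints OK.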

List of Images

registry.replicated.com/library/premkit -> https://github.com/premkit/premkit

registry.replicated.com/library/cmd -> https://github.com/replicatedcom/replicated/tree/master/pkg/commands/hack

registry.replicated.com/library/statsd-graphite -> https://github.com/replicatedcom/statsd-graphite

registry.replicated.com/library/support-bundle -> https://github.com/replicatedcom/support-bundle
