Scanning container image vulnerabilities with Clair
What are container image vulnerabilities?
When Red Hat started releasing products as container images, we decided we needed to build them the same way they were built upstream, which is by building them from Dockerfiles. This means we build fewer RPMs than we used to, and instead we pull in software dependencies from outside of the RPM / DNF ecosystem. It took us some time to get our security data to the same standard as it was for RPM, but that time has arrived, and you can now consume security data for Red Hat container images the same way you do for Red Hat RPMs.
How is this different from the existing security content?
When we build container images at Red Hat we write the Dockerfile used to build them into the container itself, and then we release the container via the Container Catalog. Identifying information is written into the Dockerfile during the build process, and you can use that information to compare it with security data we publish about images.
For Red Hat RPM content we publish OVAL (Open Vulnerability and Assessment Language) files which identify the RPM versions that contain security fixes. OVAL also encapsulates rules for how to scan an operating system for vulnerabilities. In other words, OVAL provides both the data required to scan a system and the details of how to scan it. We found that users often want to scan their entire infrastructure, including other operating systems and container registries, with a security scanner that aggregates data from multiple sources.
This means that it makes sense to separate the security data from the rules on how to scan the system, enabling our security scanner partners to consume the data more easily and also providing Red Hat flexibility in how we provide the data.
Data for container image vulnerabilities can be found in the Red Hat CVE Database which most users access via the web interface. The data backing the web interface can be found in a file called cvemap.xml as well as the Security Data API.
Clair is an open source project that provides a tool to monitor the security of your containers through static analysis of vulnerabilities in container images. Clair has been extended to use the data in cvemap.xml, so you can now use it to scan Red Hat container images for vulnerabilities not only in RPMs but also in non-RPM content.
Technical details
Support for scanning container images has been added to Clair 4.4.2 via this pull request in Clair Core. Clair is used by quay.io, Red Hat Quay, and the Red Hat Container Catalog (registry.redhat.io) via the Container Health Index to track and report vulnerabilities affecting container images. Until now, Clair has only matched Red Hat vulnerability data against the RPMs found in containers; with the release of Clair 4.4.2, it can match the container images themselves as well.
How does it work?
Clair scans the container file content, reads the Dockerfile written into the image, and extracts its “name” label. It also downloads the cvemap.xml file, parses the container image names and fixed-in versions out of it, and then matches those names against the “name” label from the Dockerfile.
Sometimes the name label and the image name used in the CVE database differ even though they refer to the same image, so for those cases we provide a mapping file which maps the container image name label to the image name as found in the CVE database.
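As an added illustration of the two inputs just described (example code, not Clair's own parser and not code from this article): a Go program that pulls the “name” label out of a Dockerfile, passes it through a name mapping, and parses the fixed-in tags recorded for that image out of a cvemap.xml fragment. The Dockerfile, its label values, the single mapping entry and the <cvemap>/<Vulnerability> wrapper elements around the quoted <AffectedRelease> entries are constructed for the example; the real files are far larger and Clair's own code is structured differently.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// Constructed Dockerfile fragment in the shape Red Hat's build system writes
// into the image; the label values are illustrative, not from a real image.
const sampleDockerfile = `FROM registry.redhat.io/ubi8/ubi-minimal
LABEL com.redhat.component="ose-metering-hive-container" \
      name="openshift4/ose-metering-hive" \
      version="v4.6.0" \
      release="202201311100.p0.gf139e12.assembly.stream"
LABEL io.k8s.display-name="Metering Hive"
`

// Constructed cvemap.xml fragment: the two <AffectedRelease> entries quoted in
// the article, inside <cvemap>/<Vulnerability> wrappers assumed for the example.
const sampleCvemap = `<cvemap>
 <Vulnerability name="CVE-2021-44228">
  <AffectedRelease cpe="cpe:/a:redhat:openshift:4.6::el8">
   <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2021:5106">RHSA-2021:5106 </Advisory>
   <Package name="openshift4/ose-metering-hive"> openshift4/ose-metering-hive:v4.6.0-202112140546.p0.g8b9da97.assembly.stream </Package>
  </AffectedRelease>
  <AffectedRelease cpe="cpe:/a:redhat:openshift:4.7::el8">
   <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2021:5107">RHSA-2021:5107 </Advisory>
   <Package name="openshift4/ose-metering-hive"> openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream </Package>
  </AffectedRelease>
 </Vulnerability>
</cvemap>`

// nameMapping stands in for the mapping file; this one entry is hypothetical.
var nameMapping = map[string]string{"openshift4/ose-metering-hive-rhel8": "openshift4/ose-metering-hive"}

var labelRe = regexp.MustCompile(`([\w.-]+)="([^"]*)"`) // one key="value" pair

// ParseLabels joins backslash-newline continuations into logical instructions
// and collects the key="value" pairs of every LABEL instruction.
func ParseLabels(dockerfile string) map[string]string {
	labels := make(map[string]string)
	for _, instr := range strings.Split(strings.ReplaceAll(dockerfile, "\\\n", " "), "\n") {
		if strings.HasPrefix(strings.ToUpper(strings.TrimSpace(instr)), "LABEL ") {
			for _, m := range labelRe.FindAllStringSubmatch(instr, -1) {
				labels[m[1]] = m[2]
			}
		}
	}
	return labels
}

// ImageName is the "name" label, translated through the mapping when present.
func ImageName(labels map[string]string) (string, bool) {
	name, ok := labels["name"]
	if mapped, found := nameMapping[name]; found {
		name = mapped
	}
	return name, ok
}

// Fix is one fixed-in image tag from cvemap.xml.
type Fix struct{ CVE, Image, Tag, Advisory string }

// cvemap mirrors only the elements this example reads.
type cvemap struct {
	Vulns []struct {
		Name     string `xml:"name,attr"`
		Releases []struct {
			Advisory string `xml:"Advisory"`
			Package  struct {
				Name string `xml:"name,attr"`
				Text string `xml:",chardata"`
			} `xml:"Package"`
		} `xml:"AffectedRelease"`
	} `xml:"Vulnerability"`
}

// FixedVersions parses cvemap.xml into Fix records for one image. The
// <Package> text is "image:tag"; entries in any other shape are skipped.
func FixedVersions(doc []byte, image string) ([]Fix, error) {
	var cm cvemap
	if err := xml.Unmarshal(doc, &cm); err != nil {
		return nil, err
	}
	var fixes []Fix
	for _, v := range cm.Vulns {
		for _, r := range v.Releases {
			text := strings.TrimSpace(r.Package.Text)
			if r.Package.Name == image && strings.HasPrefix(text, image+":") {
				fixes = append(fixes, Fix{v.Name, image, strings.TrimPrefix(text, image+":"), strings.TrimSpace(r.Advisory)})
			}
		}
	}
	return fixes, nil
}

func main() {
	name, _ := ImageName(ParseLabels(sampleDockerfile))
	fixes, err := FixedVersions([]byte(sampleCvemap), name)
	if err != nil {
		panic(err)
	}
	fmt.Println(name, fixes)
}
```

The mapping is consulted before the name comparison, so an image whose label disagrees with the CVE database still finds its records; an image with no “name” label at all reports that fact instead of silently matching nothing.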
The reason Clair uses cvemap.xml over the Security Data API is twofold. First, the architecture of Clair is such that it is preferable to consume a flat file containing all the data at once and update it periodically. Second, Clair is often used in offline environments without direct access to the internet. In those environments it is easier to mirror a small number of files into the environment than mirror a whole API service.
Version matching
You may be running a patched container image from one product stream while a later product stream of the same product fixed the same vulnerability in an image whose version sorts after yours. To avoid the false positive that naive comparison would produce in that situation, we constrain matching to a single minor version stream.
Take the Log4j Critical vulnerability CVE-2021-44228. That issue was addressed in both of the following image versions of the “openshift4/ose-metering-hive” container image, as this section of cvemap.xml shows:
<AffectedRelease cpe="cpe:/a:redhat:openshift:4.6::el8">
  <ProductName>Red Hat OpenShift Container Platform 4.6</ProductName>
  <ReleaseDate>2021-12-16T00:00:00</ReleaseDate>
  <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2021:5106">RHSA-2021:5106</Advisory>
  <Package name="openshift4/ose-metering-hive">openshift4/ose-metering-hive:v4.6.0-202112140546.p0.g8b9da97.assembly.stream</Package>
</AffectedRelease>
…
<AffectedRelease cpe="cpe:/a:redhat:openshift:4.7::el8">
  <ProductName>Red Hat OpenShift Container Platform 4.7</ProductName>
  <ReleaseDate>2021-12-16T00:00:00</ReleaseDate>
  <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2021:5107">RHSA-2021:5107</Advisory>
  <Package name="openshift4/ose-metering-hive">openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream</Package>
</AffectedRelease>
Let’s say you were using a version later than the first fixed version but earlier than the second, such as "v4.6.0-202201311100.p0.gf139e12.assembly.stream". If you matched this against the second fixed version (the one starting with v4.7) you would get a false positive, because under RPM version comparison semantics any 4.6 tag sorts before any 4.7 tag, so the installed image looks older than the 4.7 fix.
Red Hat resolves this problem for RPM security data with Common Platform Enumeration (CPE). Continuing the previous example of scanning the installed container image "openshift4/ose-metering-hive:v4.6.0-202201311100.p0.gf139e12.assembly.stream", the cvemap.xml excerpt above shows that the two fixed-in versions map to distinct CPEs: "cpe:/a:redhat:openshift:4.6::el8" and "cpe:/a:redhat:openshift:4.7::el8".
If we’re able to determine that our installed version was included in the “cpe:/a:redhat:openshift:4.6::el8” CPE product stream, we will only match against its fixed version, and not against the 4.7 product stream. The problem is that there is currently no way to determine the CPE of a particular container image.
Clair works around this problem by parsing the security data into ranges keyed by minor version. So for CVE-2021-44228 and the “openshift4/ose-metering-hive” container we end up with three vulnerability entries:
4.6.x range, fixed in “v4.6.0-202112140546.p0.g8b9da97.assembly.stream”
4.7.x range, fixed in “v4.7.0-202112140553.p0.g091bb99.assembly.stream”
4.8.x range, fixed in “v4.8.0-202112132154.p0.g57dd03a.assembly.stream”
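The minor-version range matching described above, as an added Go example (not Clair's code): each fix record is keyed by the minor stream of its fixed-in tag, an installed tag is compared only against the fix in its own stream, and the comparison itself follows RPM's segment rules (digit runs compared numerically, letter runs lexically). The three fix records are the ones listed above; the article does not give an advisory for the 4.8 entry, so it is left empty, and the installed 4.7 tag used in main is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Fix is one fixed-in image tag from cvemap.xml. The three entries below are
// the ones the article lists for CVE-2021-44228; the 4.8 advisory is not
// given there, so it is left empty rather than guessed.
type Fix struct{ CVE, Image, Tag, Advisory string }

var fixes = []Fix{
	{"CVE-2021-44228", "openshift4/ose-metering-hive", "v4.6.0-202112140546.p0.g8b9da97.assembly.stream", "RHSA-2021:5106"},
	{"CVE-2021-44228", "openshift4/ose-metering-hive", "v4.7.0-202112140553.p0.g091bb99.assembly.stream", "RHSA-2021:5107"},
	{"CVE-2021-44228", "openshift4/ose-metering-hive", "v4.8.0-202112132154.p0.g57dd03a.assembly.stream", ""},
}

// Finding is one CVE that affects an installed tag.
type Finding struct{ CVE, Stream, FixedIn, Advisory string }

// streamOf reduces "v4.6.0-2021..." to its minor version stream "4.6". Tags
// that do not start with v<major>.<minor> are rejected rather than guessed.
func streamOf(tag string) (string, bool) {
	parts := strings.SplitN(strings.TrimPrefix(tag, "v"), ".", 3)
	if len(parts) < 2 {
		return "", false
	}
	for _, p := range parts[:2] {
		if _, err := strconv.Atoi(p); err != nil {
			return "", false
		}
	}
	return parts[0] + "." + parts[1], true
}

// Match compares an installed image tag only against the fixed-in tag of its
// own minor stream, so a 4.6 image newer than the 4.6 fix is never compared
// with the 4.7 fix. A stream with no fix record yields no finding, not a guess.
func Match(fixes []Fix, image, tag string) []Finding {
	stream, ok := streamOf(tag)
	if !ok {
		return nil
	}
	var out []Finding
	for _, f := range fixes {
		fixStream, ok := streamOf(f.Tag)
		if f.Image != image || !ok || fixStream != stream {
			continue
		}
		if compareVersions(tag, f.Tag) < 0 {
			out = append(out, Finding{f.CVE, stream, f.Tag, f.Advisory})
		}
	}
	return out
}

var segmentRe = regexp.MustCompile(`[0-9]+|[A-Za-z]+`)
func isNum(seg string) bool { return seg[0] >= '0' && seg[0] <= '9' }

// compareVersions applies RPM's rules: split both strings into runs of digits
// or letters, compare digit runs numerically and letter runs lexically, rank a
// digit run above a letter run, and let the string with more segments win a
// tie. Returns -1, 0 or 1. The git-hash segments of these tags carry no
// ordering; in practice the timestamp segment before them decides.
func compareVersions(a, b string) int {
	sa, sb := segmentRe.FindAllString(a, -1), segmentRe.FindAllString(b, -1)
	for i := 0; i < len(sa) && i < len(sb); i++ {
		x, y := sa[i], sb[i]
		if xn, yn := isNum(x), isNum(y); xn != yn {
			return cmp3(yn, xn)
		} else if xn {
			x, y = strings.TrimLeft(x, "0"), strings.TrimLeft(y, "0")
			if len(x) != len(y) {
				return cmp3(len(x) < len(y), true)
			}
		}
		if x != y {
			return cmp3(x < y, true)
		}
	}
	return cmp3(len(sa) < len(sb), len(sa) > len(sb))
}

func cmp3(less, more bool) int {
	if less {
		return -1
	}
	if more {
		return 1
	}
	return 0
}

func main() {
	for _, tag := range []string{
		"v4.6.0-202201311100.p0.gf139e12.assembly.stream", // newer than the 4.6 fix: no finding
		"v4.7.0-202112010000.p0.gabcdef0.assembly.stream", // constructed, older than the 4.7 fix: finding
	} {
		fmt.Println(tag, Match(fixes, "openshift4/ose-metering-hive", tag))
	}
}
```

The trade-off is visible in Match: an installed tag from a stream that has no fix record (say a 4.9 image, or a tag like "latest" that carries no version at all) produces no finding rather than being compared against a neighbouring stream, so missing data shows up as silence, not as a false positive.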
Don’t we already have scanning in Clair?
This new feature is complementary to the existing Red Hat RPM scanning performed by Clair, because that scanning only matches against RPM security data. Many container images shipped by Red Hat include not only RPMs but also non-RPM content, such as Go binaries and Python and JavaScript files. The Red Hat Product Security team tracks vulnerabilities in this content and publishes security advisories against the affected container images in the Red Hat security data. Without this feature, all of that security data would be ignored by the existing RPM scanner in Clair.
Conclusion
Container image scanning has been added to Clair. In this article we have shown you how you can use Clair to scan container images for vulnerabilities in non-RPM content. The feature works by looking at the Dockerfile contents included in Red Hat container images, parsing the version into a minor version range, and then comparing it against fixed container versions in the improved Red Hat security data.
Learn more
Red Hat Security Blog
Red Hat Product Security Center
Red Hat Product Security Overview