Docker Runner v2.300.0 has 1 critical and 6 high severity CVEs #2327

Open
andersthorbeck opened this issue Dec 19, 2022 · 8 comments
Labels: bug, keep

Comments

@andersthorbeck

Describe the bug
The GitHub Runner versions 2.299.1 and 2.300.0 (most recent versions at the time of writing) have 1 critical severity and 6 high severity CVEs found by Trivy security vulnerability scan.

To Reproduce
Steps to reproduce the behavior:

  1. In a GitHub repository, under a directory named github-runner, have the following Dockerfile:
    FROM ubuntu:22.04
    
    ARG GITHUB_RUNNER_VERSION="2.300.0"
    
    ENV GITHUB_OWNER "myorganization"
    ENV RUNNER_WORKDIR "_work"
    ENV TZ="Europe/London"
    
    ARG DEBIAN_FRONTEND="noninteractive"
    
    
    RUN apt-get update \
      && apt-get install -y \
      ca-certificates \
      curl \
      apt-transport-https \
      lsb-release \
      gnupg \
      && curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null \
      && AZ_REPO=$(lsb_release -cs) \
      && echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | tee /etc/apt/sources.list.d/azure-cli.list \
      && apt-get update \
      && apt-get install -y \
      azure-cli \
      iputils-ping \
      sudo \
      git \
      unzip \
      jq \
      gh
    
    # Required by "hashicorp/setup-terraform"
    RUN curl -sL https://deb.nodesource.com/setup_16.x | sudo -E bash - \
      && sudo apt-get install -y nodejs
    RUN apt-get clean \
      && rm -rf /var/lib/apt/lists/*
    
    RUN adduser --uid 1000 --gecos "GitHub Runner" --disabled-password github-runner && \
      echo 'github-runner ALL=(ALL) NOPASSWD:ALL' | sudo EDITOR='tee -a' visudo
    USER 1000
    
    WORKDIR /home/github-runner
    
    # Install everything needed for the GitHub Action self-hosted-runner
    RUN curl -Ls https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-x64-${GITHUB_RUNNER_VERSION}.tar.gz | tar xz
    RUN sudo ./bin/installdependencies.sh
    
    COPY ./scripts/*.sh /home/github-runner/scripts/
    RUN sudo chmod +x /home/github-runner/scripts/*.sh
    COPY ./entrypoint.sh /home/github-runner/entrypoint.sh
    RUN sudo chmod +x /home/github-runner/entrypoint.sh
    
    ENV PATH="${PATH}:/home/github-runner/scripts"
    
    ENTRYPOINT ["/home/github-runner/entrypoint.sh"]
     The content of entrypoint.sh is omitted for simplicity.
  2. In the same repository, define the following GitHub Actions workflow (to be run on a GitHub-hosted runner, but to generate and vulnerability scan the Docker image for a self-hosted runner):
    name: github-runner-pull-request
    
    on:
      workflow_dispatch:
      pull_request:
        branches:
          - master
        paths:
          - "github-runner/**"
    
    jobs:
      build-and-scan:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v3
          - name: Docker build
            run: docker build github-runner -t github-runner-pull-request:${{ github.sha }}
          - name: Scan image with Trivy
            uses: aquasecurity/trivy-action@master
            with:
              image-ref: github-runner-pull-request:${{ github.sha }}
              format: "table"
              exit-code: "1"
              ignore-unfixed: true # Ignore unfixable
              vuln-type: "os,library"
              severity: "CRITICAL,HIGH"
    
  3. Dispatch this workflow manually (or raise a pull request triggering it).
  4. Read the vulnerability scan results.

Expected behavior

Expected zero HIGH or CRITICAL severity known, mitigatable vulnerabilities.

Runner Version and Platform

The GitHub-hosted runner generating the Docker image and running the Trivy scan:

Current runner version: '2.299.1'
Operating System
  Ubuntu
  22.04.1
  LTS
Runner Image
  Image: ubuntu-22.04
  Version: 20221212.1
  Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20221212.1/images/linux/Ubuntu2204-Readme.md
  Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20221212.1
Runner Image Provisioner
  2.0.91.1

The (to be self-hosted) runner Docker image being generated, which has vulnerabilities:

FROM ubuntu:22.04

ARG GITHUB_RUNNER_VERSION="2.300.0"

What's not working?

The Trivy vulnerability scan seems to indicate that the GitHub Runner code being pulled in via the Dockerfile is vulnerable to the following known CVEs:

Job Log Output

The full run log: trivy_run_redacted.log.

See in particular:

2022-12-19T09:03:05.5617685Z ##[group]Run aquasecurity/trivy-action@master
2022-12-19T09:03:05.5617930Z with:
2022-12-19T09:03:05.5618248Z   image-ref: github-runner-pull-request:8cc4256c2cfbdef03251e6e4d24ad71d50b82b66
2022-12-19T09:03:05.5618574Z   format: table
2022-12-19T09:03:05.5618759Z   exit-code: 1
2022-12-19T09:03:05.5618969Z   ignore-unfixed: true
2022-12-19T09:03:05.5619191Z   vuln-type: os,library
2022-12-19T09:03:05.5619404Z   severity: CRITICAL,HIGH
2022-12-19T09:03:05.5619625Z   scan-type: image
2022-12-19T09:03:05.5619827Z   scan-ref: .
2022-12-19T09:03:05.5620022Z   list-all-pkgs: false
2022-12-19T09:03:05.5620238Z ##[endgroup]
2022-12-19T09:03:05.5917896Z ##[command]/usr/bin/docker run --name f1f6e4627386490589e9ad5db0e66d6f_a8c603 --label 290506 --workdir /github/workspace --rm -e "INPUT_IMAGE-REF" -e "INPUT_FORMAT" -e "INPUT_EXIT-CODE" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_VULN-TYPE" -e "INPUT_SEVERITY" -e "INPUT_SCAN-TYPE" -e "INPUT_INPUT" -e "INPUT_SCAN-REF" -e "INPUT_TEMPLATE" -e "INPUT_OUTPUT" -e "INPUT_SKIP-DIRS" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_TIMEOUT" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_SECURITY-CHECKS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_GITHUB-PAT" -e "INPUT_TRIVY-CONFIG" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/myrepository/myrepository":"/github/workspace" 290506:f1f6e4627386490589e9ad5db0e66d6f  "-a image" "-b table" "-c " "-d 1" "-e true" "-f os,library" "-g CRITICAL,HIGH" 
"-h " "-i github-runner-pull-request:8cc4256c2cfbdef03251e6e4d24ad71d50b82b66" "-j ." "-k " "-l " "-m " "-n " "-o " "-p " "-q " "-r false" "-s " "-t " "-u " "-v "
2022-12-19T09:03:05.8779410Z Running trivy with options: trivy image  --format table --exit-code  1 --ignore-unfixed --vuln-type  os,library --severity  CRITICAL,HIGH  github-runner-pull-request:8cc4256c2cfbdef03251e6e4d24ad71d50b82b66
2022-12-19T09:03:05.8779960Z Global options:  
2022-12-19T09:03:06.4183040Z 2022-12-19T09:03:06.417Z	INFO	Need to update DB
2022-12-19T09:03:06.4183586Z 2022-12-19T09:03:06.417Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-12-19T09:03:06.4184045Z 2022-12-19T09:03:06.417Z	INFO	Downloading DB...
2022-12-19T09:03:09.2010984Z 35.67 MiB / 35.67 MiB [-------------------------------------------------] 100.00% 27.11 MiB p/s 1.5s
2022-12-19T09:03:09.195Z	INFO	Vulnerability scanning is enabled
2022-12-19T09:03:09.2012904Z 2022-12-19T09:03:09.195Z	INFO	Secret scanning is enabled
2022-12-19T09:03:09.2013636Z 2022-12-19T09:03:09.195Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-12-19T09:03:09.2014709Z 2022-12-19T09:03:09.195Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.34/docs/secret/scanning/#recommendation for faster secret detection
2022-12-19T09:07:26.4147234Z 2022-12-19T09:07:26.414Z	INFO	Detected OS: ubuntu
2022-12-19T09:07:26.4147873Z 2022-12-19T09:07:26.414Z	INFO	Detecting Ubuntu vulnerabilities...
2022-12-19T09:07:26.4247603Z 2022-12-19T09:07:26.424Z	INFO	Number of language-specific files: 8
2022-12-19T09:07:26.4248646Z 2022-12-19T09:07:26.424Z	INFO	Detecting dotnet-core vulnerabilities...
2022-12-19T09:07:26.4332483Z 2022-12-19T09:07:26.432Z	INFO	Detecting node-pkg vulnerabilities...
2022-12-19T09:07:26.7336446Z 2022-12-19T09:07:26.732Z	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
2022-12-19T09:07:26.7336810Z 
2022-12-19T09:07:26.7338058Z github-runner-pull-request:8cc4256c2cfbdef03251e6e4d24ad71d50b82b66 (ubuntu 22.04)
2022-12-19T09:07:26.7407751Z ==================================================================================
2022-12-19T09:07:26.7408044Z Total: 0 (HIGH: 0, CRITICAL: 0)
2022-12-19T09:07:26.7408182Z 
2022-12-19T09:07:26.7415817Z 
2022-12-19T09:07:26.7416111Z Node.js (node-pkg)
2022-12-19T09:07:26.7416314Z ==================
2022-12-19T09:07:26.7416535Z Total: 4 (HIGH: 3, CRITICAL: 1)
2022-12-19T09:07:26.7417527Z 
2022-12-19T09:07:26.7424863Z ┌────────────────────────────┬────────────────┬──────────┬───────────────────┬─────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7425575Z │          Library           │ Vulnerability  │ Severity │ Installed Version │                      Fixed Version                      │                          Title                           │
2022-12-19T09:07:26.7426313Z ├────────────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7426993Z │ json-schema (package.json) │ CVE-2021-3918  │ CRITICAL │ 0.2.3             │ 0.4.0                                                   │ nodejs-json-schema: Prototype pollution vulnerability    │
2022-12-19T09:07:26.7428920Z │                            │                │          │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2021-3918                │
2022-12-19T09:07:26.7430059Z ├────────────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7430966Z │ minimatch (package.json)   │ CVE-2022-3517  │ HIGH     │ 3.0.4             │ 3.0.5                                                   │ nodejs-minimatch: ReDoS via the braceExpand function     │
2022-12-19T09:07:26.7439476Z │                            │                │          │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2022-3517                │
2022-12-19T09:07:26.7440339Z ├────────────────────────────┼────────────────┤          ├───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7441424Z │ npm (package.json)         │ CVE-2022-29244 │          │ 8.1.0             │ 8.11.0                                                  │ nodejs: npm pack ignores root-level .gitignore and       │
2022-12-19T09:07:26.7442305Z │                            │                │          │                   │                                                         │ .npmignore file exclusion directives when...             │
2022-12-19T09:07:26.7443012Z │                            │                │          │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2022-29244               │
2022-12-19T09:07:26.7443840Z ├────────────────────────────┼────────────────┤          ├───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7472731Z │ qs (package.json)          │ CVE-2022-24999 │          │ 6.5.2             │ 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, │ express: "qs" prototype poisoning causes the hang of the │
2022-12-19T09:07:26.7473477Z │                            │                │          │                   │ 6.10.3                                                  │ node process                                             │
2022-12-19T09:07:26.7474060Z │                            │                │          │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2022-24999               │
2022-12-19T09:07:26.7474788Z └────────────────────────────┴────────────────┴──────────┴───────────────────┴─────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7475016Z 
2022-12-19T09:07:26.7475247Z home/github-runner/bin/Runner.Common.deps.json (dotnet-core)
2022-12-19T09:07:26.7475560Z ============================================================
2022-12-19T09:07:26.7475798Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7475941Z 
2022-12-19T09:07:26.7476511Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7477063Z │      Library       │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                             │
2022-12-19T09:07:26.7477710Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7478280Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7478821Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7479320Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7480037Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7480594Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7481131Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7481618Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7482173Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7482698Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7483233Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7483722Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7484317Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7484523Z 
2022-12-19T09:07:26.7484759Z home/github-runner/bin/Runner.Listener.deps.json (dotnet-core)
2022-12-19T09:07:26.7485063Z ==============================================================
2022-12-19T09:07:26.7485284Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7485426Z 
2022-12-19T09:07:26.7485837Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7486456Z │      Library       │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                             │
2022-12-19T09:07:26.7487101Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7487648Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7488192Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7488698Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7489280Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7489917Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7490433Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7490930Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7491481Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7492001Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7492508Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7493002Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7493611Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7493813Z 
2022-12-19T09:07:26.7494058Z home/github-runner/bin/Runner.PluginHost.deps.json (dotnet-core)
2022-12-19T09:07:26.7494357Z ================================================================
2022-12-19T09:07:26.7494588Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7494739Z 
2022-12-19T09:07:26.7495146Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7495748Z │      Library       │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                             │
2022-12-19T09:07:26.7496434Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7496992Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7497532Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7498045Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7498619Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7499204Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7499737Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7500238Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7500771Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7501289Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7501800Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7502365Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7502970Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7503174Z 
2022-12-19T09:07:26.7503413Z home/github-runner/bin/Runner.Plugins.deps.json (dotnet-core)
2022-12-19T09:07:26.7503720Z =============================================================
2022-12-19T09:07:26.7503953Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7504096Z 
2022-12-19T09:07:26.7504494Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7505031Z │      Library       │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                             │
2022-12-19T09:07:26.7505749Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7506309Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7506836Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7507339Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7507927Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7508477Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7509063Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7509544Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7510094Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7510610Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7512604Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7513226Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7513859Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7514107Z 
2022-12-19T09:07:26.7514331Z home/github-runner/bin/Runner.Sdk.deps.json (dotnet-core)
2022-12-19T09:07:26.7514624Z =========================================================
2022-12-19T09:07:26.7514842Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7514982Z 
2022-12-19T09:07:26.7515395Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7515935Z │      Library       │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                             │
2022-12-19T09:07:26.7516588Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7517216Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7517750Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7518261Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7518849Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7519401Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7519931Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7520439Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7520986Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7521503Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7521991Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7522478Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7523212Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7523422Z 
2022-12-19T09:07:26.7523657Z home/github-runner/bin/Runner.Worker.deps.json (dotnet-core)
2022-12-19T09:07:26.7523945Z ============================================================
2022-12-19T09:07:26.7524177Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7524319Z 
2022-12-19T09:07:26.7524730Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7525264Z │      Library       │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                             │
2022-12-19T09:07:26.7525889Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7526481Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7527022Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7527530Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7528099Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7528650Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7529184Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7529773Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7530316Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7530831Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7531335Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7531821Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7532417Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7532699Z 
2022-12-19T09:07:26.7532906Z home/github-runner/bin/Sdk.deps.json (dotnet-core)
2022-12-19T09:07:26.7533178Z ==================================================
2022-12-19T09:07:26.7533405Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7533545Z 
2022-12-19T09:07:26.7533940Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7534476Z │      Library       │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                             │
2022-12-19T09:07:26.7535112Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7535668Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7536224Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7536734Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7537319Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7537866Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7538375Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7538926Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7539490Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7540009Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7540518Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7540990Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7541600Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.9022909Z Post job cleanup.

Suggested solution

Implement automated vulnerability scans of your own GitHub Runner code, and ensure any CRITICAL or HIGH severity CVEs which can be mitigated are mitigated before a new version is released.

@andersthorbeck andersthorbeck added the bug Something isn't working label Dec 19, 2022
@andersthorbeck
Author

Somewhat related issues, also mentioning CVEs in the runner: #2145, #1869, #1886.

@nikola-jokic nikola-jokic added the keep Label can be added as soon as we are sure the work on the issue is necessary label Dec 26, 2022
@andersthorbeck
Author

Almost all of these vulnerabilities (except CVE-2022-29244) are still present in new runner version 2.301.1.

kdorheim added a commit to JGCRI/hector that referenced this issue Jan 25, 2023
@matsest

matsest commented Feb 14, 2023

Hi @TingluoHuang, is this being addressed? The CVEs should be fixed regardless of the suggested solutions.

Is there an intent to implement something like the suggested solution here? Should not be very hard to add to the repository. Additionally - is this something you want contributions for, or work out internally?

@andersthorbeck
Author

In the most recent version, 2.302.1, the following vulnerabilities were introduced:

  • Linux packages (github-runner-pull-request:ddb9e6e2f78c54c0f7a5cb3817d48d1e4cddddd1 (ubuntu 22.04))
  • NodeJS

None of the previous CVEs were mitigated.

@mario-campos

It looks like most, if not all, of the NPM vulnerabilities are not an issue. Either they were false-positives or they've been fixed, because I don't see any reference to http-cache-semantics, json-schema, npm, or qs in either package.json or package-lock.json file.

And, while minimatch is in the lock file, it's not subject to GHSA-f8q6-p94x-37v3 because it does not meet the version-range criteria (v3.1.2 > v3.0.5).

So, unless I missed something, I think it's safe to ignore those JS CVEs.

@andersthorbeck
Author

@mario-campos Even if they are false positives though, every GitHub consumer running their own self-hosted GitHub runners will run into these same issues. Even the most recent version 2.309.0 has 4 CVEs, all in .NET: the same 3 as originally reported here 9 months ago, and additionally CVE-2019-0820 (HIGH severity, from dotnet-core).

┌────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ System.Net.Http                │ CVE-2018-8292 │ HIGH     │ fixed  │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
│                                │               │          │        │                   │               │ information exposed in a redirect...                         │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
├────────────────────────────────┼───────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│ System.Private.Uri             │ CVE-2019-0980 │          │        │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
│                                │               │          │        │                   │               │ Core Denial of Service...                                    │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
│                                ├───────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2019-0981 │          │        │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
│                                │               │          │        │                   │               │ Denial of Service                                            │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
├────────────────────────────────┼───────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │          │        │                   │ 4.3.1         │ dotnet: timeouts for regular expressions are not enforced    │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0820                    │
└────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

All of these CVEs seem mitigable simply by bumping version numbers. Doing so would absolve all GitHub consumers attempting to run self-hosted runners from investigating these same CVEs, which aggregated across all of us is currently a huge and unproductive time drain.
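
An added example (not code from actions/runner or from any commenter) of the release gate the issue's "Suggested solution" asks for, applied to the findings in the table above: it reads a Trivy JSON report (the key names follow Trivy's `--format json` schema, assumed here rather than taken from this page), keeps only the HIGH/CRITICAL findings that already have a fixed version, and turns them into the per-package bumps this comment describes. The sample report is constructed from the table above; `Placeholder.Pkg` and `CVE-0000-0000` are placeholders standing in for a finding with no fix yet.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}  # Trivy order

# Constructed sample in the shape of `trivy --format json` output (key names are an assumption
# about Trivy's schema): the four .NET findings from the table above plus a placeholder with no fix.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "home/github-runner/bin/Sdk.deps.json", "Type": "dotnet-core",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2018-8292", "PkgName": "System.Net.Http",
         "InstalledVersion": "4.3.0", "FixedVersion": "4.3.4", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2019-0980", "PkgName": "System.Private.Uri",
         "InstalledVersion": "4.3.0", "FixedVersion": "4.3.2", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2019-0981", "PkgName": "System.Private.Uri",
         "InstalledVersion": "4.3.0", "FixedVersion": "4.3.2", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2019-0820", "PkgName": "System.Text.RegularExpressions",
         "InstalledVersion": "4.3.0", "FixedVersion": "4.3.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0000", "PkgName": "Placeholder.Pkg",  # placeholder entry
         "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "HIGH"},
    ]}]})

def version_key(version):
    """Order plain dotted numeric versions such as '4.3.4' (assumed format)."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def actionable_findings(report_json, min_severity="HIGH"):
    """Findings at or above min_severity that carry a FixedVersion: the 'mitigable' ones."""
    threshold = SEVERITY_RANK[min_severity]
    found = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is absent when a target is clean
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if not vuln.get("FixedVersion"):
                continue  # no upstream fix yet: track it, but it cannot block the release
            found.append((result["Target"], vuln["PkgName"], vuln["VulnerabilityID"],
                          vuln["InstalledVersion"], vuln["FixedVersion"]))
    return found

def required_bumps(findings):
    """Collapse findings to one target version per package: the highest FixedVersion."""
    bumps = {}
    for _target, pkg, _cve, _installed, fixed in findings:
        if pkg not in bumps or version_key(fixed) > version_key(bumps[pkg]):
            bumps[pkg] = fixed
    return bumps

def release_gate(report_json):
    """CI exit status: 1 while any fixable HIGH/CRITICAL finding remains, else 0."""
    return 1 if actionable_findings(report_json) else 0
```

Wire `release_gate` to the process exit code in the release workflow and the build fails only while a fixable HIGH/CRITICAL finding is still present, so unfixable findings are reported without blocking.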

@mmclane

mmclane commented Jul 10, 2024

I can't believe this is still an issue

@casey-robertson-paypal

Still an issue - it gets tiresome seeing these pop up in vuln scanning
