Reflection needed on several critical security vulnerabilities

[Gaethje]

We scanned your images with Jfrog’s xray image scanner. We found several critical vulnerabilities. Here are the critical vulnerabilities which are CVE >= 9.0, We appreciate your project and feedback.

<style> </style>

XRAY-263045	CVE-2022-32221	9.8	alpine://3.15:curl:7.80.0-r3	When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.	7.80.0-r4	alpine	Critical	2022-12-06	JFrog	docker://cloudbees/haproxytech/kubernetes-ingress:1.9.0	klstg-docker-local/cloudbees/haproxytech/kubernetes-ingress/1.9.0/	docker://cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz alpine://3.15:curl:7.80.0-r3	2023-01-26	https://hackerone.com/reports/1704017 https://security.gentoo.org/glsa/202212-01	When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
XRAY-263045	CVE-2022-32221	9.8	alpine://3.15:libcurl:7.80.0-r3	When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.	7.80.0-r4	alpine	Critical	2022-12-06	JFrog	docker://cloudbees/haproxytech/kubernetes-ingress:1.9.0	klstg-docker-local/cloudbees/haproxytech/kubernetes-ingress/1.9.0/	docker://cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz alpine://3.15:libcurl:7.80.0-r3	2023-01-26	https://hackerone.com/reports/1704017 https://security.gentoo.org/glsa/202212-01	When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
XRAY-260175	CVE-2022-42915	9.8	alpine://3.15:curl:7.80.0-r3	curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.	7.80.0-r4	alpine	Critical	2022-10-30	JFrog	docker://cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0	klstg-docker-localcicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/	docker:/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz alpine://3.15:curl:7.80.0-r3	2023-01-26	https://curl.se/docs/CVE-2022-42915.html https://security.gentoo.org/glsa/202212-01 https://lists.fedoraproject.org/archives/list/[email protected]/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/ https://lists.fedoraproject.org/archives/list/[email protected]/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/ https://lists.fedoraproject.org/archives/list/[email protected]/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/ https://security.netapp.com/advisory/ntap-20221209-0010/	curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
XRAY-260175	CVE-2022-42915	9.8	alpine://3.15:libcurl:7.80.0-r3	curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.	7.80.0-r4	alpine	Critical	2022-10-30	JFrog	docker:/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0	klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/	docker://cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz alpine://3.15:libcurl:7.80.0-r3	2023-01-26	https://curl.se/docs/CVE-2022-42915.html https://security.gentoo.org/glsa/202212-01 https://lists.fedoraproject.org/archives/list/[email protected]/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/ https://lists.fedoraproject.org/archives/list/[email protected]/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/ https://lists.fedoraproject.org/archives/list/[email protected]/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/ https://security.netapp.com/advisory/ntap-20221209-0010/	curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
XRAY-187759	CVE-2021-38297	9.8	go://github.com/golang/go:1.10.3	Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.	1.16.9 1.17.2	go	Critical	2021-10-19	JFrog	docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5	klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/	docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server go://github.com/golang/go:1.10.3	2023-01-26	https://lists.fedoraproject.org/archives/list/[email protected]/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/ https://security.gentoo.org/glsa/202208-02 https://groups.google.com/forum/#!forum/golang-announce https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A https://security.netapp.com/advisory/ntap-20211118-0006/ https://lists.fedoraproject.org/archives/list/[email protected]/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/	Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
XRAY-85927	CVE-2019-14809	9.8	go://github.com/golang/go:1.10.3	net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.	1.11.13 1.12.8	go	Critical	2019-08-16	JFrog	docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5	klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/	docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server go://github.com/golang/go:1.10.3	2023-01-26	https://www.debian.org/security/2019/dsa-4503 https://lists.fedoraproject.org/archives/list/[email protected]/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/ https://lists.fedoraproject.org/archives/list/[email protected]/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/ https://groups.google.com/forum/#!topic/golang-announce/0uuMm1BwpHE https://access.redhat.com/errata/RHSA-2019:3433 http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg https://seclists.org/bugtraq/2019/Aug/31 golang/go#29098	net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
XRAY-82071	CVE-2019-11888	9.8	go://github.com/golang/go:1.10.3	Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges.	1.12.6 1.13beta1	go	Critical	2019-05-20	JFrog	docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5	klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/	docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server go://github.com/golang/go:1.10.3	2023-01-26	https://go-review.googlesource.com/c/go/+/176619	Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges.
XRAY-124116		9.8	alpine://3.15:openssl:1.1.1q-r0	OpenSSL crypto/rc5/rc5_skey.c RC5_32_set_key() Function Key Initialization Stack Buffer Overflow	3.0.0-r0	alpine	Critical	2020-09-10	JFrog	docker://cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0	klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/	docker://cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:a68cf3d2a33072abb4411868b105b0872ab5d785f5da16af316ba5961e6e08b0/sha256__a68cf3d2a33072abb4411868b105b0872ab5d785f5da16af316ba5961e6e08b0.tar.gz alpine://3.15:openssl:1.1.1q-r0	2023-01-26	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17173	OpenSSL contains an overflow condition in the RC5_32_set_key() function in crypto/rc5/rc5_skey.c that is triggered as certain input is not properly validated when initializing encryption or decryption keys. This may allow a context-dependent attacker to cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
XRAY-198036	CVE-2022-23806	9.1	go://github.com/golang/go:1.10.3	Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.	1.16.14 1.17.7	go	Critical	2022-02-14	JFrog	docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5	klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/	docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server go://github.com/golang/go:1.10.3	2023-01-26	https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html https://www.oracle.com/security-alerts/cpujul2022.html https://security.gentoo.org/glsa/202208-02 https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html https://security.netapp.com/advisory/ntap-20220225-0006/	Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

[oktalz]

@Gaethje thx for the info,
we will examine all of them carefully

from what I can tell tool is not working properly.

Most of the reported simply are false,
for example mentioning Go 1.12.6 is out of scope,
also some are windows related and this product is not being released on windows platform.
considering we released new version yesterday, I'm curious where did the tool get that information

also table headers are not visible here.

[dkorunic]

Hi, as mentioned old Go runtime issues don't really apply here (we are now building with Go 1.20) and curl CVE-s are pretty much out of scope since it's tool for optional testing/debugging and isn't actively used. On top of it, it's a vulnerability that wasn't addressed by upstream base image provider (Alpine) yet, packages haven't been built.

[Gaethje]

Hello @oktalz @dkorunic
Thanks for the update. Apologies we were not using the latest image that is the reason there were high number of issues. On the latest image we just found one issuewhich is coming from Alpine but this can be discarded. I will close the issue.

<style> </style>

Issue id	CVES	CVSS3 score	Vulnerable Component	Summary	Fixed versions	Package type	Severity	Published	Provider	Impacted Artifact	Path	Impact Path	Artifact Scan Time	References	Description
XRAY-124116		9.8	alpine://3.15:openssl:1.1.1t-r1	OpenSSL crypto/rc5/rc5_skey.c RC5_32_set_key() Function Key Initialization Stack Buffer Overflow	3.0.0-r0	alpine	Critical	2020-09-10	JFrog	docker://cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.3	klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.3/	docker://cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.3 generic://sha256:05578ff9d17401fca0be3b8f82079784169f93fd470335995538b70278aedfe9/sha256__05578ff9d17401fca0be3b8f82079784169f93fd470335995538b70278aedfe9.tar.gz alpine://3.15:openssl:1.1.1t-r1	2023-02-20	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17173	OpenSSL contains an overflow condition in the RC5_32_set_key() function in crypto/rc5/rc5_skey.c that is triggered as certain input is not properly validated when initializing encryption or decryption keys. This may allow a context-dependent attacker to cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.