Node official images vulnerabilities

[westy92]

As seen here, an overwhelming majority of the official node images contain vulnerabilities. Can these please get addressed?

[yosifkit]

Usually most vulnerabilities listed on the Docker Hub are unable to be fixed since there is not an updated package available via the package manager. Let's go down a few of the list of vulnerabilities in latest, 7, 7.7, 7.7.2 and see if they can be fixed:

debian:jessie base image vulnerabilities (first 2 layers):

• https://security-tracker.debian.org/tracker/CVE-2014-9761, marked as a "Minor issue" by the Debian Security team so not fix available
• https://security-tracker.debian.org/tracker/CVE-2016-5417, marked as "not-affected" by Debian Security "glibc (Introduced in 2.22)"
• https://security-tracker.debian.org/tracker/CVE-2016-10228, marked as a "Minor issue" by the Debian Security team so not fix available
• https://security-tracker.debian.org/tracker/CVE-2016-7545, "not-affected"
• https://security-tracker.debian.org/tracker/CVE-2016-10156, "not-affected"
• https://security-tracker.debian.org/tracker/CVE-2015-3217, "Minor issue"
• https://security-tracker.debian.org/tracker/CVE-2016-9401, "Minor issue"
• https://security-tracker.debian.org/tracker/CVE-2016-2781, "Minor issue"

Layers in buildpack-deps:jessie (next 3 layers):

• https://security-tracker.debian.org/tracker/CVE-2015-5922, "NOT-FOR-US: Apple"
• https://security-tracker.debian.org/tracker/CVE-2016-4802, "Windows only"
• https://security-tracker.debian.org/tracker/CVE-2016-3739, "only relevant when built with mbedTLS/PolarSSL"
• https://security-tracker.debian.org/tracker/CVE-2016-7098, "Minor issue"
• https://security-tracker.debian.org/tracker/CVE-2017-6508, "Minor issue"
• https://security-tracker.debian.org/tracker/CVE-2016-6702, "Android-specific patch"
• https://security-tracker.debian.org/tracker/CVE-2016-4448, "Minor impact; too intrusive to backport"
• https://security-tracker.debian.org/tracker/CVE-2016-9318, "Minor issue"
• https://security-tracker.debian.org/tracker/CVE-2015-6837, php issue when using "libxml2 before 2.9.2" (node image doesn't contain php; no php available in Debian Jessie is unfixed; in the php images, none of the php is old enough to be vulnerable)

I would guess that most of the other vulnerabilities in the buildpack-deps layers will have similar descriptions since the Debian images and all dependent images were built just 2 weeks ago. Skipping down to vulnerabilities in the node layers

Layers of node:7.7.2

• CVE-2016-5180, seems to come from c-ares that is built within node itself, but it was patched directly in node with [CVE-2016-5180] ares_create_query: avoid single-byte buffer overwrite nodejs/node#8849, so I'm not sure why it is still detected as vulnerable

[westy92]

Thank you for the extensive explanation! As far as the node:7.7.2 layer vulnerability, maybe the scanner is looking at the library version which doesn't reflect the patch as mentioned here: nodejs/node#11728

As stated above,

https://security-tracker.debian.org/tracker/CVE-2014-9761, marked as a "Minor issue" by the Debian Security team so not fix available

However, as you can see here, it's marked as Critical.

Is this discrepancy due to a different source of severity information?

[yosifkit]

Yeah, the "Critical" is based purely on the CVSS score of 9.8. Minor is what the Debian Security team have classified it for their security release process in order to allocate resources effectively in porting security fixes across all packages.