
[ERROR] [email protected] package contains security issues #1477


Closed
marcossv9 opened this issue Nov 17, 2022 · 13 comments
@marcossv9

Describe your bug
We have found two security issues regarding the nodejs deb package while scanning a container using the snyk tool.

That's because we use the latest ubuntu container as base, and then we install nodejs using:

RUN curl -fsSL https://deb.nodesource.com/setup_16.x | bash - \
    && apt-get install -y nodejs

Distribution Information:

  • OS: Ubuntu
  • Version: 22.04
  • Other info if applicable: Docker image

Node Version:

  • Node: v16.18.1

To Reproduce
Steps to reproduce the behavior:

snyk container test <our_ubuntu22:04_based_container> --policy-path=.snyk --severity-threshold=high

Testing <our_ubuntu22:04_based_container>...

✗ High severity vulnerability found in nodejs
  Description: Loop with Unreachable Exit Condition ('Infinite Loop')
  Info: https://snyk.io/vuln/SNYK-UBUNTU2204-NODEJS-2775540
  Introduced through: [email protected]
  From: [email protected]
  Image layer: 'apt-get install -y nodejs'

✗ High severity vulnerability found in nodejs
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-UBUNTU2204-NODEJS-2782481
  Introduced through: [email protected]
  From: [email protected]
  Image layer: 'apt-get install -y nodejs'



Organization:      myorg
Package manager:   deb
Project name:      docker-image|<our_ubuntu22:04_based_container>
Docker image:      <our_ubuntu22:04_based_container>
Platform:          linux/amd64
Base image:        ubuntu:22.04
Local Snyk policy: found
Licenses:          enabled

Tested 264 dependencies for known issues, found 2 issues.

According to our scan, you are currently using the most secure version of the selected base image

Learn more: https://docs.snyk.io/products/snyk-container/getting-around-the-snyk-container-ui/base-image-detection

Expected behavior
After we run snyk container test command, the nodejs package should not contain any security issue.

Additional context
There is no updated deb package for that version of nodejs, so we can't install a patched version of it.
Please see the available deb versions here

https://security.snyk.io/vuln/SNYK-UBUNTU2204-NODEJS-2782481
https://security.snyk.io/vuln/SNYK-UBUNTU2204-NODEJS-2775540

@marcossv9
Author

Any updates on this security issue?

@riosje riosje self-assigned this Nov 29, 2022
@riosje
Contributor

riosje commented Dec 13, 2022

Hi guys, we were checking whether it was a false positive, but it looks like those vulns affect all versions of Node.
We highly suggest you report these vulnerabilities on https://github.com/nodejs/node

@riosje riosje closed this as completed Dec 13, 2022
@marcossv9
Author

> Hi guys, we were checking whether it was a false positive, but it looks like those vulns affect all versions of Node. We highly suggest you report these vulnerabilities on https://github.com/nodejs/node

Hey @riosje, thanks for your response. I did that, but the team closed my issue saying that it has to be opened here. See this link for details: nodejs/node#45499 (comment)

@riosje riosje reopened this Dec 13, 2022
@riosje
Contributor

riosje commented Dec 13, 2022

Hi @marcossv9, let me discuss this internally.

thanks.

@Whobeu

Whobeu commented Dec 19, 2022

Just an FYI: Node.js v16.19.0 dropped last week on the 14th but is not yet available here. Maybe the problem is solved in this latest release.

@riosje
Contributor

riosje commented Dec 20, 2022

Hi @Whobeu, if you use the script https://deb.nodesource.com/setup_16.x you can install the latest version (16.19.0), but unfortunately the vulns are still there.
I'm doing several tests because the vulnerabilities change depending on the base image.

For example, with Ubuntu you get these vulns.

With Debian you get this one.

@riosje
Contributor

riosje commented Dec 20, 2022

@marcossv9 @Whobeu you can use ubuntu-20.04 with node 16.19.0.
I think some of those vulns are directly related to the OS version. Also, I think there might be some false-positive findings from the snyk scanner.

Testing vuln-validation...

Organization:      
Package manager:   deb
Project name:      docker-image|vuln-validation
Docker image:      vuln-validation
Platform:          linux/amd64
Base image:        ubuntu:20.04
Licenses:          enabled

✔ Tested 158 dependencies for known issues, no vulnerable paths found.

Base Image    Vulnerabilities  Severity
ubuntu:20.04  9                0 critical, 0 high, 1 medium, 8 low

Recommendations for base image upgrade:

Major upgrades
Base Image      Vulnerabilities  Severity
ubuntu:rolling  6                0 critical, 0 high, 1 medium, 5 low


@riosje
Contributor

riosje commented Dec 20, 2022

After all the tests performed, we can conclude those vulns are not directly associated with the Node.js deb/rpm packages distributed by NodeSource.

@riosje riosje closed this as completed Dec 20, 2022
@marcossv9
Author

Thanks for taking the time to dig into this issue @riosje.
Unfortunately, we don't want to go back to Ubuntu 20.04. We prefer to keep using the latest Ubuntu version (or almost the latest one).
This is very weird: snyk is saying that the [email protected] package is the vulnerable one... let me open a support ticket with snyk so they can check internally whether or not it is a false positive.
I'll update this thread once I get an answer from them.

@riosje
Contributor

riosje commented Dec 20, 2022

@marcossv9 let's check this test case.

NodeJS Version   Base Image
16.19.0          ubuntu:22.04

Dockerimage

FROM ubuntu:22.04
RUN apt-get update -y && apt-get upgrade -y && apt-get install -y curl \
    && curl -fsSL https://deb.nodesource.com/setup_16.x | bash - \
    && apt-get install -y nodejs

When you run the scan you will get this vulnerability -> NULL Pointer Dereference | CVE-2022-0778

> All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k

It means, or I understand, that version 1.1.1k or higher is not vulnerable.

If you check, the openssl version on this build of node is 1.1.1s:

root@4825eaa93942:/# node -e 'console.log(process.versions)' | grep openssl
  openssl: '1.1.1s+quic',

So, versions higher than 1.1.1k are supposed not to be vulnerable to this; for this reason I suspect false positives from snyk.
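The check riosje does by hand above, as an added example in POSIX shell (not code from this thread, from NodeSource or from Snyk): read the OpenSSL version string a Node.js build reports and compare it field by field with the 1.1.1k fix version quoted from the OpenSSL advisory. The version strings in the loop are constructed samples; `node` is only queried if it happens to be on PATH, and the check deliberately limits itself to the 1.1.1 series because that is all the quoted advisory text covers.

```shell
#!/bin/sh
# Added example (not from the thread or NodeSource): decide whether the OpenSSL
# that a Node.js build bundles is at or above the version the quoted OpenSSL
# advisory names as fixing CVE-2022-0778 (1.1.1k). Input strings have the shape
# printed by `node -p 'process.versions.openssl'`, e.g. "1.1.1s+quic".
# Assumption: a single patch letter, which holds for the whole 1.1.1 series.
# POSIX sh has no `local`, so the helper variables below are globals.

CVE_2022_0778_FIXED="1.1.1k"   # fixed version quoted from the advisory above

# Normalise an OpenSSL 1.x version into four integers that compare field by
# field: "1.1.1s+quic" -> "1 1 1 115" (115 is the ASCII code of 's').
# A missing patch letter ("1.1.1") maps to 0, so it sorts before "1.1.1a".
openssl_version_key() {
    ver=${1%%+*}                                 # drop "+quic"-style build tags
    num=$(printf '%s' "$ver" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    letter=$(printf '%s' "$ver" | sed 's/^[0-9][0-9.]*//')
    if [ -n "$letter" ]; then
        code=$(printf '%d' "'$letter")           # POSIX printf: 'c -> code of c
    else
        code=0
    fi
    # word splitting on the spaces tr produces is intended here
    set -- $(printf '%s' "$num" | tr '.' ' ')    # $1 $2 $3 = major minor patch
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$code"
}

# True (exit 0) when OpenSSL version $1 is >= version $2.
openssl_at_least() {
    set -- $(openssl_version_key "$1") $(openssl_version_key "$2")
    for pair in "$1 $5" "$2 $6" "$3 $7" "$4 $8"; do
        x=${pair% *}
        y=${pair#* }
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0                                     # all four fields equal
}

# Print the CVE-2022-0778 status for a bundled OpenSSL version. Restricted to
# the 1.1.1 series because that is all the quoted advisory text covers; other
# series are reported as out of scope rather than guessed at.
cve_2022_0778_status() {
    case "${1%%+*}" in
        1.1.1*) ;;
        *) echo "outside the 1.1.1 series, not covered by this check"; return 0 ;;
    esac
    if openssl_at_least "$1" "$CVE_2022_0778_FIXED"; then
        echo "not affected"
    else
        echo "affected"
    fi
}

# Constructed sample inputs (not taken from any real scan or container):
for v in "1.1.1s+quic" "1.1.1k" "1.1.1j" "1.1.1" "3.0.7+quic"; do
    echo "$v -> $(cve_2022_0778_status "$v")"
done

# Against a live Node.js binary, when one is on PATH:
if command -v node >/dev/null 2>&1; then
    bundled=$(node -p 'process.versions.openssl')
    echo "node bundles OpenSSL $bundled -> $(cve_2022_0778_status "$bundled")"
fi
```

The comparison works on major, minor, patch and the ASCII code of the patch letter, so it does not depend on `sort -V`, which is a GNU extension rather than POSIX. Note that this only answers "is the bundled OpenSSL past the advisory's fix version"; it says nothing about how a scanner maps a deb package version to CVEs, which is the part of the disagreement the thread leaves with Snyk support.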

@Whobeu

Whobeu commented Dec 20, 2022

> @marcossv9 @Whobeu you can use ubuntu-20.04 with node 16.19.0. I think some of those vulns are directly related to the OS version. Also, I think there might be some false-positive findings from the snyk scanner.

Thanks. I periodically check https://deb.nodesource.com/node_16.x/pool/main/n/nodejs/ to see when the latest build appears, and I did not see 16.19.0. Checked this morning and it has appeared with a date of Dec 19, so it was timing on my part.

@marcossv9
Author

> node -e 'console.log(process.versions)' | grep openssl

Thanks @riosje. I've tested it and now I get your point.
I'll follow up with Snyk Support to see what I can get.

@ejramirezdev

I can't update to 16.19.0
