
I have a Docker base image which, when uploaded to the Quay image repository, gives the vulnerability pyup.io-43366 (CVE-2021-43818).

The base image is

FROM quay/registry.redhat.io/rhel7:latest
MAINTAINER Me

LABEL description="Application runtime image" \
      name="Image name" \
      version="1.0"

ENV LANG en_US.UTF-8

RUN yum-config-manager  \
    && yum -y install java-11-openjdk \
    && yum -y clean all
CMD ["/bin/bash"]

Is there any way I can overcome this vulnerability?

  • Do you have the latest version of `quay/registry.redhat.io/rhel7:latest` before building the image locally? (`$ docker pull quay/registry.redhat.io/rhel7:latest`) - to ensure all known patches are applied – Mika Vatanen Apr 15 '22 at 09:34
  • stop using `latest` and you won't be surprised – rkosegi Apr 15 '22 at 09:47
  • then what tag should I give? please suggest – Syed Iftekharuddin Apr 15 '22 at 10:27
  • @SyedIftekharuddin To be clear, the tag I suggest in [my answer below](https://stackoverflow.com/a/71912575/6309) is one you would build yourself. An image which would include the right version of the reported vulnerable library. – VonC Apr 23 '22 at 11:22

2 Answers


Red Hat provides this information describing how the issue affects different products versions.

As described in the aforementioned link, it seems that no mitigation is provided:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

In the specific use case of Red Hat Enterprise Linux 7, they indicate the product is "Out of support scope":

When a product is listed as "Out of Support Scope", it means a vulnerability with the impact level assigned to this CVE is no longer covered by its current support lifecycle phase. The product has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed. The product should be assumed to be affected. Customers are advised to apply any mitigation options documented on this page, consider removing or disabling the impacted component, or upgrade to a supported version of the product that has an update available.

This may explain, as VonC indicated in his question, why Grype doesn't report the problem.

If you need your image just for running Java, one thing you could try is removing the dependency, but I am afraid it is required by other libraries, so probably it will not work.

Please, take my words with caution because it entirely depends on your actual use case, but you may "safely" use your image as well. From the cited docs again:

This flaw is rated as Moderate because code execution is limited to the web browser scope.

In fact, Red Hat itself provides similar images with the same problem.

Finally, if using Red Hat is not a strict requirement, you can choose another different Java distribution like OpenJDK or AdoptOpenJDK. For example:

docker pull openjdk:11.0.14.1-jdk
jccampanero

"stop using latest" -- "what tag should I give?"

First, you can list tags from rhel7, using the regclient project from Brandon Mitchell (sudo-bmitch, top contributor on Stack Overflow), with:

alias dr='docker run -it --rm'
# on Windows (cmd.exe macro; the original post had a typo, "dockey")
doskey dr=docker run -it --rm $*


# the regex is quoted so the shell does not interpret '(' and '|';
# no trailing space after the line-continuation backslash
dr regclient/regctl:latest tag ls registry.access.redhat.com/rhel7 | \
  grep -Ev '(source|[0-9][0-9][0-9][0-9])'

(on Windows: grep -Ev (source^|[0-9][0-9][0-9][0-9]): note the ^)

Second, I do not see CVE-2021-43818 in latest, using anchore/grype

docker run anchore/grype:latest registry.access.redhat.com/rhel7:latest | grep 2021

The closest is CVE-2021-3541, a flaw found in libxml2-python.

In your case, considering Lxml 4.6.5 includes a fix for CVE-2021-43818, you would need an image with Lxml 4.6.5+.

If that image does not exist yet, you could docker build your own starting FROM registry.access.redhat.com/rhel7:7.9, adding the right libxml, and publish it to Quay.

VonC
  • I am new to Docker, could you please provide some sample code that I can use? – Syed Iftekharuddin Apr 28 '22 at 21:01
  • @SyedIftekharuddin Sure: you can find [examples here](https://stackoverflow.com/a/66295358/6309) of a Dockerfile installing `py-lxm`. – VonC Apr 29 '22 at 07:01
  • I cannot use Docker locally in my company. I just have a TeamCity build for Docker. Could you please suggest something that I can run using TeamCity? – Syed Iftekharuddin May 07 '22 at 13:01
  • @SyedIftekharuddin What docker environment do you have access to, in order to start building your own docker image? – VonC May 07 '22 at 13:21
  • It's prohibited on the company laptop to install Docker. They just provided TeamCity, where I usually build the image. – Syed Iftekharuddin May 07 '22 at 13:24
  • @SyedIftekharuddin I am with you on that one (Jenkins for me, not TeamCity): no Docker on company laptop indeed. Do you have access to a VDI or other remote server where Docker could be installed? – VonC May 07 '22 at 13:27
  • I have a VDI; I usually don't use it, but I checked just now. I cannot install Docker on the VDI either. – Syed Iftekharuddin May 07 '22 at 13:41
  • Figures... same here (although I might get one where I am allowed to "experiment"!) In the meantime, if this is a public image, you could build it on a personal computer and publish it to https://hub.docker.com/. – VonC May 07 '22 at 13:43
  • This image is on our company's quay repository, I am not sure this will be public? – Syed Iftekharuddin May 07 '22 at 13:45
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/244575/discussion-between-vonc-and-syed-iftekharuddin). – VonC May 07 '22 at 13:46
  • Hi @VonC shall we please continue on this topic – Syed Iftekharuddin Jul 28 '22 at 21:44
  • @SyedIftekharuddin Sure. It would be better if you can add a separate question, in order for me or any other contributor to continue on this topic. – VonC Jul 28 '22 at 22:11
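Two steps in VonC's answer above can be scripted: choosing a pinned `rhel7` tag from a `regctl tag ls` listing (the `grep -Ev` filter), and checking whether the lxml actually present in an image is at or above the 4.6.5 fix version named for CVE-2021-43818. The block below is an added example written for this page; it is not code from either answer nor from the regclient, grype or pyup.io projects. The tag listing, `rpm -qa` lines and `pip freeze` lines are constructed sample input, and the package names it matches (`python-lxml`, `python2-lxml`, `python3-lxml`) are assumptions about how the RPM would be named.

```python
"""Pick a pinned tag and check the installed lxml against the CVE-2021-43818 fix version.

Added example for the Stack Overflow thread above; not code from the answers or
from regclient/grype/pyup.io. All sample input below is constructed.
"""
import re

# Fixed version named in the answer: lxml 4.6.5 and later.
FIXED_LXML_VERSION = (4, 6, 5)

# Constructed sample of what `regctl tag ls registry.access.redhat.com/rhel7`
# might print (not real registry output).
SAMPLE_TAG_LISTING = """\
latest
7.9
7.9-1234
source
7.8
7.9-source
"""

# Constructed sample of `rpm -qa` inside a container (versions are illustrative).
SAMPLE_RPM_LINES = """\
python-lxml-3.2.1-4.el7.x86_64
libxml2-2.9.1-6.el7.5.x86_64
java-11-openjdk-11.0.14.1.1-1.el7_9.x86_64
"""

# Constructed sample of `pip freeze` for a pip-installed lxml.
SAMPLE_PIP_LINES = """\
lxml==4.6.5
requests==2.27.1
"""

# NAME-VERSION-RELEASE.ARCH, as printed by `rpm -qa`.
RPM_RE = re.compile(r"^(?P<name>.+?)-(?P<version>[0-9][^-]*)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")
# name==version, as printed by `pip freeze`.
PIP_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[0-9][^\s]*)$")

# Assumed RPM package names for lxml on RHEL-family images.
LXML_RPM_NAMES = ("python-lxml", "python2-lxml", "python3-lxml")


def pinned_tags(tag_listing):
    """Mirror the answer's `grep -Ev '(source|[0-9][0-9][0-9][0-9])'` filter and
    additionally drop `latest`, returning only release-style tags such as 7.9."""
    keep = []
    for tag in tag_listing.splitlines():
        tag = tag.strip()
        if not tag or tag == "latest" or "source" in tag or re.search(r"[0-9]{4}", tag):
            continue
        keep.append(tag)
    return keep


def parse_version(text):
    """'4.6.5' -> (4, 6, 5); a non-numeric suffix such as 'rc1' ends the tuple."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def find_lxml_versions(rpm_text="", pip_text=""):
    """Return (source, version_tuple) for every lxml install found in the listings."""
    found = []
    for line in rpm_text.splitlines():
        m = RPM_RE.match(line.strip())
        if m and m.group("name") in LXML_RPM_NAMES:
            found.append(("rpm:" + m.group("name"), parse_version(m.group("version"))))
    for line in pip_text.splitlines():
        m = PIP_RE.match(line.strip())
        if m and m.group("name").lower() == "lxml":
            found.append(("pip:lxml", parse_version(m.group("version"))))
    return found


def unfixed_lxml(rpm_text="", pip_text=""):
    """Return the lxml installs whose upstream version is below the fixed version."""
    return [(src, ver) for src, ver in find_lxml_versions(rpm_text, pip_text)
            if ver < FIXED_LXML_VERSION]


if __name__ == "__main__":
    print("pinned tags:", pinned_tags(SAMPLE_TAG_LISTING))
    print("lxml below 4.6.5:", unfixed_lxml(SAMPLE_RPM_LINES, SAMPLE_PIP_LINES))
```

To use it against a real image, feed it the output of `docker run --rm <image> rpm -qa` and `docker run --rm <image> pip freeze` instead of the constructed strings. One caveat a version-only comparison cannot capture: Red Hat normally backports security fixes into the existing RPM version and documents them in an erratum, so a distribution package can be fixed while its upstream version still reads as "below 4.6.5" (this is also why scanners that key on the upstream version, like the pyup.io report in the question, can flag a patched package). For RHEL 7 the answers above quote Red Hat listing the product as out of support scope for this CVE, so there is no erratum to check and the comparison stands on its own.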