Aakash

Reputation: 3171

How do I remediate a critical vulnerability in my Docker image?

My Dockerfile is pretty simple, code below. It is an Angular App. Once I merge the code to my main branch, CodePipeline takes over: CodeBuild will build the image and push it to ECR, and CodeDeploy will use that image to deploy the ECS Fargate tasks. Everything works fine. But this image has 1 critical vulnerability: CVE-2021-22945 - curl

node14:14182alpine312 is basically built from FROM node:14.18.2-alpine3.12, nginx:latest is built from FROM nginx:latest.

FROM <awsaccountid>.dkr.ecr.<region>.amazonaws.com/node14:14182alpine312 as builder

WORKDIR /app

COPY ./hello-world-web/ /app/

RUN apk add --no-cache git

RUN npm install

RUN npm run build

FROM <awsaccountid>.dkr.ecr.<region>.amazonaws.com/nginx:latest

COPY --from=builder /app/dist/hello-world-web /usr/share/nginx/html

COPY --from=builder /app/nginx.conf  /etc/nginx/conf.d/default.conf

EXPOSE 80

The tool that scans the ECR repo mentions the vulnerability is in Layer 0. Can I run any script while building the image that would fix this? Individually, the node and nginx images do not have this critical vulnerability. It seems like it could be introduced when npm install is run. Any help to remediate this is much appreciated.

Upvotes: 3

Views: 4463

Answers (2)

Albert

Reputation: 303

If it is pre-installed software and libraries, an apk update command may work. Ideally, you would be in a bit better control, and tell apk to install a specific update, by saying e.g.

apk add "your_package_name>=VERSION-SUFFIX"

Needless to say, you may run into dependency hell, but in my experience, that happens rarely.

Also, if you are security conscientious, I would suggest not just looking for security holes w.r.t. outdated images, but also w.r.t. configurations. I see Nginx being used there, and following e.g. CIS benchmarks is also recommended.

Upvotes: 0

maxm

Reputation: 3667

I see that libcurl is pulled in by apk add git (click "depends"): https://pkgs.alpinelinux.org/package/edge/main/x86/git

But on alpine 3.12 the libcurl version is 7.79.1 which is not affected by the CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-22945

Maybe run apk update before apk add and see if it pulls in the right version?

Upvotes: 1
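The two answers above suggest pinning or refreshing apk packages and then confirming which libcurl version actually landed in the image. The following POSIX sh script is an added example, not code from the question or either answer: it reads `apk list --installed` style lines (the sample below is constructed, not taken from a real image), picks out the curl and libcurl packages, strips the Alpine `-rN` revision suffix, and reports whether each version falls inside the range NVD lists for CVE-2021-22945 (curl 7.73.0 through 7.78.0, fixed in 7.79.0). Run it against the final image, since a multi-stage build ships only the last stage plus whatever is COPYed from the builder, for example `docker run --rm IMAGE apk list --installed | sh check_curl.sh` (IMAGE is a placeholder).

```shell
#!/bin/sh
# Added example: check installed apk package versions against the
# CVE-2021-22945 affected range (curl 7.73.0 .. 7.78.0 inclusive).

# Compare two dotted version strings numerically; prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Strip the Alpine package revision suffix ("-r0") from a version string.
upstream_version() {
    printf '%s\n' "$1" | sed 's/-r[0-9]*$//'
}

# True (exit 0) if the given curl/libcurl version is in the affected range.
affected_by_cve_2021_22945() {
    v=$(upstream_version "$1")
    [ "$(vercmp "$v" 7.73.0)" -ge 0 ] && [ "$(vercmp "$v" 7.78.0)" -le 0 ]
}

# Read `apk list --installed` style lines from stdin and print
# "<pkg> <version> affected|fixed" for every curl or libcurl package.
# Exit status 1 if any affected version was seen, else 0.
scan_apk_list() {
    rc=0
    while IFS= read -r line; do
        pkgver=${line%% *}                 # e.g. libcurl-7.79.1-r0
        case "$pkgver" in
            curl-[0-9]*|libcurl-[0-9]*) ;;
            *) continue ;;
        esac
        name=${pkgver%%-[0-9]*}            # libcurl
        ver=${pkgver#"$name"-}             # 7.79.1-r0
        if affected_by_cve_2021_22945 "$ver"; then
            printf '%s %s affected\n' "$name" "$ver"
            rc=1
        else
            printf '%s %s fixed\n' "$name" "$ver"
        fi
    done
    return $rc
}

# Constructed sample in the format of `apk list --installed`; the two
# curl versions deliberately differ so both outcomes are shown.
SAMPLE_APK_LIST='libcurl-7.77.0-r1 x86_64 {curl} (MIT) [installed]
git-2.26.3-r0 x86_64 {git} (GPL-2.0-only) [installed]
curl-7.79.1-r0 x86_64 {curl} (MIT) [installed]'

# Demo run over the constructed sample; the non-zero exit is ignored here.
printf '%s\n' "$SAMPLE_APK_LIST" | scan_apk_list || true
```

A non-zero exit from `scan_apk_list` is what you would wire into a CodeBuild step to fail the build before the image is pushed to ECR; the version comparison is kept in awk so the script also works on the BusyBox tools inside an Alpine container.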
