Security problems. Many critical vulnerabilities
Checklist
- Have you pulled and found the error with the jc21/nginx-proxy-manager:latest docker image?
- Yes / No
- Are you sure you're not using someone else's docker image?
- Yes / No
- Have you searched for similar issues (both open and closed)?
- Yes / No
Describe the bug
Hello! I checked for vulnerabilities through the containercve.com service. I was very surprised to see more than 400, many of them critical (>9.0). Please correct.
Nginx Proxy Manager Version
2.11.1
To Reproduce
Steps to reproduce the behavior:
- Go to https://containercve.com
- Paste "jc21/nginx-proxy-manager:2.11.1" and click "Scan"
- See report
You gotta keep in mind that some of these vulnerabilities are not applicable most of the time, e.g. the container has the lib installed but it's not used.
glib, for instance, notes:
NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."
Shouldn't these just be uninstalled then so that there aren't false positives?
@Shocktrooper
The container is based upon another project the maintainer has ongoing: https://github.com/NginxProxyManager/docker-nginx-full
The base container appears to be debian:bookworm-slim, and then it gets layered upon with these other Dockerfiles building upon each other:
https://github.com/NginxProxyManager/docker-nginx-full/tree/master/docker
There are 76 vulnerabilities in the original debian:bookworm-slim image, meaning the toolchains installed in the subsequent layered Dockerfiles are also introducing many vulnerabilities.
The easiest route to solving some of this is to use a thinner image, as well as to assess whether the toolchains are required in the final image or only for the initial build, in which case a separate image should be used for production.
For example, a bunch of Go tools are being installed in this layer which might not be needed in the prod image.
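To illustrate the build-stage versus runtime-stage split suggested in the comment above, here is an added example Dockerfile. It is not the project's own Dockerfile and does not reflect how docker-nginx-full is actually built: the tool being compiled (`example-tool`), its repository path and the `/app` layout are hypothetical placeholders. The point it shows is that the Go toolchain and `git` live only in the `builder` stage, so they (and the CVEs a scanner attributes to them) never reach the image that gets tagged and shipped.

```dockerfile
# Stage 1: build stage. The Go toolchain, git and build-essential are needed
# here only to compile the binary. Nothing from this stage ships except what
# is explicitly COPYed out below.
FROM debian:bookworm-slim AS builder

# Hypothetical build dependencies for illustration only.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates git golang-go \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /src
# "example-tool" is a placeholder, not a real component of this project.
COPY example-tool/ ./example-tool/
RUN cd example-tool && CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/example-tool .

# Stage 2: runtime stage. Starts again from the slim base, so the scanner
# sees only the base image's packages plus the copied binary; the Go
# toolchain and git from the builder stage are not present here.
FROM debian:bookworm-slim

RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/* \
    && useradd --system --no-create-home --shell /usr/sbin/nologin app

COPY --from=builder /out/example-tool /usr/local/bin/example-tool

# Drop root for the running process; the build steps above already ran as root
# and are not needed at runtime.
USER app
ENTRYPOINT ["/usr/local/bin/example-tool"]
```

Checking the result is straightforward: build with `docker build -t example:slim .`, then `docker image ls example:slim` shows the size without the toolchain, and rerunning the same CVE scan against the final tag (rather than the builder stage) reports only what the runtime stage actually contains.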
Hmm, during release tagging you could also remove certain layers.
It would be great to have a version with alpine as the base image
Agreed, that's basically the go-to image for thin/minimal. There are a few better options nowadays, but for arch portability that's the best answer.
@ISnotes
Found this upon further review https://github.com/NginxProxyManager/docker-nginx-full/issues/9#issuecomment-1286249396
Apparently this originated on Alpine at one point.
Side note, the image building process isn't as complex as I first thought, which is good.
https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1011
Some of the history jc21 was mentioning in the discussion I posted a few comments back
https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1141#issuecomment-870243651
Alpine is used in most of the most popular projects, and suddenly it is "unreliable". Suspiciously
I'm interested in getting some updated feedback from @jc21 on that comment, I wouldn't mind undertaking the effort of getting this back to a more secure image if I know the decisions/history on that.
@jc21 I linked the most relevant threads on this topic, do you remember some of the ideas behind the decision to move away from alpine?
I can't use this image in production when there are so many vulnerabilities. Please, dear @jc21 team, try to fix it.
I agree that this image is unusable everywhere where security is very important. Additionally, the image is far too big for what it is.
But both points are gonna be solved with v3 mostly. So the future is looking great! I don't think jc21 needs to waste his time here, as he is already working on it.
Cheers
Is this documented anywhere, or how do you know this information?
Searched here in the issues around and everything jc21 wrote. I initially had the same concerns, so I was interested as well. But I don't remember now where exactly; I'd have to post links :-(
However, as far as I've seen he isn't happy about the huge image, but doesn't want to use Alpine Linux either. I don't remember what he wants to use tbh, but he mentioned it somewhere.
There is already an image, but not sure if it's working; at least it's half as small as the current v2 images: https://hub.docker.com/layers/jc21/nginx-proxy-manager/v3/images/sha256-858a3be38a605b3af148d6eb42ff7bbbea668b51d7e9ad16294386a20c283f1f?context=explore In the changes of the v3 branch on GitHub it is mentioned that the Admin UI switches to Chakra UI... It will be entirely Go based or something like that, ugh, I don't want to spread wrong information, I simply don't remember :-(
But it looks to me like v3 will still take a long time. It seems to be simply a lot of work, and if a lot of work is involved the motivation suffers, so I don't expect anything soon.
Cheers