Docker Runner v2.300.0 has 1 critical and 6 high severity CVEs
Describe the bug
The GitHub Runner versions 2.299.1 and 2.300.0 (most recent versions at the time of writing) have 1 critical severity and 6 high severity CVEs found by Trivy security vulnerability scan.
To Reproduce
Steps to reproduce the behavior:
- In a GitHub repository, under a directory named `github-runner`, have the following `Dockerfile` (the content of `entrypoint.sh` is omitted for simplicity):

```dockerfile
FROM ubuntu:22.04

ARG GITHUB_RUNNER_VERSION="2.300.0"
ENV GITHUB_OWNER "myorganization"
ENV RUNNER_WORKDIR "_work"
ENV TZ="Europe/London"
ARG DEBIAN_FRONTEND="noninteractive"

RUN apt-get update \
    && apt-get install -y \
        ca-certificates \
        curl \
        apt-transport-https \
        lsb-release \
        gnupg \
    && curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null \
    && AZ_REPO=$(lsb_release -cs) \
    && echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | tee /etc/apt/sources.list.d/azure-cli.list \
    && apt-get update \
    && apt-get install -y \
        azure-cli \
        iputils-ping \
        sudo \
        git \
        unzip \
        jq \
        gh

# Required by "hashicorp/setup-terraform"
RUN curl -sL https://deb.nodesource.com/setup_16.x | sudo -E bash - \
    && sudo apt-get install -y nodejs

RUN apt-get clean \
    && rm -rf /var/lib/apt/lists/*

RUN adduser --uid 1000 --gecos "GitHub Runner" --disabled-password github-runner && \
    echo 'github-runner ALL=(ALL) NOPASSWD:ALL' | sudo EDITOR='tee -a' visudo

USER 1000
WORKDIR /home/github-runner

# Install everything needed for the GitHub Action self-hosted-runner
RUN curl -Ls https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-x64-${GITHUB_RUNNER_VERSION}.tar.gz | tar xz
RUN sudo ./bin/installdependencies.sh

COPY ./scripts/*.sh /home/github-runner/scripts/
RUN sudo chmod +x /home/github-runner/scripts/*.sh
COPY ./entrypoint.sh /home/github-runner/entrypoint.sh
RUN sudo chmod +x /home/github-runner/entrypoint.sh

ENV PATH="${PATH}:/home/github-runner/scripts"

ENTRYPOINT ["/home/github-runner/entrypoint.sh"]
```

- In the same repository, define the following GitHub Actions workflow (to be run on a GitHub-hosted runner, but to generate and vulnerability scan the Docker image for a self-hosted runner):

```yaml
name: github-runner-pull-request

on:
  workflow_dispatch:
  pull_request:
    branches:
      - master
    paths:
      - "github-runner/**"

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Docker build
        run: docker build github-runner -t github-runner-pull-request:${{ github.sha }}
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: github-runner-pull-request:${{ github.sha }}
          format: "table"
          exit-code: "1"
          ignore-unfixed: true # Ignore unfixable
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"
```

- Dispatch this workflow manually (or raise a pull request triggering it).
- Read the vulnerability scan results.
Expected behavior
Expected zero HIGH or CRITICAL severity known, mitigatable vulnerabilities.
Runner Version and Platform
The GitHub-hosted runner generating the docker image and running the trivy scan:

```
Current runner version: '2.299.1'
Operating System
  Ubuntu
  22.04.1
  LTS
Runner Image
  Image: ubuntu-22.04
  Version: 20221212.1
  Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20221212.1/images/linux/Ubuntu2204-Readme.md
  Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20221212.1
Runner Image Provisioner
  2.0.91.1
```
The (to be self-hosted) runner Docker image being generated, which has vulnerabilities:

```dockerfile
FROM ubuntu:22.04
ARG GITHUB_RUNNER_VERSION="2.300.0"
```
What's not working?
The Trivy vulnerability scan seems to indicate that the GitHub Runner code being pulled in via the Dockerfile is vulnerable to the following known CVEs:
- NodeJS
  - CVE-2021-3918 (CRITICAL, `json-schema` via `package.json`)
  - CVE-2022-3517 (HIGH, `minimatch` via `package.json`)
  - CVE-2022-29244 (HIGH, `npm` via `package.json`)
  - CVE-2022-24999 (HIGH, `qs` via `package.json`)
- .NET
  - CVE-2018-8292 (HIGH, from `dotnet-core`)
  - CVE-2019-0980 (HIGH, from `dotnet-core`)
  - CVE-2019-0981 (HIGH, from `dotnet-core`)
Job Log Output
The full run log: trivy_run_redacted.log.
See in particular:
```
2022-12-19T09:03:05.5617685Z ##[group]Run aquasecurity/trivy-action@master
2022-12-19T09:03:05.5617930Z with:
2022-12-19T09:03:05.5618248Z image-ref: github-runner-pull-request:8cc4256c2cfbdef03251e6e4d24ad71d50b82b66
2022-12-19T09:03:05.5618574Z format: table
2022-12-19T09:03:05.5618759Z exit-code: 1
2022-12-19T09:03:05.5618969Z ignore-unfixed: true
2022-12-19T09:03:05.5619191Z vuln-type: os,library
2022-12-19T09:03:05.5619404Z severity: CRITICAL,HIGH
2022-12-19T09:03:05.5619625Z scan-type: image
2022-12-19T09:03:05.5619827Z scan-ref: .
2022-12-19T09:03:05.5620022Z list-all-pkgs: false
2022-12-19T09:03:05.5620238Z ##[endgroup]
2022-12-19T09:03:05.5917896Z ##[command]/usr/bin/docker run --name f1f6e4627386490589e9ad5db0e66d6f_a8c603 --label 290506 --workdir /github/workspace --rm -e "INPUT_IMAGE-REF" -e "INPUT_FORMAT" -e "INPUT_EXIT-CODE" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_VULN-TYPE" -e "INPUT_SEVERITY" -e "INPUT_SCAN-TYPE" -e "INPUT_INPUT" -e "INPUT_SCAN-REF" -e "INPUT_TEMPLATE" -e "INPUT_OUTPUT" -e "INPUT_SKIP-DIRS" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_TIMEOUT" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_SECURITY-CHECKS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_GITHUB-PAT" -e "INPUT_TRIVY-CONFIG" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/myrepository/myrepository":"/github/workspace" 290506:f1f6e4627386490589e9ad5db0e66d6f "-a image" "-b table" "-c " "-d 1" "-e true" "-f os,library" "-g CRITICAL,HIGH" "-h 
" "-i github-runner-pull-request:8cc4256c2cfbdef03251e6e4d24ad71d50b82b66" "-j ." "-k " "-l " "-m " "-n " "-o " "-p " "-q " "-r false" "-s " "-t " "-u " "-v "
2022-12-19T09:03:05.8779410Z Running trivy with options: trivy image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH github-runner-pull-request:8cc4256c2cfbdef03251e6e4d24ad71d50b82b66
2022-12-19T09:03:05.8779960Z Global options:
2022-12-19T09:03:06.4183040Z 2022-12-19T09:03:06.417Z INFO Need to update DB
2022-12-19T09:03:06.4183586Z 2022-12-19T09:03:06.417Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-12-19T09:03:06.4184045Z 2022-12-19T09:03:06.417Z INFO Downloading DB...
2022-12-19T09:03:09.2010984Z 35.67 MiB / 35.67 MiB [-------------------------------------------------] 100.00% 27.11 MiB p/s 1.5s
2022-12-19T09:03:09.2010984Z 2022-12-19T09:03:09.195Z INFO Vulnerability scanning is enabled
2022-12-19T09:03:09.2012904Z 2022-12-19T09:03:09.195Z INFO Secret scanning is enabled
2022-12-19T09:03:09.2013636Z 2022-12-19T09:03:09.195Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-12-19T09:03:09.2014709Z 2022-12-19T09:03:09.195Z INFO Please see also https://aquasecurity.github.io/trivy/v0.34/docs/secret/scanning/#recommendation for faster secret detection
2022-12-19T09:07:26.4147234Z 2022-12-19T09:07:26.414Z INFO Detected OS: ubuntu
2022-12-19T09:07:26.4147873Z 2022-12-19T09:07:26.414Z INFO Detecting Ubuntu vulnerabilities...
2022-12-19T09:07:26.4247603Z 2022-12-19T09:07:26.424Z INFO Number of language-specific files: 8
2022-12-19T09:07:26.4248646Z 2022-12-19T09:07:26.424Z INFO Detecting dotnet-core vulnerabilities...
2022-12-19T09:07:26.4332483Z 2022-12-19T09:07:26.432Z INFO Detecting node-pkg vulnerabilities...
2022-12-19T09:07:26.7336446Z 2022-12-19T09:07:26.732Z INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
2022-12-19T09:07:26.7336810Z
2022-12-19T09:07:26.7338058Z github-runner-pull-request:8cc4256c2cfbdef03251e6e4d24ad71d50b82b66 (ubuntu 22.04)
2022-12-19T09:07:26.7407751Z ==================================================================================
2022-12-19T09:07:26.7408044Z Total: 0 (HIGH: 0, CRITICAL: 0)
2022-12-19T09:07:26.7408182Z
2022-12-19T09:07:26.7415817Z
2022-12-19T09:07:26.7416111Z Node.js (node-pkg)
2022-12-19T09:07:26.7416314Z ==================
2022-12-19T09:07:26.7416535Z Total: 4 (HIGH: 3, CRITICAL: 1)
2022-12-19T09:07:26.7417527Z
2022-12-19T09:07:26.7424863Z ┌────────────────────────────┬────────────────┬──────────┬───────────────────┬─────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7425575Z │ Library                    │ Vulnerability  │ Severity │ Installed Version │ Fixed Version                                           │ Title                                                    │
2022-12-19T09:07:26.7426313Z ├────────────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7426993Z │ json-schema (package.json) │ CVE-2021-3918  │ CRITICAL │ 0.2.3             │ 0.4.0                                                   │ nodejs-json-schema: Prototype pollution vulnerability    │
2022-12-19T09:07:26.7428920Z │                            │                │          │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2021-3918                │
2022-12-19T09:07:26.7430059Z ├────────────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7430966Z │ minimatch (package.json)   │ CVE-2022-3517  │ HIGH     │ 3.0.4             │ 3.0.5                                                   │ nodejs-minimatch: ReDoS via the braceExpand function     │
2022-12-19T09:07:26.7439476Z │                            │                │          │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2022-3517                │
2022-12-19T09:07:26.7440339Z ├────────────────────────────┼────────────────┤          ├───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7441424Z │ npm (package.json)         │ CVE-2022-29244 │          │ 8.1.0             │ 8.11.0                                                  │ nodejs: npm pack ignores root-level .gitignore and       │
2022-12-19T09:07:26.7442305Z │                            │                │          │                   │                                                         │ .npmignore file exclusion directives when...             │
2022-12-19T09:07:26.7443012Z │                            │                │          │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2022-29244               │
2022-12-19T09:07:26.7443840Z ├────────────────────────────┼────────────────┤          ├───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7472731Z │ qs (package.json)          │ CVE-2022-24999 │          │ 6.5.2             │ 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, │ express: "qs" prototype poisoning causes the hang of the │
2022-12-19T09:07:26.7473477Z │                            │                │          │                   │ 6.10.3                                                  │ node process                                             │
2022-12-19T09:07:26.7474060Z │                            │                │          │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2022-24999               │
2022-12-19T09:07:26.7474788Z └────────────────────────────┴────────────────┴──────────┴───────────────────┴─────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7475016Z
2022-12-19T09:07:26.7475247Z home/github-runner/bin/Runner.Common.deps.json (dotnet-core)
2022-12-19T09:07:26.7475560Z ============================================================
2022-12-19T09:07:26.7475798Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7475941Z
2022-12-19T09:07:26.7476511Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7477063Z │ Library            │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title                                                        │
2022-12-19T09:07:26.7477710Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7478280Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7478821Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7479320Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7480037Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7480594Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7481131Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7481618Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7482173Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7482698Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7483233Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7483722Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7484317Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7484523Z
2022-12-19T09:07:26.7484759Z home/github-runner/bin/Runner.Listener.deps.json (dotnet-core)
2022-12-19T09:07:26.7485063Z ==============================================================
2022-12-19T09:07:26.7485284Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7485426Z
2022-12-19T09:07:26.7485837Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7486456Z │ Library            │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title                                                        │
2022-12-19T09:07:26.7487101Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7487648Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7488192Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7488698Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7489280Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7489917Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7490433Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7490930Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7491481Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7492001Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7492508Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7493002Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7493611Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7493813Z
2022-12-19T09:07:26.7494058Z home/github-runner/bin/Runner.PluginHost.deps.json (dotnet-core)
2022-12-19T09:07:26.7494357Z ================================================================
2022-12-19T09:07:26.7494588Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7494739Z
2022-12-19T09:07:26.7495146Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7495748Z │ Library            │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title                                                        │
2022-12-19T09:07:26.7496434Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7496992Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7497532Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7498045Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7498619Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7499204Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7499737Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7500238Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7500771Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7501289Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7501800Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7502365Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7502970Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7503174Z
2022-12-19T09:07:26.7503413Z home/github-runner/bin/Runner.Plugins.deps.json (dotnet-core)
2022-12-19T09:07:26.7503720Z =============================================================
2022-12-19T09:07:26.7503953Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7504096Z
2022-12-19T09:07:26.7504494Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7505031Z │ Library            │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title                                                        │
2022-12-19T09:07:26.7505749Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7506309Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7506836Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7507339Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7507927Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7508477Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7509063Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7509544Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7510094Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7510610Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7512604Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7513226Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7513859Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7514107Z
2022-12-19T09:07:26.7514331Z home/github-runner/bin/Runner.Sdk.deps.json (dotnet-core)
2022-12-19T09:07:26.7514624Z =========================================================
2022-12-19T09:07:26.7514842Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7514982Z
2022-12-19T09:07:26.7515395Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7515935Z │ Library            │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title                                                        │
2022-12-19T09:07:26.7516588Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7517216Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7517750Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7518261Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7518849Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7519401Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7519931Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7520439Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7520986Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7521503Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7521991Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7522478Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7523212Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7523422Z
2022-12-19T09:07:26.7523657Z home/github-runner/bin/Runner.Worker.deps.json (dotnet-core)
2022-12-19T09:07:26.7523945Z ============================================================
2022-12-19T09:07:26.7524177Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7524319Z
2022-12-19T09:07:26.7524730Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7525264Z │ Library            │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title                                                        │
2022-12-19T09:07:26.7525889Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7526481Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7527022Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7527530Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7528099Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7528650Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7529184Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7529773Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7530316Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7530831Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7531335Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7531821Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7532417Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7532699Z
2022-12-19T09:07:26.7532906Z home/github-runner/bin/Sdk.deps.json (dotnet-core)
2022-12-19T09:07:26.7533178Z ==================================================
2022-12-19T09:07:26.7533405Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7533545Z
2022-12-19T09:07:26.7533940Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7534476Z │ Library            │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title                                                        │
2022-12-19T09:07:26.7535112Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7535668Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7536224Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7536734Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7537319Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7537866Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7538375Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7538926Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7539490Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7540009Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7540518Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7540990Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7541600Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.9022909Z Post job cleanup.
```
Suggested solution
Implement automated vulnerability scans of your own GitHub Runner code, and ensure any CRITICAL or HIGH severity CVEs which can be mitigated are mitigated before a new version is released.
Somewhat related issues, also mentioning CVEs in the runner: https://github.com/actions/runner/issues/2145, https://github.com/actions/runner/issues/1869, https://github.com/actions/runner/issues/1886.
Almost all of these vulnerabilities (except CVE-2022-29244) are still present in the new runner version 2.301.1.
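The gate the workflow above relies on is trivy-action's `severity`, `ignore-unfixed` and `exit-code` inputs. As an added example (not code from this issue or from actions/runner), the script below applies the same filters to Trivy's `--format json` output and groups what survives by scanner type, producing the kind of per-ecosystem list given earlier in the issue. The field names (`Results[].Type`, `Vulnerabilities[].VulnerabilityID`, `FixedVersion`, `Severity`) are those of Trivy's JSON report; `SAMPLE_REPORT` is constructed to mirror a few of the findings in this thread plus two labelled placeholder entries.

```python
"""Apply the trivy-action gate (severity: CRITICAL,HIGH, ignore-unfixed: true,
exit-code: 1) to a Trivy JSON report and summarise what remains per scanner.

Added example for this issue thread, not code from the issue or from
actions/runner. Field names follow Trivy's `--format json` output
(Results[].Target / .Type / .Vulnerabilities[].VulnerabilityID ...).
SAMPLE_REPORT is constructed to mirror a few findings from the thread.
"""
import json
import sys
from collections import defaultdict

SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "github-runner-pull-request:sha (ubuntu 22.04)",
         "Class": "os-pkgs", "Type": "ubuntu", "Vulnerabilities": []},
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-3918", "PkgName": "json-schema",
              "InstalledVersion": "0.2.3", "FixedVersion": "0.4.0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-2022-3517", "PkgName": "minimatch",
              "InstalledVersion": "3.0.4", "FixedVersion": "3.0.5", "Severity": "HIGH"},
             # constructed placeholder: a HIGH with no fixed version available
             {"VulnerabilityID": "CONSTRUCTED-UNFIXED-1", "PkgName": "example-pkg",
              "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "HIGH"},
             # constructed placeholder: below the severity threshold
             {"VulnerabilityID": "CONSTRUCTED-MEDIUM-1", "PkgName": "example-pkg",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "MEDIUM"},
         ]},
        {"Target": "home/github-runner/bin/Runner.Listener.deps.json",
         "Class": "lang-pkgs", "Type": "dotnet-core",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2018-8292", "PkgName": "System.Net.Http",
              "InstalledVersion": "4.3.0", "FixedVersion": "4.3.4", "Severity": "HIGH"},
         ]},
    ]
})


def filter_findings(report, severities=("CRITICAL", "HIGH"), ignore_unfixed=True):
    """Keep (scanner_type, vuln) pairs that survive the severity and fixed-version filters."""
    kept = []
    for result in report.get("Results", []):
        # Trivy omits "Vulnerabilities" (or sets it to null) for clean targets
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            kept.append((result.get("Type", "unknown"), vuln))
    return kept


def summarise(findings):
    """Group findings by scanner type into 'CVE (SEVERITY, pkg installed -> fixed)' lines."""
    grouped = defaultdict(list)
    for scanner, v in findings:
        grouped[scanner].append(
            f"{v['VulnerabilityID']} ({v['Severity']}, {v['PkgName']} "
            f"{v['InstalledVersion']} -> {v['FixedVersion']})")
    return dict(grouped)


def gate(report_json, severities=("CRITICAL", "HIGH"), ignore_unfixed=True):
    """Return (exit_code, summary): exit code 1 if any finding remains, else 0."""
    findings = filter_findings(json.loads(report_json), severities, ignore_unfixed)
    return (1 if findings else 0), summarise(findings)


if __name__ == "__main__":
    # Usage: trivy image --format json -o report.json <image> && python gate.py report.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, summary = gate(raw)
    for scanner, lines in summary.items():
        print(f"{scanner}:")
        for line in lines:
            print(f"  - {line}")
    sys.exit(code)
```

Running it without arguments uses the constructed report and exits 1 because the CRITICAL json-schema, HIGH minimatch and HIGH System.Net.Http findings all have a fixed version; the unfixed placeholder is dropped by `ignore_unfixed` and the MEDIUM one by the severity filter, which is exactly what the workflow's `ignore-unfixed: true` and `severity: "CRITICAL,HIGH"` do.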
Hi @TingluoHuang, is this being addressed? The CVEs should be fixed regardless of the suggested solutions.
Is there an intent to implement something like the suggested solution here? Should not be very hard to add to the repository. Additionally - is this something you want contributions for, or work out internally?
In the most recent version, 2.302.1, the following vulnerabilities were introduced:
- Linux packages (github-runner-pull-request:ddb9e6e2f78c54c0f7a5cb3817d48d1e4cddddd1 (ubuntu 22.04))
  - CVE-2023-0286 (HIGH, `libssl3`)
- NodeJS
  - CVE-2022-25881 (HIGH, `http-cache-semantics` via `package.json`)

None of the previous CVEs were mitigated.
It looks like most, if not all, of the NPM vulnerabilities are not an issue. Either they were false positives or they've been fixed, because I don't see any reference to http-cache-semantics, json-schema, npm, or qs in either the package.json or the package-lock.json file.
And, while minimatch is in the lock file, it's not subject to https://github.com/advisories/GHSA-f8q6-p94x-37v3 because it does not meet the version-range criteria (v3.1.2 > v3.0.5).
So, unless I missed something, I think it's safe to ignore those JS CVEs.
@mario-campos Even if they are false positives though, every GitHub consumer running their own self-hosted GitHub runners will run into these same issues. Even the most recent version 2.309.0 has 4 CVEs, all in .NET: the same 3 as originally reported here 9 months ago, and additionally CVE-2019-0820 (HIGH severity, from dotnet-core).
```
┌────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library                        │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                        │
├────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ System.Net.Http                │ CVE-2018-8292 │ HIGH     │ fixed  │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
│                                │               │          │        │                   │               │ information exposed in a redirect...                         │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
├────────────────────────────────┼───────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│ System.Private.Uri             │ CVE-2019-0980 │          │        │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
│                                │               │          │        │                   │               │ Core Denial of Service...                                    │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
│                                ├───────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2019-0981 │          │        │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
│                                │               │          │        │                   │               │ Denial of Service                                            │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
├────────────────────────────────┼───────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │          │        │                   │ 4.3.1         │ dotnet: timeouts for regular expressions are not enforced    │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0820                    │
└────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```
All of these CVEs seem mitigable simply by bumping version numbers. Doing so would absolve all GitHub consumers attempting to run self-hosted runners from investigating these same CVEs, which aggregated across all of us is currently a huge and unproductive time drain.
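The two checks made in the last few comments (is the flagged package actually in the lock file at a vulnerable version, and would bumping the pinned version clear the finding) can be automated. The script below is an added example for this thread, not code from the issue or from actions/runner: it builds a name-to-versions inventory from an npm `package-lock.json` (the lockfileVersion 1 `dependencies` tree or the v2/v3 `packages` map) and from a .NET `*.deps.json` (`libraries` keyed `Name/Version`, which is what Trivy's dotnet-core scanner reads), then classifies each finding as `not-present`, `patched` or `vulnerable`. The sample lock file, deps.json and findings are constructed to mirror this thread; `is_patched` is a deliberately simplified range check (compare against the fix on the same major.minor line, then the same major, then the lowest fix) rather than a full semver-range evaluation.

```python
"""Cross-check Trivy findings against what is actually in the lock files,
to separate false positives from packages that really need a version bump.

Added example for this thread, not code from the issue or actions/runner.
Handles the two inventories Trivy scanned here: an npm package-lock.json
(lockfileVersion 1 "dependencies" tree or v2/v3 "packages" map) and a
.NET *.deps.json ("libraries" keyed "Name/Version"). The sample files
and findings below are constructed to mirror the thread.
"""
import json
from collections import defaultdict

# Constructed: minimatch is present at 3.1.2; nothing else Trivy flagged is.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "runner-sample", "lockfileVersion": 3,
    "packages": {
        "": {"name": "runner-sample"},
        "node_modules/minimatch": {"version": "3.1.2"},
        "node_modules/brace-expansion": {"version": "1.1.11"},
    },
})

# Constructed: the shape of a .NET deps.json, with the flagged 4.3.0 libraries.
SAMPLE_DEPS_JSON = json.dumps({
    "libraries": {
        "Runner.Listener/2.300.0": {"type": "project"},
        "System.Net.Http/4.3.0": {"type": "package"},
        "System.Private.Uri/4.3.0": {"type": "package"},
    },
})

# Package and fixed version as reported by Trivy in the thread
FINDINGS = [
    {"VulnerabilityID": "CVE-2021-3918", "PkgName": "json-schema", "FixedVersion": "0.4.0", "Inventory": "npm"},
    {"VulnerabilityID": "CVE-2022-3517", "PkgName": "minimatch", "FixedVersion": "3.0.5", "Inventory": "npm"},
    {"VulnerabilityID": "CVE-2022-29244", "PkgName": "npm", "FixedVersion": "8.11.0", "Inventory": "npm"},
    {"VulnerabilityID": "CVE-2022-24999", "PkgName": "qs",
     "FixedVersion": "6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3", "Inventory": "npm"},
    {"VulnerabilityID": "CVE-2018-8292", "PkgName": "System.Net.Http", "FixedVersion": "4.3.4", "Inventory": "dotnet"},
    {"VulnerabilityID": "CVE-2019-0980", "PkgName": "System.Private.Uri", "FixedVersion": "4.3.2", "Inventory": "dotnet"},
]


def npm_lock_inventory(lock):
    """name -> set of versions, for lockfileVersion 1, 2 and 3 layouts."""
    inv = defaultdict(set)
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project itself, not a dependency
            inv[path.rsplit("node_modules/", 1)[-1]].add(meta["version"])

    def walk(deps):  # lockfileVersion 1 (and 2) nested "dependencies" tree
        for name, meta in deps.items():
            inv[name].add(meta["version"])
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return inv


def deps_json_inventory(deps):
    """name -> set of versions from a .NET deps.json "libraries" map."""
    inv = defaultdict(set)
    for key in deps.get("libraries", {}):
        name, _, version = key.partition("/")
        inv[name].add(version)
    return inv


def version_tuple(v):
    return tuple(int(p) if p.isdigit() else 0 for p in v.strip().split("."))


def is_patched(installed, fixed_list):
    """Simplified range check: compare against the fix on the same major.minor
    line if there is one, else the same major, else the lowest fix overall."""
    inst = version_tuple(installed)
    fixes = [version_tuple(f) for f in fixed_list.split(",") if f.strip()]
    for depth in (2, 1, 0):
        same_line = [f for f in fixes if f[:depth] == inst[:depth]]
        if same_line:
            return inst >= min(same_line)
    return False  # no fixed version listed at all: treat as not patched


def triage(findings, npm_inv, dotnet_inv):
    """VulnerabilityID -> 'not-present' | 'patched' | 'vulnerable'."""
    out = {}
    for f in findings:
        inv = npm_inv if f["Inventory"] == "npm" else dotnet_inv
        versions = inv.get(f["PkgName"]) or set()
        if not versions:
            out[f["VulnerabilityID"]] = "not-present"
        elif all(is_patched(v, f["FixedVersion"]) for v in versions):
            out[f["VulnerabilityID"]] = "patched"
        else:
            out[f["VulnerabilityID"]] = "vulnerable"
    return out


def triage_samples():
    return triage(FINDINGS,
                  npm_lock_inventory(json.loads(SAMPLE_PACKAGE_LOCK)),
                  deps_json_inventory(json.loads(SAMPLE_DEPS_JSON)))


if __name__ == "__main__":
    for cve, status in triage_samples().items():
        print(f"{cve}: {status}")
```

On the constructed inputs the four npm CVEs come out as `not-present` or, for minimatch at 3.1.2 against a 3.0.5 fix, `patched`, while the two .NET libraries at 4.3.0 come out `vulnerable`, which is the split the comments above describe. To run it against a real image, extract `package-lock.json` and the `*.deps.json` files from the container and pass them to the inventory functions in place of the samples.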
I can't believe this is still an issue