
Potential vulnerability in Postgres CVE-2023-45853 zlib

Open · ohadpinch opened this issue 1 year ago · 1 comment

Name and Version

bitnami/postgresql

What architecture are you using?

None

What steps will reproduce the bug?

During a recent scan of several images, I identified a potential vulnerability, CVE-2023-45853, which affects zlib versions up to 1.3. I would appreciate it if you could verify whether this vulnerability impacts the following images:

bitnami/postgresql:15.5.0-debian-11-r15
bitnami/postgresql-repmgr:16.2.0-debian-12-r4
bitnami/pgpool:4.5.0-debian-12-r9
bitnami/postgres-exporter:0.15.0-debian-11-r3

Thanks, Ohad

ohadpinch avatar May 02 '24 14:05 ohadpinch

I understand your concern regarding security vulnerabilities. While we regularly update our images with the latest system packages, certain CVEs may persist until they are patched in either the OS or the application. You can learn more about our CVE policy here.

This vulnerability is not fixed by the OS; you can check that by using the --ignore-unfixed flag in the scanner:

$ trivy image bitnami/postgresql:15.5.0-debian-11-r15 --ignore-unfixed | grep '2023-45853'
2024-05-03T09:08:46.890+0200	INFO	Vulnerability scanning is enabled
2024-05-03T09:08:46.890+0200	INFO	Secret scanning is enabled
2024-05-03T09:08:46.890+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-03T09:08:46.890+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-05-03T09:08:48.849+0200	INFO	Detected OS: debian
2024-05-03T09:08:48.849+0200	INFO	Detecting Debian vulnerabilities...
2024-05-03T09:08:48.866+0200	INFO	Number of language-specific files: 2
2024-05-03T09:08:48.866+0200	INFO	Detecting bitnami vulnerabilities...
2024-05-03T09:08:48.868+0200	INFO	Detecting jar vulnerabilities...

VS

$ trivy image bitnami/postgresql:15.5.0-debian-11-r15 | grep '2023-45853'
2024-05-03T09:09:07.941+0200	INFO	Vulnerability scanning is enabled
2024-05-03T09:09:07.942+0200	INFO	Secret scanning is enabled
2024-05-03T09:09:07.942+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-03T09:09:07.942+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-05-03T09:09:09.380+0200	INFO	Detected OS: debian
2024-05-03T09:09:09.380+0200	INFO	Detecting Debian vulnerabilities...
2024-05-03T09:09:09.400+0200	INFO	Number of language-specific files: 2
2024-05-03T09:09:09.400+0200	INFO	Detecting bitnami vulnerabilities...
2024-05-03T09:09:09.401+0200	INFO	Detecting jar vulnerabilities...
│ zlib1g             │ CVE-2023-45853      │ CRITICAL │ will_not_fix │ 1:1.2.11.dfsg-2+deb11u2 │                     │ zlib: integer overflow and resultant heap-based buffer       │
│                    │                     │          │              │                         │                     │ https://avd.aquasec.com/nvd/cve-2023-45853                   │

If you have any further questions, feel free to ask.

carrodher avatar May 03 '24 07:05 carrodher
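The reply above shows the practical distinction --ignore-unfixed draws: a finding that the distribution has marked will_not_fix (or that has no fixed version at all) cannot be removed by rebuilding the image, so it needs a risk decision rather than a package bump. The script below is an added example, not code from the bitnami/containers project or from anyone in this thread. It triages a Trivy JSON report into "fix available" and "unfixed" findings and looks up the status of a single CVE. It assumes the Trivy JSON layout (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Status), and the embedded report is constructed: only the zlib1g row mirrors the table row quoted above, the second entry is a placeholder.

```python
"""Triage a Trivy JSON report by fix availability.

Added example, not part of the bitnami/containers issue thread.
Assumes the Trivy JSON schema: Results[].Vulnerabilities[] with the
fields VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Status.
"""
import json

# Constructed sample report. The zlib1g entry mirrors the finding quoted in
# the thread; the second entry is a placeholder with a fix available.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "bitnami/postgresql:15.5.0-debian-11-r15",
    "Results": [
        {
            "Target": "bitnami/postgresql:15.5.0-debian-11-r15 (debian 11)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "CVE-2023-45853",
                    "PkgName": "zlib1g",
                    "InstalledVersion": "1:1.2.11.dfsg-2+deb11u2",
                    "FixedVersion": "",
                    "Status": "will_not_fix",
                    "Severity": "CRITICAL",
                },
                {
                    # Placeholder identifier, constructed for this example.
                    "VulnerabilityID": "CVE-EXAMPLE-0001",
                    "PkgName": "libexample1",
                    "InstalledVersion": "1.0-1",
                    "FixedVersion": "1.0-2",
                    "Status": "fixed",
                    "Severity": "HIGH",
                },
            ],
        }
    ],
})


def iter_findings(report_json):
    """Yield every vulnerability dict in a Trivy JSON report."""
    report = json.loads(report_json)
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities", []) or []:
            yield vuln


def is_unfixed(vuln):
    """Approximate what --ignore-unfixed filters out: no fixed version
    published by the distribution (Status such as will_not_fix or affected)."""
    return not vuln.get("FixedVersion")


def triage(report_json):
    """Split findings into those a rebuild can remove and those it cannot.

    Returns {"actionable": [(id, pkg, fixed_version)],
             "unfixed":    [(id, pkg, status)]}.
    """
    actionable, unfixed = [], []
    for vuln in iter_findings(report_json):
        cve = vuln["VulnerabilityID"]
        pkg = vuln.get("PkgName", "?")
        if is_unfixed(vuln):
            unfixed.append((cve, pkg, vuln.get("Status", "unknown")))
        else:
            actionable.append((cve, pkg, vuln["FixedVersion"]))
    return {"actionable": actionable, "unfixed": unfixed}


def fix_status(report_json, cve_id):
    """Return the Status string for one CVE, or None if it is not reported."""
    for vuln in iter_findings(report_json):
        if vuln["VulnerabilityID"] == cve_id:
            return vuln.get("Status")
    return None


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Rebuild removes:", result["actionable"])
    print("Needs a risk decision:", result["unfixed"])
    print("CVE-2023-45853 status:", fix_status(SAMPLE_REPORT, "CVE-2023-45853"))
```

To run this against a real image, produce the report with `trivy image --format json -o report.json <image>` and pass the file contents to `triage`; the "unfixed" list is exactly the set that --ignore-unfixed would hide, which is the set that should be tracked as accepted or mitigated risk rather than waiting on a rebuild.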

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] avatar May 19 '24 01:05 github-actions[bot]

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

github-actions[bot] avatar May 25 '24 01:05 github-actions[bot]