Python vulnerabilities in ubuntu images

[redbmk]

During a security audit on some images we're using, some packages got flagged as high and critical. I'm looking specifically at kasmweb/firefox:1.13.1 but a lot are coming from the base, core-ubuntu-focal, so this likely applies to quite a few images.

❯ docker scout quickview kasmweb/firefox:1.13.1
    ✓ SBOM of image already cached, 1577 packages indexed

  Your image  kasmweb/firefox:1.13.1            │    1C     8H   134M   100L     1?   
  Base image  kasmweb/core-ubuntu-focal:1.13.1  │                                     

What's Next?
  Learn more about vulnerabilities → docker scout cves kasmweb/firefox:1.13.1
  
❯ docker scout quickview kasmweb/firefox:1.13.1-rolling
    ✓ SBOM of image already cached, 1577 packages indexed

  Your image  kasmweb/firefox:1.13.1-rolling            │    1C     8H    80M    86L     1?   
  Base image  kasmweb/core-ubuntu-focal:1.13.1-rolling  │                                     

What's Next?
  Learn more about vulnerabilities → docker scout cves kasmweb/firefox:1.13.1-rolling

Most of these are fixed in the -rolling version, (especially CVEs that have a fix) but there are still a few left over that seem to be coming from some python packages. I haven't been able to track down where they're getting installed.

(just showing the overview for brevity)

❯ docker scout cves --only-fixed kasmweb/firefox:1.13.1-rolling
    ✓ SBOM of image already cached, 1577 packages indexed
    ✗ Detected 9 vulnerable packages with a total of 20 vulnerabilities


## Overview

                    │           Analyzed Image            
────────────────────┼─────────────────────────────────────
  Image reference   │  kasmweb/firefox:1.13.1-rolling     
                    │  8ff7203e0654                       
    platform        │ linux/amd64                         
    vulnerabilities │    1C     8H     6M     4L     1?   
    size            │ 2.7 GB                              
    packages        │ 1577                                

and a little more detail on which package have issues:

❯ docker scout cves --only-fixed kasmweb/firefox:1.13.1-rolling | grep pkg:
    ✓ SBOM of image already cached, 1577 packages indexed
    ✗ Detected 9 vulnerable packages with a total of 20 vulnerabilities
pkg:pypi/[email protected]
pkg:pypi/[email protected]
pkg:pypi/[email protected]
pkg:pypi/[email protected]
pkg:pypi/[email protected]
pkg:pypi/[email protected]
pkg:pypi/[email protected]
pkg:deb/ubuntu/[email protected]~dfsg-5ubuntu4.8?os_distro=focal&os_name=ubuntu&os_version=20.04
pkg:pypi/[email protected]

[redbmk]

I tried creating a new docker image with root access to play around with it (e.g. install pip to do a pip freeze and see what's in there). One thing I noticed when running apt update was that a bunch of packages, including many of the ones that are listed as vulnerable (e.g. python3-oauthlib), say they're no longer needed:

The following packages were automatically installed and are no longer required:
  ...a bunch more lines
  plymouth-theme-ubuntu-text poppler-data poppler-utils ppp pptp-linux pulseaudio pulseaudio-module-bluetooth pulseaudio-utils python3-apport python3-aptdaemon python3-blinker python3-cairo python3-cffi-backend
  python3-cryptography python3-cups python3-cupshelpers python3-defer python3-distro python3-entrypoints python3-httplib2 python3-ibus-1.0 python3-jwt python3-keyring python3-launchpadlib python3-lazr.restfulclient
  python3-lazr.uri python3-ldb python3-macaroonbakery python3-nacl python3-oauthlib python3-problem-report python3-protobuf python3-psutil python3-pymacaroons python3-rfc3339 python3-secretstorage python3-simplejson
  python3-systemd python3-talloc python3-tz python3-wadllib python3-xdg rtkit rygel samba-libs sane-utils session-migration sgml-base sgml-data switcheroo-control system-config-printer-udev tango-icon-theme thunar
  thunar-data thunar-volman tumbler tumbler-common ubuntu-touch-sounds ubuntu-wallpapers ubuntu-wallpapers-focal udev udisks2 unity-greeter unity-gtk-module-common unity-gtk2-module unity-gtk3-module unity-settings-daemon
  unity-settings-daemon-schemas unzip update-inetd upower usb-modeswitch usb-modeswitch-data usb.ids usbmuxd wamerican whoopsie-preferences wireless-regdb wpasupplicant x11-apps x11-session-utils x11-xserver-utils
  xdg-dbus-proxy xfce4-appfinder xfce4-notifyd xfce4-pulseaudio-plugin xfce4-session xfce4-settings xfdesktop4 xfdesktop4-data xfonts-base xfonts-encodings xfonts-scalable xfonts-utils xfwm4 xiccd xinit xinput xml-core
  xorg xorg-docs-core xserver-common xserver-xephyr xserver-xorg xserver-xorg-core xserver-xorg-input-all xserver-xorg-input-libinput xserver-xorg-input-wacom xserver-xorg-legacy xserver-xorg-video-all
  xserver-xorg-video-amdgpu xserver-xorg-video-ati xserver-xorg-video-fbdev xserver-xorg-video-intel xserver-xorg-video-nouveau xserver-xorg-video-qxl xserver-xorg-video-radeon xserver-xorg-video-vesa
  xserver-xorg-video-vmware xwayland yaru-theme-gnome-shell yelp-xsl zenity-common
Use 'apt autoremove' to remove them.

At least from an audit perspective, this seems to get rid of all but 3 of the fixable ones:

FROM kasmweb/firefox:1.13.1-rolling

USER root

RUN apt-get update && apt-get autoremove -y

USER 1000

I tried updating the python3-{package} packages (certifi, requests, and urllib3), but it didn't help. I think we would need to use a newer base image of ubuntu to get the latest packages

❯ docker scout cves temp --only-fixed
INFO New version 0.22.3 available (installed version is 0.20.0)
    ✓ SBOM of image already cached, 979 packages indexed
    ✗ Detected 3 vulnerable packages with a total of 5 vulnerabilities

   0C     1H     1M     0L  urllib3 1.25.8
pkg:pypi/[email protected]

    ✗ HIGH CVE-2021-33503 [Uncontrolled Resource Consumption]
      https://scout.docker.com/v/CVE-2021-33503
      Affected range : >=1.25.4                                      
                     : <1.26.5                                       
      Fixed version  : 1.26.5                                        
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  
    
    ✗ MEDIUM CVE-2020-26137 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')]
      https://scout.docker.com/v/CVE-2020-26137
      Affected range : <1.25.9                                       
      Fixed version  : 1.25.9                                        
      CVSS Score     : 6.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N  
    

   0C     1H     1M     0L  certifi 2019.11.28
pkg:pypi/[email protected]

    ✗ HIGH CVE-2023-37920 [Insufficient Verification of Data Authenticity]
      https://scout.docker.com/v/CVE-2023-37920
      Affected range : >=2015.4.28                                   
                     : <2023.7.22                                    
      Fixed version  : 2023.7.22                                     
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N  
    
    ✗ MEDIUM CVE-2022-23491 [Insufficient Verification of Data Authenticity]
      https://scout.docker.com/v/CVE-2022-23491
      Affected range : >=2017.11.05                                  
                     : <2022.12.07                                   
      Fixed version  : 2022.12.07                                    
      CVSS Score     : 6.8                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N  
    

   0C     0H     1M     0L  requests 2.22.0
pkg:pypi/[email protected]

    ✗ MEDIUM CVE-2023-32681 [Exposure of Sensitive Information to an Unauthorized Actor]
      https://scout.docker.com/v/CVE-2023-32681
      Affected range : >=2.3.0                                       
                     : <2.31.0                                       
      Fixed version  : 2.31.0                                        
      CVSS Score     : 6.1                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N  
    


5 vulnerabilities found in 3 packages
  LOW       0  
  MEDIUM    3  
  HIGH      2  
  CRITICAL  0  

I haven't tested this out yet though, so I'm not sure how accurate that is that they're no longer required. There are a few things mentioning xserver, which seems like it might be needed for kasm.

[thelamer]

We pin our release tags, so just like you saw you would want to use the rolling or even the develop tags if you are looking for the newest system level packages.

As for deps for single app images we rip out some stuff after the installation is complete here:
https://github.com/kasmtech/workspaces-images/blob/develop/dockerfile-kasm-firefox#L22

How Ubuntu meta packages work that means the system thinks those packages are not needed anymore but definitely are.

In general once a single app image is cut people are not really supposed to be playing around with it, building it from core up will always be your best bet.

[redbmk]

OK yeah the image won't boot up after that.

Doing a much less invasive update of packages, here the container still seems to work. I tried to just update vulnerable python packages to a non-vulnerable version if it's a non-breaking change:

FROM kasmweb/firefox:1.13.1-rolling

USER root

RUN apt-get update && \
  apt-get install -y python3-pip && pip install --upgrade pip && apt-get remove -y python3-pip

RUN pip install --upgrade setuptools wheel certifi

RUN apt-get remove -y \
    python3-pip python3-wheel python3-setuptools python3-certifi \
    python3-oauthlib python3-requests python3-psutil python3-urllib3 python3-protobuf

RUN cp $(python3 -c 'import certifi; print(certifi.where())') /etc/ssl/certs/ca-certificates.crt

RUN pip install --upgrade oauthlib~=3.2 requests~=2.31 psutil~=5.9 urllib3~=1.26 protobuf~=3.20

USER 1000

And then testing with this, I'm still able to boot up the container and see firefox without any issues

❯ docker run -it --rm -e VNCOPTIONS='-disableBasicAuth' -p 6901:6901 temp

This doesn't fix everything, and cryptography especially has a lot of issues, but gets it down to 12 vulnerabilities

❯ docker scout cves temp --only-fixed
INFO New version 0.22.3 available (installed version is 0.20.0)
    ✓ Image stored for indexing
    ✓ Indexed 1600 packages
    ✗ Detected 4 vulnerable packages with a total of 12 vulnerabilities

  1C     2H     2M     2L     1?  cryptography 2.8
pkg:pypi/[email protected]

    ✗ CRITICAL CVE-2020-36242 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/CVE-2020-36242
      Affected range : <3.3.2                                        
      Fixed version  : 3.3.2                                         
      CVSS Score     : 9.1                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H  
    
    ✗ HIGH CVE-2023-38325
      https://scout.docker.com/v/CVE-2023-38325
      Affected range : <41.0.2  
      Fixed version  : 41.0.2   
    
    ✗ HIGH CVE-2023-0286 [Access of Resource Using Incompatible Type ('Type Confusion')]
      https://scout.docker.com/v/CVE-2023-0286
      Affected range : >=0.8.1                                       
                    : <39.0.1                                       
      Fixed version  : 39.0.1                                        
      CVSS Score     : 7.4                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H  
    
    ✗ MEDIUM CVE-2023-23931 [Improper Check for Unusual or Exceptional Conditions]
      https://scout.docker.com/v/CVE-2023-23931
      Affected range : >=1.8                                         
                    : <39.0.1                                       
      Fixed version  : 39.0.1                                        
      CVSS Score     : 6.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L  
    
    ✗ MEDIUM CVE-2020-25659 [Covert Timing Channel]
      https://scout.docker.com/v/CVE-2020-25659
      Affected range : <3.2                                          
      Fixed version  : 3.2                                           
      CVSS Score     : 5.9                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N  
    
    ✗ LOW GHSA-jm77-qphf-c4w8
      https://scout.docker.com/v/GHSA-jm77-qphf-c4w8
      Affected range : >=0.8    
                    : <41.0.3  
      Fixed version  : 41.0.3   
    
    ✗ LOW GHSA-5cpq-8wj7-hf2v
      https://scout.docker.com/v/GHSA-5cpq-8wj7-hf2v
      Affected range : >=0.5     
                    : <=40.0.2  
      Fixed version  : 41.0.0    
    
    ✗ UNSPECIFIED GMS-2023-1778 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/GMS-2023-1778
      Affected range : >=0.5     
                    : <=40.0.2  
      Fixed version  : 41.0.0    
    

  0C     1H     0M     0L  pyjwt 1.7.1
pkg:pypi/[email protected]

    ✗ HIGH CVE-2022-29217 [Use of a Broken or Risky Cryptographic Algorithm]
      https://scout.docker.com/v/CVE-2022-29217
      Affected range : >=1.5.0                                       
                    : <2.4.0                                        
      Fixed version  : 2.4.0                                         
      CVSS Score     : 7.4                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N  
    

  0C     0H     1M     0L  ghostscript 9.50~dfsg-5ubuntu4.8
pkg:deb/ubuntu/[email protected]~dfsg-5ubuntu4.8?os_distro=focal&os_name=ubuntu&os_version=20.04

    ✗ MEDIUM CVE-2023-38559
      https://scout.docker.com/v/CVE-2023-38559
      Affected range : <9.50~dfsg-5ubuntu4.9                         
      Fixed version  : 9.50~dfsg-5ubuntu4.9                          
      CVSS Score     : 5.5                                           
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  
    

  0C     0H     0M     2L  httplib2 0.14.0
pkg:pypi/[email protected]

    ✗ LOW CVE-2020-11078 [Improper Neutralization of CRLF Sequences ('CRLF Injection')]
      https://scout.docker.com/v/CVE-2020-11078
      Affected range : <0.18.0                                       
      Fixed version  : 0.18.0                                        
      CVSS Score     : 6.8                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N  
    
    ✗ LOW CVE-2021-21240 [Uncontrolled Resource Consumption]
      https://scout.docker.com/v/CVE-2021-21240
      Affected range : <0.19.0  
      Fixed version  : 0.19.0   
    


12 vulnerabilities found in 4 packages
  UNSPECIFIED  1  
  LOW          4  
  MEDIUM       3  
  HIGH         3  
  CRITICAL     1  

[redbmk]

In general once a single app image is cut people are not really supposed to be playing around with it, building it from core up will always be your best bet.

Where are all those packages installed? I would think for anything using python it would make sense to just install python and pip, and then install everything from there using pip or some package manager like pipenv or poetry, etc.

To fix the cryptography issue, whatever's using it would need to deal with the breaking changes, but I haven't figured out where the python code is that's using it. Maybe there's something installed via apt-get that relies on system versions of python3-*?

[thelamer]

They would be deps and would be ingested using apt. You can look over the core image here:
https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core
This would be based on Focal.

[thelamer]

If you are actually trying to pass a security audit using Ubuntu is pointless, you would want to base the image off the Alpine 3.18 Baseimage: https://github.com/kasmtech/workspaces-images/blob/develop/src/alpine/install/firefox/install_firefox.sh
Or Fedora 38 if you need GLIBC