2.8.13
Important
MSR 2.8.13 is the final patch release for MSR 2.8.x, as that version of the software reached end-of-life (EOL) status on 2022-05-27. Correspondingly, Mirantis has halted maintenance of the MSR 2.8.x documentation set.
(2022-06-22)
Bug fixes
(FIELD-4718) Fixed a pagination issue in the MSR API GET /api/v0/imagescan/scansummary/cve/{cve} endpoint. The fix requires that you upgrade MSR to 2.8.13 and that you take certain manual steps using the database CLI (contact Mirantis Support for the steps). Note that the manual CLI steps are not required for fresh MSR installations.
(ENGDTR-3184) Fixed an issue wherein Ubuntu 22.04-based images could not be successfully scanned for vulnerabilities.
Security
Resolved CVEs, as detailed:
CVE | Status | Description
---|---|---
 | Resolved | Prior to 1.2.12, zlib allows memory corruption when deflating when the input has many distant matches.
 | Resolved | BusyBox up through version 1.35.0 allows remote attackers to execute arbitrary code when netstat is used to print the value of a DNS PTR record to a VT-compatible terminal. Alternatively, attackers can choose to change the colors of the terminal.
 | Resolved | Prior to 1.9.10, GORM permits SQL injection through incomplete parentheses. Note that misusing GORM by passing untrusted user input when GORM expects trusted SQL fragments is not a vulnerability in GORM but in the application.
 | Resolved/False Positive | Prior to 4.0.0-preview1, jwt-go allows attackers to bypass intended access restrictions in situations with
 | Resolved | A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 in which containers launched through containerd's CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host.
 | Not Vulnerable | The CVE is present in the JobRunner image; however, while it is a required dependency of a component running in JobRunner, its functionality is never exercised. In OpenLDAP 2.x prior to 2.5.12 and in 2.6.x prior to 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.
 | False Positive | Though Alpine Linux contains the affected OpenSSL version, the The
 | False Positive | All CVEs reported in NumPy are false positives, the result of being picked up from cache but for a version not in use with MSR. NumPy 1.16.0 and earlier use the pickle Python module in an unsafe manner that allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a
All CVEs reported in OpenJDK 1.8.0u302 have been resolved by removal of the component.
All CVEs reported in NumPy are false positives, the result of being picked up from cache but for a version not in use with MSR.
Upgraded Synopsys scanner to version 2022.3.1.