2.9.8

(2022-06-22)

What’s New

  • Upgraded Synopsys scanner to version 2022.3.1.

Bug fixes

  • (FIELD-4718) Fixed a pagination issue in the MSR API GET /api/v0/imagescan/scansummary/cve/{cve} endpoint. The fix requires that you upgrade MSR to 2.9.8 and that you take certain manual steps using the database CLI (contact Mirantis Support for the steps). Note that the manual CLI steps are not required for fresh MSR installations.

  • (ENGDTR-3184) Fixed an issue wherein Ubuntu 22.04-based images could not be successfully scanned for vulnerabilities.

Security

  • All CVEs reported in OpenJDK 1.8.0u302 have been resolved by removal of the component.

  • All CVEs reported in NumPy are false positives, the result of being picked up from cache but for a version not in use with MSR.

  • Resolved CVEs, as detailed (CVE, status, description):

    CVE-2018-25032 (Resolved): Prior to 1.2.12, zlib allows memory corruption when deflating when the input has many distant matches.

    CVE-2022-28391 (Resolved): BusyBox up through version 1.35.0 allows remote attackers to execute arbitrary code when netstat is used to print the value of a DNS PTR record to a VT-compatible terminal. Alternatively, attackers can choose to change the colors of the terminal.

    CVE-2019-15562 (Resolved): Prior to 1.9.10, GORM permits SQL injection through incomplete parentheses. Note that misusing GORM by passing untrusted user input when GORM expects trusted SQL fragments is not a vulnerability in GORM but in the application.

    CVE-2022-23648 (Resolved): A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 in which containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host.

    CVE-2022-29155 (Not Vulnerable): The CVE is present in the JobRunner image; however, while it is a required dependency of a component running in JobRunner, its functionality is never exercised. In OpenLDAP 2.x prior to 2.5.12 and in 2.6.x prior to 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.

    CVE-2022-1292 (False Positive): Though Alpine Linux contains the affected OpenSSL version, the c_rehash script has been replaced by a C binary. The c_rehash script does not properly sanitize shell metacharacters to prevent command injection. Some operating systems distribute this script in a manner in which it is automatically executed, in which case attackers can execute arbitrary commands with the privileges of the script. Use of this script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. The vulnerability is fixed in OpenSSL 3.0.3, OpenSSL 1.1.1o, and in OpenSSL 1.0.2ze.

    CVE-2019-6446 (False Positive): NumPy 1.16.0 and earlier use the pickle Python module in an unsafe manner that allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. Note that third parties dispute the issue as, for example, it is a behavior that can have legitimate applications in loading serialized Python object arrays from trusted and authenticated sources.
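The pickle path described in the CVE-2019-6446 entry can be closed off before a file ever reaches numpy.load: an .npy header declares the array dtype, and only object ('O') dtypes are serialized with pickle (a file with no .npy magic at all is treated by numpy.load as a raw pickle stream). The following Python helper is an example added to these notes, not MSR or NumPy code; it parses the .npy header with ast.literal_eval, without importing numpy, and refuses any file that would need pickle. The sample .npy byte strings are constructed inline.

```python
"""Refuse .npy files that numpy.load would have to unpickle.

np.load deserializes object-dtype arrays with pickle, and treats any file
without the .npy magic as a raw pickle stream; both are the unsafe path in
CVE-2019-6446. This helper parses the .npy header (which declares the dtype)
without importing numpy and rejects anything that would need pickle.
Example added to these release notes; it is not MSR or NumPy code.
"""
import ast
import pickle
import struct

NPY_MAGIC = b"\x93NUMPY"


def parse_npy_header(data: bytes) -> dict:
    """Return the header dict of an .npy byte string (format 1.0, 2.0 or 3.0)."""
    if len(data) < 12 or not data.startswith(NPY_MAGIC):
        raise ValueError("not an .npy file: missing magic or truncated")
    major, minor = data[6], data[7]
    if major == 1:                      # v1.0: little-endian uint16 header length
        (hlen,) = struct.unpack("<H", data[8:10])
        start = 10
    elif major in (2, 3):               # v2.0/3.0: little-endian uint32 header length
        (hlen,) = struct.unpack("<I", data[8:12])
        start = 12
    else:
        raise ValueError(f"unsupported .npy format version {major}.{minor}")
    header = data[start:start + hlen].decode("latin-1")
    try:
        # literal_eval accepts only Python literals: no code runs, unlike eval/pickle.
        parsed = ast.literal_eval(header)
    except (SyntaxError, ValueError) as exc:
        raise ValueError(f"malformed .npy header: {exc}") from None
    if not isinstance(parsed, dict) or "descr" not in parsed:
        raise ValueError("malformed .npy header: not a dict with 'descr'")
    return parsed


def descr_uses_object(descr) -> bool:
    """True if a dtype descriptor contains an object ('O') field.

    Plain dtypes are strings such as '<f8' or '|O'; structured dtypes are lists
    of (name, format[, shape]) tuples, possibly nested, so recurse on the format.
    """
    if isinstance(descr, str):
        return descr.lstrip("<>|=").startswith("O")
    if isinstance(descr, tuple):
        return len(descr) >= 2 and descr_uses_object(descr[1])
    if isinstance(descr, list):
        return any(descr_uses_object(item) for item in descr)
    return False


def check_npy(data: bytes) -> str:
    """Return 'ok' if the file loads with allow_pickle=False, else 'reject: ...'."""
    try:
        header = parse_npy_header(data)
    except ValueError as exc:
        return f"reject: {exc}"
    if descr_uses_object(header["descr"]):
        return "reject: object dtype would be unpickled"
    return "ok"


def build_npy_v1(descr, shape, payload: bytes) -> bytes:
    """Build a format-1.0 .npy byte string (constructed fixture for this demo)."""
    header = f"{{'descr': {descr!r}, 'fortran_order': False, 'shape': {shape!r}, }}"
    pad = (64 - (len(NPY_MAGIC) + 4 + len(header) + 1) % 64) % 64  # preamble % 64 == 0
    header = header + " " * pad + "\n"
    return (NPY_MAGIC + bytes([1, 0]) + struct.pack("<H", len(header))
            + header.encode("latin-1") + payload)


# Constructed sample files: a plain float array, an object array whose data
# section is a pickle stream, a structured array with an object field, and a
# bare pickle stream with no .npy magic at all.
SAFE_FILE = build_npy_v1("<f8", (3,), struct.pack("<3d", 1.0, 2.0, 3.0))
OBJECT_FILE = build_npy_v1("|O", (1,), pickle.dumps(["constructed object payload"]))
STRUCTURED_FILE = build_npy_v1([("id", "<i4"), ("blob", "|O")], (1,), b"")
RAW_PICKLE = pickle.dumps({"constructed": True})

if __name__ == "__main__":
    for name, blob in [("safe", SAFE_FILE), ("object", OBJECT_FILE),
                       ("structured", STRUCTURED_FILE), ("raw pickle", RAW_PICKLE)]:
        print(f"{name:>11}: {check_npy(blob)}")
```

This check belongs in front of the loader (for example, on files received from an untrusted source before they are handed to a worker), and it complements rather than replaces passing allow_pickle=False to numpy.load, which later NumPy versions enforce by default; the file-level check simply reports the refusal with the reason instead of failing inside the loader.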