2.9.8 (2022-06-22)
Enhancements
Upgraded Synopsys scanner to version 2022.3.1.
Addressed issues
(FIELD-4718) Fixed a pagination issue in the MSR API GET /api/v0/imagescan/scansummary/cve/{cve} endpoint. The fix requires that you upgrade MSR to 2.9.8 and that you take certain manual steps using the database CLI (contact Mirantis Support for the steps). Note that the manual CLI steps are not required for fresh MSR installations.

(ENGDTR-3184) Fixed an issue wherein Ubuntu 22.04-based images could not be successfully scanned for vulnerabilities.
Security information
All CVEs reported in OpenJDK 1.8.0u302 have been resolved by removal of the component.
All CVEs reported in NumPy are false positives: the scanner picked up a cached NumPy version that MSR does not actually use.
Reported CVEs, with their status and a description of each:

Status: Resolved
Description: Prior to 1.2.12, zlib allows memory corruption when deflating (compressing) input that contains many distant matches.

Status: Resolved
Description: BusyBox up through version 1.35.0 allows remote attackers to execute arbitrary code when netstat is used to print the value of a DNS PTR record to a VT-compatible terminal. Alternatively, attackers can choose to change the colors of the terminal.

Status: Resolved
Description: Prior to 1.9.10, GORM permits SQL injection through incomplete parentheses. Note that misusing GORM by passing untrusted user input where GORM expects trusted SQL fragments is not a vulnerability in GORM but in the application.

Status: Resolved
Description: A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.4.12 in which containers launched through containerd’s CRI implementation on Linux with a specially crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host.

Status: Not Vulnerable. The affected component is present in the JobRunner image; although it is a required dependency of a component running in JobRunner, its functionality is never exercised.
Description: In OpenLDAP 2.x prior to 2.5.12 and in 2.6.x prior to 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.

Status: False Positive. Although Alpine Linux contains the affected OpenSSL version, the c_rehash script has been replaced by a C binary.
Description: The c_rehash script does not properly sanitize shell metacharacters to prevent command injection. Some operating systems distribute this script in a manner in which it is automatically executed, in which case attackers can execute arbitrary commands with the privileges of the script. Use of this script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. The vulnerability is fixed in OpenSSL 3.0.3, OpenSSL 1.1.1o, and OpenSSL 1.0.2ze.

Status: False Positive. See the note on NumPy above: the flagged version comes from cache and is not in use with MSR.
Description: NumPy 1.16.0 and earlier use the pickle Python module in an unsafe manner that allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. Note that third parties dispute the issue as, for example, it is a behavior that can have legitimate applications in loading serialized Python object arrays from trusted and authenticated sources.
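The c_rehash false-positive call above rests on the file shipped in the image being a native binary rather than the vulnerable interpreted script. The shell functions below are an added example, not part of these release notes or of MSR itself: they classify a c_rehash file by its first four bytes (ELF magic versus a "#!" shebang) so the claim can be checked against an unpacked image filesystem. The candidate paths, the root-directory argument and the sample files the demo constructs are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the MSR release notes: classify a c_rehash file as a
# native ELF binary ("elf"), an interpreted script ("script"), absent ("missing")
# or something else ("unknown") by inspecting its first four bytes.
rehash_kind() {
  path="$1"
  if [ ! -f "$path" ]; then
    echo "missing"
    return 0
  fi
  # od -c renders 0x7f as the octal escape 177, so an ELF header reads "177ELF"
  # once the spacing is stripped; a script starts with the "#!" shebang.
  magic=$(head -c 4 "$path" | od -A n -c | tr -d ' \n')
  case "$magic" in
    177ELF) echo "elf" ;;
    '#!'*)  echo "script" ;;
    *)      echo "unknown" ;;
  esac
}

# Check the usual install locations under a filesystem root (assumed paths;
# the root defaults to /). Prints one line per candidate and returns 1 if
# any candidate is still a script, so the result can gate a pipeline step.
check_rehash_root() {
  root="${1:-/}"
  found_script=0
  for p in usr/bin/c_rehash usr/local/bin/c_rehash; do
    kind=$(rehash_kind "$root/$p")
    echo "$root/$p: $kind"
    [ "$kind" = "script" ] && found_script=1
  done
  return $found_script
}

# Constructed samples (not taken from any real image) showing both outcomes:
# a fake ELF header in one location and a Perl-style script in the other.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/usr/bin" "$d/usr/local/bin"
  printf '\177ELF\002\001\001' > "$d/usr/bin/c_rehash"
  printf '#!/usr/bin/perl\nprint "rehash";\n' > "$d/usr/local/bin/c_rehash"
  check_rehash_root "$d" || echo "vulnerable c_rehash script present"
  rm -rf "$d"
}
```

To run the check against a real image rather than the constructed samples, export the image filesystem (for example with docker create followed by docker export, then untar it) and pass the extracted directory as the root argument; an "elf" result for every candidate path is what the false-positive reasoning above requires.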