
CVE vulnerabilities of latest docker #407

Closed
556u5ut opened this issue Apr 30, 2020 · 5 comments
Labels
question Usability question, not directly related to an error with the image

Comments


556u5ut commented Apr 30, 2020

Scanned rabbitmq:latest and there are many vulnerabilities found.

Describe the results you received:
CVE-2009-5155
CVE-2009-5155
CVE-2019-6488
CVE-2019-6488
CVE-2019-9169
CVE-2019-9169
CVE-2018-20796
CVE-2018-20796
CVE-2019-9192
CVE-2019-9192
CVE-2019-3829
CVE-2018-6829
CVE-2018-6829
CVE-2018-1122
CVE-2018-1122
CVE-2018-1122
CVE-2018-1122
CVE-2018-1122
CVE-2018-1122
CVE-2018-1122
CVE-2018-1122
CVE-2018-1122
CVE-2018-1122
CVE-2018-1122
CVE-2018-1122
CVE-2018-1122
CVE-2018-1122
CVE-2018-1122
CVE-2018-1126
CVE-2018-1126
CVE-2018-1126
CVE-2018-1126
CVE-2018-1126
CVE-2018-1126
CVE-2018-1126
CVE-2018-1126
CVE-2018-1126
CVE-2018-1126
CVE-2018-1126
CVE-2018-1126
CVE-2018-1126
CVE-2018-1126
CVE-2018-1126
CVE-2018-1124
CVE-2018-1124
CVE-2018-1124
CVE-2018-1124
CVE-2018-1124
CVE-2018-1124
CVE-2018-1124
CVE-2018-1124
CVE-2018-1124
CVE-2018-1124
CVE-2018-1124
CVE-2018-1124
CVE-2018-1124
CVE-2018-1124
CVE-2018-1124
CVE-2018-1125
CVE-2018-1125
CVE-2018-1125
CVE-2018-1125
CVE-2018-1125
CVE-2018-1125
CVE-2018-1125
CVE-2018-1125
CVE-2018-1125
CVE-2018-1125
CVE-2018-1125
CVE-2018-1125
CVE-2018-1125
CVE-2018-1125
CVE-2018-1125
CVE-2018-1123
CVE-2018-1123
CVE-2018-1123
CVE-2018-1123
CVE-2018-1123
CVE-2018-1123
CVE-2018-1123
CVE-2018-1123
CVE-2018-1123
CVE-2018-1123
CVE-2018-1123
CVE-2018-1123
CVE-2018-1123
CVE-2018-1123
CVE-2018-1123
CVE-2018-16865
CVE-2018-16865
CVE-2018-16864
CVE-2018-16864
CVE-2018-15688
CVE-2018-15688
CVE-2019-3842
CVE-2019-3842
CVE-2019-3844
CVE-2019-3844
CVE-2019-3843
CVE-2019-3843
CVE-2019-9923

Describe the results you expected:
I don't know which version will solve these problems in the future. I wonder if there is such a plan?

Version:
rabbitmq:latest (3.8.3)

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Apr 30, 2020
@wglambert

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves
And docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

$ docker run -it --rm rabbitmq bash

root@929695a5455d:/# apt update && apt upgrade
Get:1 http://archive.ubuntu.com/ubuntu bionic InRelease [242 kB]
Get:2 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:4 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 Packages [8505 B]
Get:5 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]                    
Get:6 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages [908 kB]
Get:7 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages [11.3 MB]  
Get:8 http://security.ubuntu.com/ubuntu bionic-security/restricted amd64 Packages [52.4 kB] 
Get:9 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages [843 kB]                
Get:10 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages [1344 kB]                            
Get:11 http://archive.ubuntu.com/ubuntu bionic/restricted amd64 Packages [13.5 kB]
Get:12 http://archive.ubuntu.com/ubuntu bionic/multiverse amd64 Packages [186 kB]
Get:13 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [1376 kB]
Get:14 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [1205 kB]
Get:15 http://archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 Packages [19.8 kB]
Get:16 http://archive.ubuntu.com/ubuntu bionic-updates/restricted amd64 Packages [66.8 kB]
Get:17 http://archive.ubuntu.com/ubuntu bionic-backports/main amd64 Packages [8286 B]
Get:18 http://archive.ubuntu.com/ubuntu bionic-backports/universe amd64 Packages [7671 B]
Fetched 17.9 MB in 3s (5815 kB/s)                     
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  gcc-7-base xz-utils
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

There's nothing to be updated in the image

@556u5ut
Author

556u5ut commented May 6, 2020

I use "docker pull rabbitmq" to get the docker image from Docker Hub. The version of the rabbitmq image is 3.8.3.

There are still many vulnerabilities.
CVE-2019-6488
CVE-2016-10739
CVE-2019-7309
CVE-2019-9169
CVE-2019-3829
CVE-2018-6829
CVE-2018-0495
CVE-2017-15232
CVE-2019-6129
CVE-2019-9893
CVE-2018-1000654
CVE-2017-18258
CVE-2016-9318
CVE-2017-16932
CVE-2018-14404
CVE-2019-11068
CVE-2018-19217
CVE-2018-19211
CVE-2018-1121
CVE-2018-7169
CVE-2019-3844
CVE-2019-3843
CVE-2018-16865
CVE-2018-16864
CVE-2018-15688
CVE-2019-3842
CVE-2018-16866
CVE-2019-9923
CVE-2018-20482
CVE-2017-2616
My scanner finds these files not safe:

libdb-5.3.so
rabbitmq.tar:5d0178083326d147512e56c69c596859345e18e2cf26742dd1e4478527b4f1a5/layer.tar:usr/lib/x86_64-linux-gnu/libdb-5.3.so

libc-2.28.so
rabbitmq.tar:5d0178083326d147512e56c69c596859345e18e2cf26742dd1e4478527b4f1a5/layer.tar:usr/lib/x86_64-linux-gnu/libdb-5.3.so

@yosifkit
Member

yosifkit commented May 6, 2020

Since there are no updates available and 18.04 is security updated by Ubuntu, you need to check their security tracker to see why there is no update available. Here are a few:

Since there are no package updates available, there is nothing we can do.

You may want to push back on your scanner company since they seem to be incorrectly matching unrelated CVEs on "berkeleydb" libdb-5.3.so 🤷
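
The two maintainer replies above describe the same manual triage: distributions backport fixes into the existing package version (so `apt upgrade` has nothing to do), a scanner keying on the upstream version cannot see that, and the remaining question per CVE is whether the distribution's changelog or security tracker says it was fixed, or whether it applies to that package at all. The following Python script is an added example that reproduces that check offline; it is not code from docker-library or from the rabbitmq image. The file-to-package map, installed versions, changelog text and findings are constructed sample data standing in for the answers of `dpkg -S`, `dpkg-query -W` and `/usr/share/doc/<pkg>/changelog.Debian.gz`; the version strings are hypothetical, not real Ubuntu uploads.

```python
"""Backport-aware triage of scanner CVE hits on a Debian/Ubuntu based image.

Added example, not docker-library's or the rabbitmq image's own code.
Stable releases fix CVEs by patching the existing package version, so dpkg
reports e.g. 1:2.28-0ubuntu1.1 while a version-matching scanner only sees
"glibc 2.28" and flags CVEs the package changelog already lists as fixed.
Steps mirrored here: flagged file -> owning package (dpkg -S), installed
version (dpkg-query -W), then look for the CVE id in that package's
Debian changelog.  All data below is constructed, with hypothetical versions.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")
# First line of a Debian changelog entry: "source (version) dist; urgency=..."
HEADER_RE = re.compile(r"^(?P<src>\S+) \((?P<ver>[^)]+)\) (?P<dist>\S+); urgency=")
TRACKER = "https://ubuntu.com/security/cve/"  # Ubuntu's per-CVE tracker pages

# Constructed: what `dpkg -S <file>` would answer for the flagged files.
FILE_OWNER: Dict[str, str] = {
    "usr/lib/x86_64-linux-gnu/libdb-5.3.so": "libdb5.3",
    "usr/lib/x86_64-linux-gnu/libc-2.28.so": "libc6",
}
# Constructed: what `dpkg-query -W -f='${Version}' <pkg>` would answer.
INSTALLED: Dict[str, str] = {"libdb5.3": "5.3.28-13.1ubuntu1", "libc6": "1:2.28-0ubuntu1.1"}
# Constructed: /usr/share/doc/<pkg>/changelog.Debian.gz contents, newest entry first.
CHANGELOGS: Dict[str, str] = {
    "libdb5.3": (
        "libdb5.3 (5.3.28-13.1ubuntu1) bionic; urgency=medium\n\n"
        "  * Merge from Debian unstable.\n\n"
        " -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2018 00:00:00 +0000\n"
    ),
    "libc6": (
        "glibc (1:2.28-0ubuntu1.1) example-security; urgency=medium\n\n"
        "  * SECURITY UPDATE: fixes backported from upstream\n"
        "    - CVE-2016-10739\n"
        "    - CVE-2019-9169\n\n"
        " -- Example Maintainer <maint@example.invalid>  Mon, 01 Jul 2019 00:00:00 +0000\n\n"
        "glibc (1:2.28-0ubuntu1) example; urgency=medium\n\n"
        "  * New upstream release.\n\n"
        " -- Example Maintainer <maint@example.invalid>  Wed, 01 Aug 2018 00:00:00 +0000\n"
    ),
}


def upstream_version(debian_version: str) -> str:
    """Strip epoch and Debian revision: '1:2.28-0ubuntu1.1' -> '2.28'.

    This is all a version-matching scanner keys on, which is why it cannot
    tell a patched 2.28-0ubuntu1.1 from a vanilla 2.28."""
    no_epoch = debian_version.split(":", 1)[-1]
    return no_epoch.rsplit("-", 1)[0]


def cves_fixed_in(changelog: str) -> Dict[str, str]:
    """Map each CVE id mentioned in a Debian changelog to the earliest
    (oldest) entry version that mentions it, i.e. the fixing upload."""
    fixed: Dict[str, str] = {}
    version = None
    for line in changelog.splitlines():
        m = HEADER_RE.match(line)
        if m:
            version = m.group("ver")
            continue
        if version is None:
            continue
        for cve in CVE_RE.findall(line):
            fixed[cve] = version  # entries are newest-first, so the last write is the oldest mention
    return fixed


class Triage(NamedTuple):
    cve: str
    path: str
    package: str
    installed: str
    status: str  # "fixed-backport" | "check-tracker" | "unowned-file"
    detail: str


def triage(cve: str, path: str) -> Triage:
    """Classify one scanner finding using only on-image package metadata."""
    package = FILE_OWNER.get(path)
    if package is None:
        return Triage(cve, path, "", "", "unowned-file",
                      "file is not owned by a dpkg package; find out how it was installed")
    installed = INSTALLED[package]
    fixed = cves_fixed_in(CHANGELOGS[package])
    if cve in fixed:
        return Triage(cve, path, package, installed, "fixed-backport",
                      f"changelog lists {cve} fixed in {fixed[cve]} "
                      f"(upstream version still {upstream_version(installed)})")
    return Triage(cve, path, package, installed, "check-tracker",
                  f"not in {package} changelog: see {TRACKER}{cve} for whether it affects {package} at all")


def triage_all(findings: List[Tuple[str, str]]) -> List[Triage]:
    return [triage(cve, path) for cve, path in findings]


if __name__ == "__main__":
    # Constructed findings in the shape of the scanner output quoted in this issue.
    sample = [
        ("CVE-2016-10739", "usr/lib/x86_64-linux-gnu/libc-2.28.so"),
        ("CVE-2019-9169", "usr/lib/x86_64-linux-gnu/libc-2.28.so"),
        ("CVE-2019-6488", "usr/lib/x86_64-linux-gnu/libc-2.28.so"),
        ("CVE-2018-1122", "usr/lib/x86_64-linux-gnu/libdb-5.3.so"),
        ("CVE-2019-9923", "usr/lib/x86_64-linux-gnu/libdb-5.3.so"),
        ("CVE-2018-7169", "opt/vendor/lib/libfoo.so"),  # hypothetical non-dpkg file
    ]
    for t in triage_all(sample):
        print(f"{t.cve:<15} {t.status:<15} {t.detail}")
```

Inside a real container the three constructed inputs come from `dpkg -S /usr/lib/x86_64-linux-gnu/libdb-5.3.so`, `dpkg-query -W -f='${Version}\n' libdb5.3` and `zcat /usr/share/doc/libdb5.3/changelog.Debian.gz`; a CVE that ends up as "check-tracker" is exactly the case yosifkit describes, where only the distribution's tracker can tell a pending fix from a CVE that was matched to the wrong package.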

@michaelklishin
Collaborator

I think this should be closed to not confuse and unnecessarily scare those looking at the list of open issues.

@tianon
Member

tianon commented May 19, 2020

Agreed, thanks for the reminder 👍

@tianon tianon closed this as completed May 19, 2020