Security vulnerabilities in linux base for container.

[degsoteria]

Can someone update the linux base layer for the container in docker hub? Both 6.x and 7.x are really bad. We would like to try this but our client requires better security. Thank you for any feedback on the possiblity.

[LaurentGoderre]

These are false positives. See https://github.com/tianon/gosu/blob/master/SECURITY.md

Also duplicate of #718

[degsoteria]

Just for argument sake. If it not used, remove from container base ? David Gould CISO CISSP/CEH/MCITP-EA Soteria Software ***@***.*** 855-RMF-0848 <8550848> 10816 Town Center Blvd #609 Dunkirk, MD 20754 soteriasoft.com <https://www.soteriasoft.com/> <https://www.soteriasoft.com/> *Do the work. Automate the paperwork! SM – OpenRMF® Professional* <https://www.linkedin.com/company/soteria-software/> <https://twitter.com/soteriasoft> The content of this email is confidential and intended for the recipient specified in message only. It is strictly forbidden to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future.

…

On Tue, Jan 21, 2025 at 3:33 PM Laurent Goderre ***@***.***> wrote: These are false positives. See https://github.com/tianon/gosu/blob/master/SECURITY.md Also duplicate of #718 <#718> — Reply to this email directly, view it on GitHub <#719 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AWDRND2GM2MRWTMBERI36C32L2VH7AVCNFSM6AAAAABVTLWLTKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMBVGY4DAOBWGA> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[yosifkit]

Just for argument sake. If it not used, remove from container base ?

mongo/docker-entrypoint.sh

Lines 12 to 22 in ce733cc

	if [[ "$originalArgOne" == mongo* ]] && [ "$(id -u)" = '0' ]; then
	if [ "$originalArgOne" = 'mongod' ]; then
	find /data/configdb /data/db \! -user mongodb -exec chown mongodb '{}' +
	fi
	# make sure we can write to stdout and stderr as "mongodb"
	# (for our "initdb" code later; see "--logpath" below)
	chown --dereference mongodb "/proc/$$/fd/1" "/proc/$$/fd/2" || :
	# ignore errors thanks to https://github.com/docker-library/mongo/issues/149
	exec gosu mongodb "$BASH_SOURCE" "$@"

The gosu binary is used to simply step down from root to the mongodb user. It allows the entrypoint script to start as root to correct filesystem permissions for easier setup while still running the mongod server as an unprivileged user. If you provide mount points or Docker volumes with the correct permissions, then setting --user will bypass gosu and it will be unused.

--

If there are any other updates from OS packages, they will be address at the next Dockerfile change (like version bump) or base image update.

For example, the CVE's existing in the base ubuntu:24.04 image would need to be addressed by a new, updated Ubuntu 24.04 image. Just rebuilding from the mongo Dockerfiles would be unlikely to affect any of them. It has been a month since the last Ubuntu image update, so I expect one very soon.

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:bullseye would be rebuilt when debian:bullseye is built).

-https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

[tianon]

(Also, in this case, it's not just gosu, but also a bunch of MongoDB-provided tools written in Go.)

[degsoteria]

Understood. I just am aware that other base images such as Alpine are much cleaner. Most of the findings aren’t with the baseline but with the gosu binary add on so I did not know if there was a plan moving forward for these issues. David Gould CISO CISSP/CEH/MCITP-EA Soteria Software ***@***.*** 855-RMF-0848 <8550848> 10816 Town Center Blvd #609 Dunkirk, MD 20754 soteriasoft.com <https://www.soteriasoft.com/> <https://www.soteriasoft.com/> *Do the work. Automate the paperwork! SM – OpenRMF® Professional* <https://www.linkedin.com/company/soteria-software/> <https://twitter.com/soteriasoft> The content of this email is confidential and intended for the recipient specified in message only. It is strictly forbidden to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future.

…

On Tue, Jan 21, 2025 at 3:59 PM yosifkit ***@***.***> wrote: Just for argument sake. If it not used, remove from container base ? https://github.com/docker-library/mongo/blob/ce733ccb9c6acf014af5cf96eeaa917d0378df5d/docker-entrypoint.sh#L12-L22 The gosu binary is used to simply step down from root to the mongodb user. It allows the entrypoint script to start as root to correct filesystem permissions for easier setup while still running the mongod server as an unprivileged user. If you provide mount points or Docker volumes with the correct permissions, then setting --user will bypass gosu and it will be unused. -- If there are any other updates from OS packages, they will be address at the next Dockerfile change (like version bump) or base image update. For example, the CVE's existing in the base ubuntu:24.04 image <https://hub.docker.com/layers/library/ubuntu/24.04/images/sha256-6e75a10070b0fcb0bead763c5118a369bc7cc30dfc1b0749c491bbb21f15c3c7> would need to be addressed by a new, updated Ubuntu 24.04 image. Just rebuilding from the mongo Dockerfiles would be unlikely to affect any of them. It has been a month since the last Ubuntu image update <docker-library/official-images#18135>, so I expect one very soon. Background: Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:bullseye would be rebuilt when debian:bullseye is built). - https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files Official Images FAQ: Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame - https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves To ensure that we don't push contentless image changes, we rely on periodic base image updates. We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule. - from the same FAQ link — Reply to this email directly, view it on GitHub <#719 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AWDRND4WCOZ6BGEXOO2F5332L2YJJAVCNFSM6AAAAABVTLWLTKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMBVG4ZDMMBTGY> . You are receiving this because you authored the thread.Message ID: ***@***.***>