
Critical CVE-2024-32002 and CVE-2024-3817 in Trivy Scan #13291

Closed
alexander-dammeier opened this issue May 16, 2024 · 5 comments · Fixed by #13299
Labels: security (Area: security)

Comments


alexander-dammeier commented May 16, 2024

Hello!

We are testing Coder for a high-security environment, but we are not allowed to use your images as they contain critical CVEs (see the Trivy scans below). Unfortunately these CVEs are also in your latest images of the stable (2.10.2) and mainline (2.11.0) release trains.

(scans are filtered to HIGH and CRITICAL CVEs)

ghcr.io/coder/coder:v2.10.2 (alpine 3.19.1)
===========================================
Total: 3 (HIGH: 2, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                   Title                    │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ git     │ CVE-2024-32002 │ CRITICAL │ fixed  │ 2.43.0-r0         │ 2.43.4-r0     │ git: Recursive clones RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32002 │
│         ├────────────────┼──────────┤        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32004 │ HIGH     │        │                   │               │ git: RCE while cloning local repos         │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32004 │
│         ├────────────────┤          │        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32465 │          │        │                   │               │ git: additional local RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32465 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

usr/local/bin/terraform (gobinary)
==================================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cloudflare/circl    │ GHSA-9763-4f94-gfch │ HIGH     │ fixed  │ v1.3.3            │ 1.3.7         │ CIRCL's Kyber: timing side-channel (kyberslash2)             │
│                                │                     │          │        │                   │               │ https://github.com/advisories/GHSA-9763-4f94-gfch            │
├────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817       │ CRITICAL │        │ v1.7.3            │ 1.7.4         │ HashiCorp's go-getter library is vulnerable to argument      │
│                                │                     │          │        │                   │               │ injection ...                                                │
│                                │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
└────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

ghcr.io/coder/coder:v2.11.0 (alpine 3.19.1)
===========================================
Total: 3 (HIGH: 2, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                   Title                    │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ git     │ CVE-2024-32002 │ CRITICAL │ fixed  │ 2.43.0-r0         │ 2.43.4-r0     │ git: Recursive clones RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32002 │
│         ├────────────────┼──────────┤        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32004 │ HIGH     │        │                   │               │ git: RCE while cloning local repos         │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32004 │
│         ├────────────────┤          │        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32465 │          │        │                   │               │ git: additional local RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32465 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

usr/local/bin/terraform (gobinary)
==================================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cloudflare/circl    │ GHSA-9763-4f94-gfch │ HIGH     │ fixed  │ v1.3.3            │ 1.3.7         │ CIRCL's Kyber: timing side-channel (kyberslash2)             │
│                                │                     │          │        │                   │               │ https://github.com/advisories/GHSA-9763-4f94-gfch            │
├────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817       │ CRITICAL │        │ v1.7.3            │ 1.7.4         │ HashiCorp's go-getter library is vulnerable to argument      │
│                                │                     │          │        │                   │               │ injection ...                                                │
│                                │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
└────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

coder-labeler bot added the security (Area: security) label May 16, 2024
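As an added example (not Coder's or Trivy's own code): a small Python policy gate that reads Trivy's JSON report, applies the same HIGH/CRITICAL filter the scans above were run with, and exits non-zero when anything violates the policy. The report embedded in the script is a constructed sample built from the findings in the tables above, plus one placeholder entry (EXAMPLE-UNFIXED-0001, not a real advisory) added to exercise the no-fix-available case; the JSON keys are the ones Trivy emits with `--format json`. The `ignore_unfixed` switch mirrors Trivy's `--ignore-unfixed`, which is worth understanding before enabling in a gate: it makes findings without a fix disappear from the report rather than from the image.

```python
"""Severity gate over a Trivy JSON report (added example, not Coder's or Trivy's code).

A `trivy image --format json` report has a top-level "Results" list; each result has
a "Target" and a "Vulnerabilities" list whose entries include VulnerabilityID,
PkgName, InstalledVersion, FixedVersion, Severity, Status and Title. SAMPLE_REPORT is
a constructed, trimmed report mirroring the issue's findings plus one placeholder
entry (EXAMPLE-UNFIXED-0001, not a real advisory) that has no fix available.
"""
import json
import sys
from collections import Counter
from pathlib import Path

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

ALPINE = "ghcr.io/coder/coder:v2.10.2 (alpine 3.19.1)"
TERRAFORM = "usr/local/bin/terraform"


def _v(vid, pkg, installed, fixed, sev, status, title):
    """Build one Trivy-shaped vulnerability entry (keys as Trivy emits them)."""
    return {"VulnerabilityID": vid, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": sev, "Status": status, "Title": title}


SAMPLE_REPORT = json.dumps({  # constructed sample input
    "ArtifactName": "ghcr.io/coder/coder:v2.10.2",
    "Results": [
        {"Target": ALPINE, "Class": "os-pkgs", "Type": "alpine", "Vulnerabilities": [
            _v("CVE-2024-32002", "git", "2.43.0-r0", "2.43.4-r0", "CRITICAL", "fixed",
               "git: Recursive clones RCE"),
            _v("CVE-2024-32004", "git", "2.43.0-r0", "2.43.4-r0", "HIGH", "fixed",
               "git: RCE while cloning local repos"),
            _v("CVE-2024-32465", "git", "2.43.0-r0", "2.43.4-r0", "HIGH", "fixed",
               "git: additional local RCE"),
            # Placeholder, not a real advisory: exercises the no-fix-available path.
            _v("EXAMPLE-UNFIXED-0001", "example-pkg", "1.0.0-r0", "", "HIGH", "affected",
               "constructed placeholder with no upstream fix"),
        ]},
        {"Target": TERRAFORM, "Class": "lang-pkgs", "Type": "gobinary", "Vulnerabilities": [
            _v("GHSA-9763-4f94-gfch", "github.com/cloudflare/circl", "v1.3.3", "1.3.7", "HIGH",
               "fixed", "CIRCL's Kyber: timing side-channel (kyberslash2)"),
            _v("CVE-2024-3817", "github.com/hashicorp/go-getter", "v1.7.3", "1.7.4", "CRITICAL",
               "fixed", "HashiCorp's go-getter library is vulnerable to argument injection"),
        ]},
    ],
})


def load_findings(report_json):
    """Flatten the report into one dict per finding, tagged with its Target."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is null when a target is clean
            findings.append({
                "target": result.get("Target", "?"),
                "id": vuln.get("VulnerabilityID", "?"),
                "pkg": vuln.get("PkgName", "?"),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": str(vuln.get("Severity", "UNKNOWN")).upper(),
                "status": vuln.get("Status", ""),
            })
    return findings


def gate(findings, min_severity="HIGH", ignore_unfixed=False):
    """Return policy violations, highest severity first.

    ignore_unfixed mirrors Trivy's --ignore-unfixed (drop findings with no FixedVersion).
    That hides real exposure, so the default keeps unfixed findings in the result.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    hits = [f for f in findings
            if SEVERITY_RANK.get(f["severity"], 0) >= threshold
            and (f["fixed"] or not ignore_unfixed)]
    return sorted(hits, key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["target"], f["id"]))


def summarize(findings):
    """Count findings per (target, severity), like the totals line in Trivy's table."""
    return Counter((f["target"], f["severity"]) for f in findings)


def render(violations):
    """One plain-text line per violation; unfixed findings are called out explicitly."""
    rows = []
    for f in violations:
        fix = f"fix: {f['fixed']}" if f["fixed"] else "NO FIX AVAILABLE"
        rows.append(f"{f['severity']:<8} {f['id']:<22} {f['pkg']} {f['installed']} ({fix}) [{f['target']}]")
    return "\n".join(rows)


def main(argv):
    """Usage: gate.py [trivy-report.json]; exits 1 when any violation is found."""
    report_json = Path(argv[1]).read_text() if len(argv) > 1 else SAMPLE_REPORT
    violations = gate(load_findings(report_json))
    print(render(violations) or "no findings at or above HIGH")
    for (target, sev), n in sorted(summarize(violations).items()):
        print(f"{target}: {sev}={n}")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it gates the embedded sample; pass the path of a real `trivy image --format json -o report.json ...` output to gate that instead. With `ignore_unfixed=True` the sample reproduces the page's counts exactly (3 + 2 findings at HIGH/CRITICAL); with the default it also surfaces the placeholder finding that has no fix, which is the case a CI gate most often silently drops.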
MrPeacockNLB (Contributor) commented May 16, 2024

This is a good time to ask for images from scratch for enterprise users. CVE-2024-3817 is introduced via installing terraform with apk (/usr/local/bin/terraform), and the other one, CVE-2024-32002, also via apk installing the git client. Is there a reason why the images are Alpine-based?

For security reasons it would be nice if we could get rid of wget and curl in the images too. They enable attackers to download other stuff.

Maybe there should be two different images: one for Coder Server and one for ProvisionerD (including the needed terraform binary).

alexander-dammeier (Author) commented May 16, 2024

In the meantime I tried to update terraform and git myself.
Git was no problem via apk.

Terraform no longer seems to be available via apk (but opentofu is), so I just replaced the binary with a newer version from GitHub. Unfortunately there is no newer terraform version which is officially supported by coder.
Even worse, terraform 1.7.5 also has this critical CVE. Terraform 1.8.3 is fine, but jumping up two minor versions seems a little bit risky to me.

I hope there will be a fixed version of terraform 1.6 and 1.7 soon.

coadler (Member) commented May 16, 2024

@MrPeacockNLB

This is a good time to ask for images from scratch for enterprise users. CVE-2024-3817 is introduced via installing terraform with apk (/usr/local/bin/terraform)

Terraform was removed from Alpine, so we manage that ourselves now. There was ambiguity for a while as to whether or not we were allowed to upgrade to versions released under BSL, but we're now working our way towards the latest Terraform release. I think we'll be caught up to 1.8.x by Coder 2.12.

the other one is CVE-2024-32002 also with apk installing git client. Is there a reason why the images are alpine based?

Alpine doesn't really have much to do with this. The Git CVEs were only announced two days ago and patches have been available in Alpine since yesterday. Our last release was last week, which is why it wasn't included.

I'll have a patch out later today addressing the Git RCEs. Thanks @alexander-dammeier for bringing this to our attention.

MrPeacockNLB (Contributor)

@coadler using a distro (even if it is only the small Alpine) raises the attack surface. Just from a security point of view, it would be best practice to build the image from scratch.

Thanks for fixing issues!

coadler (Member) commented May 16, 2024

https://github.com/coder/coder/releases/tag/v2.11.1
