
Latest vulnerability fixes #962

Merged (1 commit), Apr 8, 2024

Conversation

MukuFlash03 (Contributor)

Summary

4 HIGH severity vulnerabilities: cryptography, libgnutls30 (2), bash

  1. libgnutls30: Updated ubuntu version to latest version.
  2. cryptography: package updated to suggested version.
  3. bash: Updated bash package to latest version manually. Latest Ubuntu version still contains vulnerable package so had to manually upgrade.

DETAILED


1. bash
Installed: 0:5.1-6ubuntu1.AMD64
Fixed: 0:5.1-6ubuntu1.1

# Shows the glibc build; on Ubuntu the output names the Ubuntu package release it came from
$ ldd --version

Check package version using:
$ dpkg -l | grep bash

Findings:

  • Latest Ubuntu Docker image (jammy 22.04 LTS) was released a month ago and has 19 vulnerabilities including the bash vulnerability.
  • Vulnerabilities on Docker website are tagged as Medium but some of these like bash are tagged as High in AWS.
    So, cannot risk downloading this image.
  • Next latest image is for Noble 24.04 LTS, but not sure if doing a major Ubuntu version upgrade is a good idea or whether it might break some code or packages.
  • Even the package versions for the vulnerable packages like bash, libgnutls30 are different compared to the jammy version.

Approach planned:

  • So, thinking of manually upgrading the libraries if possible using apt-get update && apt-get upgrade.
  • But blanket upgrades are not recommended (see this).

Actions taken:

$ apt-get install bash=5.1-6ubuntu1.1

Failed initially with error:

Package bash is not available, but is referred to by another package. This may mean that the package is missing, has been obsoleted, or is only available from another source
E: Version '5.1-6ubuntu1.1' for 'bash' was not found

Solved this by running apt-get update (read here)

Then ran the install command again.
Working now. "bash" package successfully updated.

—————

2. libgnutls30
2 vulnerabilities present for this library.

Installed: 0:3.7.3-4ubuntu1.3.AMD64
Fixed: 0:3.7.3-4ubuntu1.4

# Shows the glibc build; on Ubuntu the output names the Ubuntu package release it came from
$ ldd --version

Check version using:
$ dpkg -l | grep libgnutls30

Upgrading to ubuntu:jammy-20240227 for now, which has the fixed libgnutls30 version.
But this has the bash vulnerability, which was handled manually (see 1 above).

————————

3. cryptography

Upgraded version from 41.0.7 to 42.0.0
$ conda install -c conda-forge cryptography=42.0.0 wheel=0.40.0

Removed older version files
$ rm -rf /root/miniconda-23.5.2/lib/python3.9/site-packages/cryptography-41.0.7.dist-info

Tested by “cd”-ing into the folder and verified that 41.0.7 is no longer present and 42.0.0 is the latest version in these locations:

  • /root/miniconda-23.5.2/pkgs
  • /root/miniconda-23.5.2/lib/python3.9/site-packages

1. Updated ubuntu version to latest version.
This fixes libgnutls30 package.

2. Cryptography package updated to suggested version.

3. Updated bash package to latest version manually.
Latest Ubuntu version still contains vulnerable package so had to manually upgrade.
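An added example, not code from the PR or the e-mission project, that automates the `dpkg -l` check used above: it parses `dpkg -l` output and flags packages whose installed version is still below the fixed version, using a re-implementation of dpkg's version ordering so that revisions like 6ubuntu1 vs 6ubuntu1.1 compare correctly. The fixed versions are the ones quoted in this PR; the `dpkg -l` lines are constructed.

```python
# Added example, not code from the PR: flag installed Debian/Ubuntu packages that
# are still below the fixed versions quoted above, using dpkg's version ordering
# ("[epoch:]upstream[-revision]"; '~' sorts lowest, digit runs compare numerically).
import re
from itertools import zip_longest

def _order(c):
    # dpkg's weight for one non-digit character ('' marks end of string)
    return -1 if c == "~" else 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Split both strings into alternating (non-digit, digit) runs and compare run by run.
    pa, pb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(pa, pb, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(v):
    # AWS Inspector prints a zero epoch explicitly ("0:5.1-6ubuntu1.1"); dpkg omits it.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def outdated(dpkg_l_output, fixed):
    """Map package -> (installed, fixed) for 'ii' packages still below the fixed version."""
    found = {}
    for line in dpkg_l_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "ii":   # 'ii' = installed, as `dpkg -l` prints it
            continue
        name = fields[1].split(":")[0]            # drop a ':amd64' multi-arch suffix
        if name in fixed and compare_versions(fields[2], fixed[name]) < 0:
            found[name] = (fields[2], fixed[name])
    return found

# Constructed sample of `dpkg -l` output; the fixed versions are the ones quoted in the PR.
SAMPLE_DPKG_L = ("ii  bash               5.1-6ubuntu1      amd64  GNU Bourne Again SHell\n"
                 "ii  libgnutls30:amd64  3.7.3-4ubuntu1.3  amd64  GNU TLS library\n")
FIXED = {"bash": "5.1-6ubuntu1.1", "libgnutls30": "3.7.3-4ubuntu1.4"}
```

Feed it the real output (`outdated(subprocess.check_output(["dpkg", "-l"], text=True), FIXED)`) inside the container to confirm both pinned installs took effect before the image is pushed.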
shankari (Contributor) commented Apr 5, 2024

@MukuFlash03

Vulnerabilities on Docker website are tagged as Medium but some of these like bash are tagged as High in AWS.
So, cannot risk downloading this image.

Can you upload a link for the Docker website or a screenshot for AWS? I would like to verify this before merging.

Next latest image is for Noble 24.04 LTS, but not sure if doing a major Ubuntu version upgrade is a good idea or that it might break some code, packages.

We have a fairly robust process for server updates (unit tests/staging, etc), so we should not rule it out in general. But noble looks like it is still devel, so it is not quite ready for production yet

MukuFlash03 (Contributor, Author) commented Apr 5, 2024

Vulnerabilities on Docker website are tagged as Medium but some of these like bash are tagged as High in AWS.
So, cannot risk downloading this image.

Can you upload link for the docker website or screenshot for AWS? I would like to verify this before merging.

CVE ID (CVE-2022-3715) refers to same bash package vulnerability in both Docker and AWS, and both of the links identify it as MEDIUM, while AWS identifies it as HIGH.

CVE link from Docker image
CVE link from AWS Inspector


Docker image ubuntu:jammy-20240227 available here.
Can see "bash" package tagged as Medium in the vulnerabilities list (see screenshot below)

[Screenshot 2024-04-05 at 3:02:24 PM]

While in AWS ECR the same bash package is tagged as HIGH severity (see screenshot below)

[Screenshot 2024-04-05 at 3:02:49 PM]

shankari (Contributor) commented Apr 8, 2024

@MukuFlash03 that's interesting. I am going to merge this for now because more fixed is better than less fixed, but we may want to follow up with the cloud services team to understand this discrepancy and how it should be resolved in the future.


# Clean up the conda install
conda clean -t
find /root/miniconda-*/pkgs -wholename \*info/test\* -type d | xargs rm -rf
find ~/miniconda-23.5.2 -name \*tests\* -path '*/site-packages/*' | grep ".*/site-packages/tests" | xargs rm -rf

# Updating bash package to latest version manually
apt-get update
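Review bot: running `apt-get update` as its own step leaves the downloaded package index under /var/lib/apt/lists/ in that image layer, and a later layer that reads the cached index can hit the same "Version '5.1-6ubuntu1.1' for 'bash' was not found" error described above once the index goes stale. Suggest chaining the update, the pinned install and the cleanup in one RUN instruction, e.g. `apt-get update && apt-get install -y --no-install-recommends bash=5.1-6ubuntu1.1 && rm -rf /var/lib/apt/lists/*`, which also answers the image-size concern without relying on a separate cleanup PR.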
Contributor (review comment on the Dockerfile lines above):

This is likely to bump up the image size significantly because of the downloaded packages for update. Can you see if that is true by comparing image sizes after this is built? If so, in a cleanup PR, please delete the downloaded packages (e.g. apt clean or similar).

MukuFlash03 (Contributor, Author) replied Apr 8, 2024

I believe what you are referring to happens when we actually "upgrade" the packages using apt-get upgrade while "update"-ing the packages using apt-get update just downloads the latest list of available packages but not the actual package versions themselves.

More information here and here:

The apt-get update downloads the index files whereas the apt-get upgrade downloads the latest versions of the installed packages.

Also, I checked the image sizes with and without the update command and there wasn't a significant difference in the sizes.

[Screenshot 2024-04-08 at 10:33:31 AM]

So, we should be good with this change.

shankari (Contributor) commented Apr 8, 2024

@Abby-Wheelis for visibility around DevOps changes

@shankari shankari merged commit 7660ecc into e-mission:master Apr 8, 2024
5 checks passed
@MukuFlash03 MukuFlash03 deleted the vuln-fix-apr24 branch April 18, 2024 19:17