Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Vulnerabilities in PostgreSQL Image: Request for Guidance #138

Open
SanduDS opened this issue Jan 20, 2025 · 2 comments
Open

Security Vulnerabilities in PostgreSQL Image: Request for Guidance #138

SanduDS opened this issue Jan 20, 2025 · 2 comments

Comments

@SanduDS
Copy link

SanduDS commented Jan 20, 2025

Issue Description

We are using the PostgreSQL image (17) based on Debian OS (Bookworm) with CloudNativePG in our Kubernetes cluster. While scanning the image for vulnerabilities, we identified several critical issues. We need guidance from the CNPG community to address these vulnerabilities in the image version used by CNPG.

Critical Vulnerabilities Identified

  1. CVE-2023-45853:

    • Package: zlib1g
    • Description: Integer overflow in zipOpenNewFileInZip4_6 leads to a heap-based buffer overflow.
    • Severity: Critical
    • Status: will_not_fix

  2. CVE-2023-24538:

    • Package: Go runtime (html/template)
    • Description: Backticks are not treated as string delimiters, which may allow code injection.
    • Severity: Critical
    • Status: Fixed in Go v1.18.2, v1.19.8, v1.20.3

  3. CVE-2023-24540:

    • Package: Go runtime (html/template)
    • Description: Improper handling of JavaScript whitespace could allow XSS attacks.
    • Severity: Critical
    • Status: Fixed in Go v1.19.9, v1.20.4

  4. CVE-2024-24790:

    • Package: Go runtime (net/netip)
    • Description: Unexpected behavior in Is methods for IPv4-mapped IPv6 addresses could bypass IP-based restrictions.
    • Severity: High
    • Status: Fixed in Go v1.21.11, v1.22.4

Impact on Cluster Security

While PostgreSQL itself is not directly impacted, associated vulnerabilities in the image pose a risk:

  • Possible code injection or XSS attacks from Go-based utilities using vulnerable html/template.
  • Improper IP-based access control due to net/netip issues.
  • Heap-based buffer overflow risk from zlib, potentially allowing malicious data processing.

Request for Guidance

  1. Are there updated PostgreSQL images compatible with CNPG that address these vulnerabilities?
  2. If not, what is the recommended approach to mitigate these issues in the current image version?
  3. Should we consider custom-building an image with patched dependencies? If so, are there any best practices for ensuring compatibility with CNPG?

Environment Details

  • CNPG Version: 1.25.0
  • PostgreSQL Image Version: 17.2-28-bookworm

We look forward to the community's insights and recommendations. Thank you!
@sathieu sathieu mentioned this issue Jan 22, 2025
Open
@sathieu
Copy link

sathieu commented Jan 22, 2025

Possible way forward: use alpine (#78), but it currently has the same number of vulnerabilities:

Image

Image

ref

@gbartolini
Copy link
Contributor

@SanduDS, we are transitioning away from the official Postgres image and are now in the process of approving a new build process that includes Software Bill of Materials (SBOMs) and signatures. Currently, the images are published in the "postgresql-testing" repository. Could you please evaluate them?

For example, you can check ghcr.io/cloudnative-pg/postgresql-testing:17.2-202501221134-minimal-bookworm.

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gbartolini @sathieu @SanduDS