
[bitnami/schema-registry] Critical & High Security Finding in Schema-Registry - MiniZip | Zlib #73221

Open
aymenwerg opened this issue Oct 10, 2024 · 2 comments
Labels: schema-registry, stale (15 days without activity), tech-issues (The user has a technical issue about an application), triage (Triage is needed)

Comments

aymenwerg commented Oct 10, 2024

Name and Version

bitnami/schema-registry:7.7.1

What architecture are you using?

amd64

What steps will reproduce the bug?

Hi,
We are using the Bitnami Schema Registry in the AWS Cloud. The AWS ECR Image Scan has detected critical vulnerabilities, specifically CVE-2023-45853 (https://security-tracker.debian.org/tracker/CVE-2023-45853).

This issue affects all versions from 7.3 to 7.7.1, and unfortunately, this security finding has not been resolved for 1.5 years. Are there plans to patch this in the next versions?

What is the expected behavior?

No High or Critical findings

What do you see instead?

Critical findings
Vulnerable package: zlib::1:1.2.13.dfsg-1
Description: MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.

@aymenwerg aymenwerg added the tech-issues The user has a technical issue about an application label Oct 10, 2024
@github-actions github-actions bot added the triage Triage is needed label Oct 10, 2024
@carrodher (Member) commented:

I understand your concern about security vulnerabilities. We regularly update our images with the latest system packages; however, certain CVEs may persist until they are patched in the OS or application. Additionally, some CVEs remain unfixed due to the absence of available patches. In vulnerability scanners like Trivy, you can use the --ignore-unfixed flag to ignore such CVEs. You can learn more about our CVE policy here.

The Bitnami Application Catalog (OpenSource) is built on Debian 12. Additionally, as part of VMware, Bitnami offers a custom container and Helm Charts catalog based on various base images, such as Debian 11 & 12, PhotonOS 5, Ubuntu 22.04 & 24.04, RedHat UBI 8 & 9, and custom golden images. You can explore these options through the VMware Tanzu Application Catalog.

If you have any further questions, feel free to ask.
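The maintainer's reply refers to Trivy's `--ignore-unfixed` flag, which drops findings for which the distribution ships no patched package. The following is an added example (not code from the issue, from Bitnami, or from Trivy) that applies the same triage policy to a Trivy-style JSON report so the reasoning is visible: a Critical finding with no `FixedVersion` is reported but does not fail the gate, while a High finding that does have a fix remains actionable. The report is constructed inline; the field names follow Trivy's JSON layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`). Only the zlib package, its installed version and CVE-2023-45853 are taken from the issue; the second finding uses a placeholder CVE id and a hypothetical package name.

```python
"""Scanner triage mirroring Trivy's --ignore-unfixed policy.

Added example for illustration; not part of the bitnami/containers issue,
the Bitnami images, or Trivy. The report below is constructed inline.
"""
import json
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed Trivy-style report. The first entry is the finding quoted in the
# issue (no FixedVersion key: Debian ships no patched zlib package). The second
# entry is invented: a placeholder CVE id and a hypothetical package that does
# have a fixed version available.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "bitnami/schema-registry:7.7.1 (debian 12)",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "CVE-2023-45853",
                    "PkgName": "zlib1g",
                    "InstalledVersion": "1:1.2.13.dfsg-1",
                    "Severity": "CRITICAL",
                },
                {
                    "VulnerabilityID": "CVE-0000-00001",  # placeholder, not a real CVE
                    "PkgName": "example-lib",             # hypothetical package
                    "InstalledVersion": "1.0.0-1",
                    "FixedVersion": "1.0.0-2",
                    "Severity": "HIGH",
                },
                {
                    "VulnerabilityID": "CVE-0000-00002",  # placeholder, not a real CVE
                    "PkgName": "example-tool",            # hypothetical package
                    "InstalledVersion": "2.3.0-1",
                    "FixedVersion": "2.3.1-1",
                    "Severity": "LOW",
                },
            ],
        }
    ]
})


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: Optional[str]   # None when the scanner reports no fixed version
    severity: str
    target: str


def parse_report(raw: str) -> List[Finding]:
    """Flatten a Trivy-style JSON report into Finding records."""
    doc = json.loads(raw)
    findings = []
    for result in doc.get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities", []) or []:
            findings.append(Finding(
                vuln_id=v["VulnerabilityID"],
                package=v["PkgName"],
                installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion") or None,   # absent or "" means unfixed
                severity=v.get("Severity", "UNKNOWN").upper(),
                target=target,
            ))
    return findings


def triage(findings: List[Finding],
           fail_on: FrozenSet[str] = frozenset({"CRITICAL", "HIGH"}),
           ignore_unfixed: bool = True) -> Tuple[List[Finding], List[Finding]]:
    """Split findings at or above the fail threshold into (actionable, suppressed).

    With ignore_unfixed=True a finding that has no FixedVersion is suppressed,
    which is what `trivy --ignore-unfixed` does: it still exists in the image,
    but there is no package upgrade that removes it. Findings below the
    threshold are dropped from both lists.
    """
    actionable, suppressed = [], []
    for f in findings:
        if f.severity not in fail_on:
            continue
        if ignore_unfixed and f.fixed is None:
            suppressed.append(f)
        else:
            actionable.append(f)
    return actionable, suppressed


def gate_passes(raw: str, **policy) -> bool:
    """True when no actionable finding remains under the given policy."""
    actionable, _ = triage(parse_report(raw), **policy)
    return not actionable


if __name__ == "__main__":
    act, sup = triage(parse_report(SAMPLE_REPORT))
    for f in act:
        print(f"ACTIONABLE {f.severity:8} {f.vuln_id} {f.package} {f.installed} -> {f.fixed}")
    for f in sup:
        print(f"SUPPRESSED {f.severity:8} {f.vuln_id} {f.package} {f.installed} (no fix available)")
    print("gate passes:", gate_passes(SAMPLE_REPORT))
```

The suppressed list is still worth surfacing in scan output: an unfixed Critical finding should be recorded and re-checked on each rebuild, since the gate only stops failing on it because no upgrade exists, not because the risk is gone.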

github-actions bot commented:

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Oct 26, 2024