Docker Community Forums


Docker CVE false positives



I have recently noticed that there are false positives in the Amazon Linux 2018.3 official image. When checking the package changelog for bash I see that fixes for the CVEs have been applied via backporting but are still listed as vulnerabilities. It seems that the scanner only checks the package version, which wouldn’t show that fixes have been applied. I assume that this will be an issue for all images and packages, or at least the RHEL-based ones?

This means that there are more vulnerabilities listed than actually exist in the image. I know backporting doesn’t help the matter, as fixes are applied but the package version doesn’t change. Also, some CVEs aren’t addressed because the fixes were deemed not required, but there is nothing in the changelog for the package.

The version of Bash that is installed is bash-4.2.46-28.37.amzn1.x86_64

Here is the changelog for the package.

rpm -q --changelog bash | grep CVE

  • CVE-2016-9401 - Fix crash when ‘-’ is passed as second sign to popd

  • CVE-2016-7543: Fix for arbitrary code execution via SHELLOPTS+PS4 variables

  • CVE-2016-0634: Fix for arbitrary code execution via malicious hostname

  • Added two remaining patches to fix CVE 2014-7169 (variables-affix & parser-oob)

  • CVE-2014-7169

  • Added patch eol-pushback.patch, fixes CVE-2014-7169

  • apply patch for CVE-2014-6271

This shows which CVEs have been fixed, but they are still being shown as vulnerabilities in the scanner.

This is the link that shows the vulnerabilities in my example.

I have also tried to report the false positives to Docker using the method described in this article, but I get an error when trying, and I can’t find another way to contact their support team.

Will Docker be doing anything to address this issue with the Scanner?



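The post above describes the mismatch by hand: the scanner matches on package version, while the evidence that a fix was backported lives in `rpm -q --changelog`. The script below is an added example (not code from the post, from Docker, or from Amazon Linux) that automates that cross-check: it pulls every CVE ID out of an rpm changelog, normalising the two spellings that appear in the bash changelog ("CVE-2014-7169" and "CVE 2014-7169"), and labels each scanner-reported CVE as "backported" (named in the changelog, so probably a false positive) or "unresolved" (not mentioned, so it needs a real look). The sample changelog is constructed from the entries quoted in the post, the scanner report list is constructed, and CVE-2099-12345 is a fictitious placeholder ID that stands in for a finding the changelog does not cover; the `rpm` call is only used when the command exists on the host.

```python
import re
import shutil
import subprocess

# CVE IDs look like CVE-YYYY-NNNN (four or more digits since 2014). Some rpm
# changelog entries write "CVE 2014-7169" with a space, so accept both separators.
CVE_RE = re.compile(r"CVE[- ](\d{4})[- ](\d{4,})", re.IGNORECASE)


def extract_backported_cves(changelog_text):
    """Return every CVE ID named in an rpm changelog, normalised to CVE-YYYY-NNNN."""
    return {f"CVE-{year}-{num}" for year, num in CVE_RE.findall(changelog_text)}


def triage(reported_cves, changelog_text):
    """Label each scanner finding: 'backported' if the changelog names the CVE
    (fix applied without a version bump, so the scanner is probably wrong),
    otherwise 'unresolved' (the changelog gives no evidence either way)."""
    fixed = extract_backported_cves(changelog_text)
    return {
        cve.upper(): ("backported" if cve.upper() in fixed else "unresolved")
        for cve in reported_cves
    }


def changelog_from_rpm(package):
    """Fetch the changelog for an installed package with rpm -q --changelog.
    Returns None when rpm is absent or the package is not installed."""
    if shutil.which("rpm") is None:
        return None
    result = subprocess.run(
        ["rpm", "-q", "--changelog", package], capture_output=True, text=True
    )
    return result.stdout if result.returncode == 0 else None


# Constructed sample: the CVE lines quoted in the post, with a generic header line
# in place of the real date/packager entries rpm prints.
SAMPLE_CHANGELOG = """\
* (date and packager elided) - 4.2.46-28.37
- CVE-2016-9401 - Fix crash when '-' is passed as second sign to popd
- CVE-2016-7543: Fix for arbitrary code execution via SHELLOPTS+PS4 variables
- CVE-2016-0634: Fix for arbitrary code execution via malicious hostname
* (date and packager elided) - 4.2.45-5
- Added two remaining patches to fix CVE 2014-7169 (variables-affix & parser-oob)
- CVE-2014-7169
- Added patch eol-pushback.patch, fixes CVE-2014-7169
- apply patch for CVE-2014-6271
"""

# Constructed scanner output. CVE-2099-12345 is a fictitious placeholder, not a
# real CVE; it models a finding that the changelog does not mention.
SAMPLE_REPORT = ["CVE-2014-6271", "CVE-2014-7169", "cve-2016-0634", "CVE-2099-12345"]


if __name__ == "__main__":
    # Use the live changelog when rpm is available, else the constructed sample.
    text = changelog_from_rpm("bash") or SAMPLE_CHANGELOG
    for cve, status in sorted(triage(SAMPLE_REPORT, text).items()):
        print(f"{cve}: {status}")
```

A changelog mention is strong evidence that a fix was backported, but it is not proof on its own: an entry can describe a partial fix, or a distribution can decide a CVE does not apply and say nothing in the changelog, which is exactly the second case the post raises. Treat "backported" as a reason to check the vendor's security advisory for that package version before closing the finding, and "unresolved" as a finding that the changelog cannot clear.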