Internal Vulnerability-Qualys

Hi All,

We have 1 EC2 instance running Ubuntu 20.04 LTS. We are running docker containers in it. Qualys detected the following vulnerability: “Node.Js Foundation Node.js Multiple Vulnerabilities (Node v20.11.1, Node v21.6.2, Node v18.19.1)”.

Related CVEs are: CVE-2024-21891, CVE-2024-22019, CVE-2024-21890, CVE-2024-21892, CVE-2023-46809, CVE-2024-21896, CVE-2024-22025, CVE-2024-22017

Location detected by Qualys is as below:

/bin/node
/var/snap/docker/common/var-lib-docker/overlay2/l/AUEWL7ZTSH2IAY5JMTMLSX7LEA/usr/local/bin/node js/v18.0.0

How can we resolve this issue detected inside snap?

Thanks,
Kapil.

The category “Tips & HowTos” is meant to be used if you share tips & HowTos you authored yourself. It is not for asking questions. I moved your post to the “General Discussions” category.

Furthermore, you are using a snap docker package, which is maintained and supported by Canonical.

Patch management with containers is done by replacing containers with containers based on images that already include a fix for the vulnerability.

Please find the snap list & refresh output below. It’s already updated. How can we fix the issue detected by Qualys in the snap location /var/snap/docker/common/var-lib-docker/overlay2/l/AUEWL7ZTSH2IAY5JMTMLSX7LEA/usr/local/bin/node js/v18.0.0?

ubuntu@ip-10-42-8-32:~$ snap list
Name              Version         Rev    Tracking         Publisher   Notes
amazon-ssm-agent  3.3.131.0       7993   latest/stable/…  aws✓        classic
core18            20240612        2829   latest/stable    canonical✓  base
core20            20240416        2318   latest/stable    canonical✓  base
core22            20240408        1380   latest/stable    canonical✓  base
docker            24.0.5          2915   latest/stable    canonical✓  -
lxd               4.0.10-e664786  29619  4.0/stable/…     canonical✓  -
snapd             2.63            21759  latest/stable    canonical✓  snapd
ubuntu@ip-10-42-8-32:~$ snap refresh --list
All snaps up to date.

Just out of curiosity: what part of my last post made you think that I want to see anything about snap? Snap itself, and the snap docker package is maintained by Canonical and supported by whatever support channel Canonical has for snap and the snap docker package.

Regardless of what docker distribution you use: the problem and solution are not related to the docker distribution.

Just to be clear: when I wrote “containers” I refer to OCI containers, such as those that you run on Docker. Please ask the people that created the containers to replace those containers with new containers based on a new (OCI) image tag that already includes the fix.

Hi Meyay,

Thanks for your reply.
Is there any way we can identify the container from the layer id (AUEWL7ZTSH2IAY5JMTMLSX7LEA)?

I assume we are not getting on the same page. I can’t help you if your responses ignore what I write. If you don’t understand parts, then quote those parts and underneath write in your own words what you understood.

May I suggest the following links to learn the basics and concepts:

Hi Meyay,

Understood your suggestion to replace the custom container which is using a NodeJS version with vulnerabilities.

We simply don’t patch running containers, as containers are supposed to be ephemeral runtime instances of images.

You need to find versions of the images that already include the fixes and re-deploy the containers using those images. If those are custom images made in your company, ask the people who created the images to publish new images based on base images that already include the fix.

If you have no control of the image: get in touch with the people that do, and make them create an image where all fixable vulnerabilities are fixed. You will want to ask them to migrate from Node 18 to at least Node 20, or better 22. Node 18 will stop receiving security updates in roughly 9 months (see: Node.js | endoflife.date).
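As an added example (not code from this thread, from Docker or from Canonical), here is how the overlay2 link id in the Qualys path can be mapped back to the container and image it belongs to, which answers the earlier question about AUEWL7ZTSH2IAY5JMTMLSX7LEA and tells you which image tag has to be rebuilt and redeployed. It assumes the overlay2 storage driver and the docker CLI on the host; the inventory it is run against below is constructed, with only the link id taken from the finding.

```shell
#!/bin/sh
# Added example: map an overlay2 link id (the directory name under .../overlay2/l/
# in the Qualys finding) to the container and image that use it. `docker inspect`
# reports each container's overlay dirs under GraphDriver.Data; LowerDir is a
# colon-separated list of .../overlay2/l/<LINK_ID> paths, one per image layer.
# Snap docker keeps its root under /var/snap/docker/common/var-lib-docker.

# Real host: emit "name<TAB>image<TAB>LowerDir" for every container, running or stopped.
collect_overlay_dirs() {
  for c in $(docker ps -aq); do
    docker inspect -f '{{.Name}}{{"\t"}}{{.Config.Image}}{{"\t"}}{{.GraphDriver.Data.LowerDir}}' "$c" \
      | sed 's#^/##'   # drop the leading "/" docker puts in front of container names
  done
}

# Print "name image" for each inventory line (stdin) whose LowerDir contains LINK_ID ($1).
containers_using_layer() {
  awk -v id="$1" -F'\t' '{
    n = split($3, dirs, ":")
    for (i = 1; i <= n; i++)
      if (dirs[i] ~ ("/overlay2/l/" id "$")) { print $1, $2; break }
  }'
}

# Constructed sample inventory standing in for collect_overlay_dirs output on the
# poster's host; AUEWL7ZTSH2IAY5JMTMLSX7LEA is the id from the finding, the other
# ids and the container/image names are made up.
SAMPLE_INVENTORY=$(printf 'web\tmyorg/app:1.0\t%s:%s\ndb\tpostgres:16\t%s\n' \
  /var/snap/docker/common/var-lib-docker/overlay2/l/AUEWL7ZTSH2IAY5JMTMLSX7LEA \
  /var/snap/docker/common/var-lib-docker/overlay2/l/MADEUPLINKID000000000000AA \
  /var/snap/docker/common/var-lib-docker/overlay2/l/MADEUPLINKID000000000000BB)

# On the real host:  collect_overlay_dirs | containers_using_layer AUEWL7ZTSH2IAY5JMTMLSX7LEA
# Against the constructed sample:
printf '%s\n' "$SAMPLE_INVENTORY" | containers_using_layer AUEWL7ZTSH2IAY5JMTMLSX7LEA
# -> web myorg/app:1.0
```

A hit in LowerDir means the node binary is baked into an image layer, so patching inside the container would be lost on the next restart; the fix is a new tag of that image and a replaced container, as described above.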