76 critical 125 major and 6 minor vulnerabilities


#1

Rocket.Chat 0.72.0 has 76 critical 125 major and 6 minor vulnerabilities when scanned by Docker DTR.

By running the code below in my Docker file it reduces to 37 Critical 56 Major 5 Minor 1 Hidden
&& npm i npa@latest -g
&& npm update -g

There are the 37 Critical one I have left but I cannot figure out how to fix these. I have tried updating them but nothing works. Does anyone have ideas or have figure a way to fix these vulnerabilities?
pcre
8.31
17 Critical4 Major

libpng
1.6.12
5 Critical1 Major

libpng
1.5.10
4 Critical5 Major

sqlite3
3.7.7.1
4 Critical1 Major

zlib
1.2.5
2 Critical2 Major

kerberos
1.12.1+dfsg-19+deb8u4
1 Critical3 Major

libicu
52.1-8+deb8u7
1 Critical1 Major

glibc
2.19-18+deb8u10
1 Critical

cryptsetup
1.6.6-5
1 Critical

kerberos
1 Critical

I am using this Dockerfile as my base.


#2

Seems most of these are in the Debian base. I wrestled with this actually for several days before I swapped Debian out for alpine.

May be of interest?


#4

Wow this thing is huge! 1.13GB rocketchat/rocket.chat:0.71.1-1


#5

My local stats for sure did not read 1.3 Gig.

Sadly this is the downside to nodejs and npm. By time you do npm install things definitely grow.

But our scans through Claire returned no issues. I’m guessing the big part is since using musl instead of the usual libc variants


#6

There it is haha
rocketchat/rocket.chat 0.71.1-1 481dc2c89675 5 weeks ago 1.13GB

I am going to run it through my corps Aqua scanning. Ill let you know if we find any vulnerabilities.


#7

Sounds good! Please let me know how it goes :+1:


#8

Well we scan with Aqua: I will post what they are when I look at them today.

  • 56 High
  • 93 Medium
  • 44 Low
  • 0 Negligible

#9

These are only the high ones
Scan Report: rocket.chat:0.72.1-1
Name Resource Severity Score Fix Version
WS-2018-0111 /app/bundle/programs/server/npm/node_modules/base64-url/index.js high 8.6 2.0.0
WS-2018-0084 sshpk high 7 None
WS-2016-0035 tough-cookie high 7 2.3.0
WS-2015-0024 uglify-js high 7 2.4.24.
WS-2015-0024 uglify-js high 7 2.4.24.
WS-2018-0084 sshpk high 7 None
WS-2016-0035 tough-cookie high 7 2.3.0
WS-2015-0024 uglify-js high 7 2.4.24.
WS-2018-0084 /app/bundle/programs/server/npm/node_modules/meteor/http/node_modules/sshpk/lib/formats/ssh.js high 8 None
WS-2017-0314 fresh high 7 None
CVE-2017-16119 fresh high 7 None
WS-2016-0037 negotiator high 7 0.6.1
WS-2016-0017 negotiator high 7 0.6.1
WS-2017-0330 mime high 7 None
CVE-2017-16138 mime high 7 None
WS-2017-0422 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_accounts/node_modules/moment/min/moment.min.js high 7.5 2.19.3
WS-2017-0422 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_accounts/node_modules/moment/min/moment-with-locales.min.js high 7.5 2.19.3
WS-2017-0422 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_accounts/node_modules/moment/moment.js high 7.5 2.19.3
WS-2017-0422 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_accounts/node_modules/moment/min/moment-with-locales.js high 7.5 2.19.3
WS-2017-0422 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_accounts/node_modules/moment/src/lib/parse/regex.js high 7.5 2.19.3
CVE-2017-16118 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_grant/node_modules/forwarded/index.js high 7.5 None
WS-2017-0313 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_grant/node_modules/forwarded/index.js high 7.5 None
WS-2018-0084 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_grant/node_modules/sshpk/lib/formats/ssh.js high 8 None
WS-2017-0422 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_graphql/node_modules/moment/min/moment-with-locales.js high 7.5 2.19.3
WS-2017-0422 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_graphql/node_modules/moment/min/moment-with-locales.min.js high 7.5 2.19.3
WS-2017-0422 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_graphql/node_modules/moment/min/moment.min.js high 7.5 2.19.3
WS-2017-0422 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_graphql/node_modules/moment/moment.js high 7.5 2.19.3
WS-2017-0422 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_graphql/node_modules/moment/src/lib/parse/regex.js high 7.5 2.19.3
WS-2018-0111 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_internal-hubot/node_modules/base64-url/index.js high 8.6 2.0.0
WS-2016-0017 /app/bundle/programs/server/npm/node_modules/meteor/rocketchat_internal-hubot/node_modules/negotiator/lib/language.js high 7.5 0.6.1
WS-2017-0255 pidusage high 7 None
WS-2018-0084 sshpk high 7 None
WS-2016-0037 negotiator high 7 0.6.1
WS-2016-0017 negotiator high 7 0.6.1
WS-2017-0314 fresh high 7 None
CVE-2017-16119 fresh high 7 None
WS-2017-0313 forwarded high 7 None
CVE-2017-16118 forwarded high 7 None
WS-2017-0330 mime high 7 None
CVE-2017-16138 mime high 7 None
WS-2016-0037 negotiator high 7 0.6.1
WS-2016-0017 negotiator high 7 0.6.1
WS-2018-0111 base64-url high 7 2.0.0
WS-2016-0037 negotiator high 7 0.6.1
WS-2016-0017 negotiator high 7 0.6.1
WS-2018-0111 base64-url high 7 2.0.0
WS-2017-0314 fresh high 7 None
CVE-2017-16119 fresh high 7 None
WS-2017-0328 method-override high 7 None
WS-2016-0037 negotiator high 7 0.6.1
WS-2016-0017 negotiator high 7 0.6.1
WS-2017-0330 mime high 7 None
CVE-2017-16138 mime high 7 None
WS-2016-0017 /app/bundle/programs/server/npm/node_modules/negotiator/lib/language.js high 7.5 0.6.1
CVE-2018-3774 /app/bundle/programs/server/npm/node_modules/url-parse/index.js high 8 None
CVE-2018-12699 binutils high 7.5 None


#10

Well I guess good news is alpine seems to have removed most of the container level issues. But a lot of things in the npm packages.

@rodrigo.nascimento @diego.sampaio :top: just so on your radar.


#11

Would I include this inside your file if I wanted to update base64url and sshpk and the rest of the vulnerabilities? Look at the end of the file…this is just an example.

FROM node:8.12-alpine

RUN apk add python make g++ libc6-compat ttf-dejavu

ADD . /app

RUN set -x \
 && cd /app/bundle/programs/server \
 && npm install \
 && npm cache clear --force \
 && npm update base64url@2.2.0 \
 && npm update sshpk@1.15.2 \

#12

Technically yes… but doing so could have unintended side effects


#13

How could we fix those vulnerabilities? So the image has none when scanned by Aqua?


#14

Clone source, update the dependencies that have the vulnerabilities. Test that nothing breaks… then open a PR and get those changes merged. Of course before hand building bundle and image and running through aqua.


#15

Recent update!
Here is the dockerfile we created that now has:

  • 12 High

  • 74 Medium

  • 12 Low

  • 74 Negligible
    These are the Highs
    WS-2015-0012
    WS-2017-0422
    CVE-2017-16111
    WS-2017-0306
    CVE-2016-2515
    WS-2018-0085
    WS-2018-0084

    FROM node:8.15-slim
    
    RUN echo 'Acquire::http::Proxy "http://proxy";' >> /etc/apt/apt.conf && \
      echo 'Acquire::https::Proxy "http://proxy";' >> /etc/apt/apt.conf && \
      export https_proxy=http://proxy && \
      export http_proxy=http://proxy && \
      export no_proxy='localhost,127.0.0.1,*.amazonaws.com' && \
      apt-get update && \
      apt-get upgrade -y && \
      apt-get install libcurl3 python make g++ build-essential git-core ca-certificates -y && \
      apt-get autoremove -y
    
    RUN groupadd -r rocketchat \
    &&  useradd -r -g rocketchat rocketchat \
    &&  mkdir -p /app/uploads \
    &&  chown rocketchat.rocketchat /app/uploads
    
    VOLUME /app/uploads
    
    RUN export https_proxy=http://proxy && \
      export http_proxy=http://proxy && \
      export no_proxy='localhost,127.0.0.1,*.amazonaws.com' && \
      gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 0E163286C20D07B9787EBE9FD7F9D0414FD08104
    
    ENV RC_VERSION 0.73.2
    
    WORKDIR /app
    
    RUN export https_proxy=http://proxy && \
      export http_proxy=http://proxy && \
      export no_proxy='localhost,127.0.0.1,*.amazonaws.com' && \
      curl -fSL "https://github.com/RocketChat/Rocket.Chat/archive/0.73.2.tar.gz" -o rocket.chat.tgz && \
      tar zxf rocket.chat.tgz && \
      cd Rocket.Chat-${RC_VERSION}/server && ls -al && \
      npm install
    
    USER rocketchat
    WORKDIR /app/bundle
    # needs a mongoinstance - defaults to container linking with alias 'db'
    ENV DEPLOY_METHOD=docker-official \
        MONGO_URL=mongodb://db:27017/meteor \
        HOME=/tmp \
        PORT=3000 \
        ROOT_URL=http://localhost:3000 \
        Accounts_AvatarStorePath=/app/uploads
    
    EXPOSE 3000
    
    CMD ["node", "main.js"]
    
    # Aqua microscanner section for quick scanning
    #USER root
    #RUN export https_proxy=http://proxy && \
    #  export http_proxy=http://proxy && \
    #  curl -fSL https://get.aquasec.com/microscanner -o microscanner
    #RUN chmod +x microscanner
    #ARG token
    #RUN export https_proxy=http://proxy && \
    #  export http_proxy=http://proxy && \
    #  ./microscanner ${token} --continue-on-failure && rm -f microscanner

#16

The problem we are having with the image i posted is that the CMD cannot find the main.js. What would we change the CMD line to so RC will work? The image builds but not the container / service when you use the image. I know the WORKDIR has to change because when you unzip the tar file the files change. BUT I have not found a main.js that would work. What other file should we use to get RC up and running in the CMD section?

Error we get

module.js:549

throw err;

^

Error: Cannot find module ‘/app/bundle/main.js’

at Function.Module._resolveFilename (module.js:547:15)

at Function.Module._load (module.js:474:25)

at Function.Module.runMain (module.js:693:10)

at startup (bootstrap_node.js:191:16)

at bootstrap_node.js:612:3


#17

Can you post your updated dockerfile? Might be able to help you track down the issue