Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Vulnerabilities in PostgreSQL Image: Request for Guidance #138

Closed
SanduDS opened this issue Jan 20, 2025 · 7 comments
Closed

Security Vulnerabilities in PostgreSQL Image: Request for Guidance #138

SanduDS opened this issue Jan 20, 2025 · 7 comments

Comments

@SanduDS
Copy link

SanduDS commented Jan 20, 2025

Issue Description

We are using the PostgreSQL image (17) based on Debian OS (Bookworm) with CloudNativePG in our Kubernetes cluster. While scanning the image for vulnerabilities, we identified several critical issues. We need guidance from the CNPG community to address these vulnerabilities in the image version used by CNPG.

Critical Vulnerabilities Identified

  1. CVE-2023-45853:

    • Package: zlib1g
    • Description: Integer overflow in zipOpenNewFileInZip4_6 leads to a heap-based buffer overflow.
    • Severity: Critical
    • Status: will_not_fix

  2. CVE-2023-24538:

    • Package: Go runtime (html/template)
    • Description: Backticks are not treated as string delimiters, which may allow code injection.
    • Severity: Critical
    • Status: Fixed in Go v1.18.2, v1.19.8, v1.20.3

  3. CVE-2023-24540:

    • Package: Go runtime (html/template)
    • Description: Improper handling of JavaScript whitespace could allow XSS attacks.
    • Severity: Critical
    • Status: Fixed in Go v1.19.9, v1.20.4

  4. CVE-2024-24790:

    • Package: Go runtime (net/netip)
    • Description: Unexpected behavior in Is methods for IPv4-mapped IPv6 addresses could bypass IP-based restrictions.
    • Severity: High
    • Status: Fixed in Go v1.21.11, v1.22.4

Impact on Cluster Security

While PostgreSQL itself is not directly impacted, associated vulnerabilities in the image pose a risk:

  • Possible code injection or XSS attacks from Go-based utilities using vulnerable html/template.
  • Improper IP-based access control due to net/netip issues.
  • Heap-based buffer overflow risk from zlib, potentially allowing malicious data processing.

Request for Guidance

  1. Are there updated PostgreSQL images compatible with CNPG that address these vulnerabilities?
  2. If not, what is the recommended approach to mitigate these issues in the current image version?
  3. Should we consider custom-building an image with patched dependencies? If so, are there any best practices for ensuring compatibility with CNPG?

Environment Details

  • CNPG Version: 1.25.0
  • PostgreSQL Image Version: 17.2-28-bookworm

We look forward to the community's insights and recommendations. Thank you!
@sathieu sathieu mentioned this issue Jan 22, 2025
Open
@sathieu
Copy link

sathieu commented Jan 22, 2025

Possible way forward: use alpine (#78), but it currently has the same number of vulnerabilities:

Image

Image

ref

@gbartolini
Copy link
Contributor

@SanduDS, we are transitioning away from the official Postgres image and are now in the process of approving a new build process that includes Software Bill of Materials (SBOMs) and signatures. Currently, the images are published in the "postgresql-testing" repository. Could you please evaluate them?

For example, you can check ghcr.io/cloudnative-pg/postgresql-testing:17.2-202501221134-minimal-bookworm.

Thank you!

@SanduDS
Copy link
Author

SanduDS commented Feb 21, 2025

@SanduDS, we are transitioning away from the official Postgres image and are now in the process of approving a new build process that includes Software Bill of Materials (SBOMs) and signatures. Currently, the images are published in the "postgresql-testing" repository. Could you please evaluate them?

For example, you can check ghcr.io/cloudnative-pg/postgresql-testing:17.2-202501221134-minimal-bookworm.

Thank you!

@gbartolini Are you confident enough to recommend images published under postgresql-testing to be used in production deployments?
Asking this, simply because all images are currently published under a repo name having -testing phrase.

@sxd
Copy link
Member

sxd commented Mar 7, 2025

Closing this, the new images are better and already in production. Please if there's any further issues, open a new issue

@sxd sxd closed this as completed Mar 7, 2025
@cthtrifork
Copy link

@sxd
What has been improved? Are you referring to SBOM or has there been any updates on vulnerabilities?

Image

@sxd
Copy link
Member

sxd commented Mar 7, 2025

@cthtrifork yes, but if you share a screenshot I can't tell you what was the CVE in question, and you should point thae CVE not a messages saying "vulnerabilities", also, keep in mind that we cannot fix CVEs in the OS.
On the other hand, please if you find something create a proper issue for this

@cthtrifork
Copy link

cthtrifork commented Mar 7, 2025
edited
Loading

Ah the information of your referred changes is available here:
https://github.com/cloudnative-pg/postgres-containers?tab=readme-ov-file#standard-images

Image

Looks good!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@gbartolini @sathieu @sxd @SanduDS @cthtrifork