
zlib vulnerability in image

Hello,

I recently noticed that some of the artifact registry images have been tagged with zlib vulnerability. I am not sure how to upgrade to newer version. I do not have much experience with this, any pointer?

Please let me know if you need specific information.

[attached screenshot: moonking_0-1678242723334.png]

The fix seems to be there in the OS, why are the new builds not getting them automatically?

[attached screenshot: moonking_1-1678242778852.png]


Hello @moonking,

The alpine:3.15 image is vulnerable to the zlib CVE-2022-37434.

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. Note that only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference). You can find detailed information about this security vulnerability here: Out-of-bounds Write, CVE-2022-37434 Detail.

While this issue has been resolved in some versions of the alpine image, it remains open in others. You can review the following GitHub issues for more information:

https://github.com/alpinelinux/docker-alpine/issues/290
https://github.com/alpinelinux/docker-alpine/issues/279
https://github.com/alpinelinux/docker-alpine/issues/276

The Alpine Linux project has announced that releases 3.13.12, 3.14.8, 3.15.6, and 3.16.2 fix the zlib CVE-2022-37434 vulnerability. You can find more information here: https://www.alpinelinux.org/posts/Alpine-3.13.12-3.14.8-3.15.6-3.16.2-released.html
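An added example, not part of the original thread or of any Alpine or Google Cloud tooling: a POSIX shell helper that decides whether an Alpine release string is at or past the releases named in the announcement above (3.13.12, 3.14.8, 3.15.6, 3.16.2), plus a wrapper that reads /etc/alpine-release out of a local image with docker. It assumes that every series newer than 3.16 shipped with the fix, that series older than 3.13 never received it, and that the image is Alpine-based; the image name passed to check_image is whatever you want to audit.

```shell
#!/bin/sh
# Added example: triage Alpine-based images against the CVE-2022-37434
# fix releases announced by the Alpine project (3.13.12, 3.14.8, 3.15.6,
# 3.16.2). Assumption: series after 3.16 carry the fix, series before
# 3.13 never got it.

# alpine_fixed MAJOR.MINOR[.PATCH]
# exit 0 when the release is at or past the fix for its series, 1 otherwise.
# A bare "3.15" (the tag a Dockerfile usually names) is treated as 3.15.0,
# i.e. unknown patch level, so it is reported as not yet verified fixed.
alpine_fixed() {
    rel="$1"
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    pt=${rest#*.}
    [ "$pt" = "$rest" ] && pt=0          # no patch component present
    case "$major.$minor" in
        3.13) need=12 ;;
        3.14) need=8 ;;
        3.15) need=6 ;;
        3.16) need=2 ;;
        *)
            # Assumption: anything older than 3.13 is unsupported and
            # unpatched; anything newer than 3.16 was released after the fix.
            if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 13 ]; }; then
                return 1
            fi
            return 0 ;;
    esac
    [ "$pt" -ge "$need" ]
}

# check_image IMAGE
# Reads /etc/alpine-release from the image (requires docker and a pulled or
# pullable image) and reports whether a rebuild onto a patched base is needed.
# Exit 0 = fixed, 1 = still on a vulnerable release, 2 = could not inspect.
check_image() {
    img="$1"
    r=$(docker run --rm "$img" cat /etc/alpine-release 2>/dev/null) || return 2
    if alpine_fixed "$r"; then
        echo "$img: alpine $r (at or past the CVE-2022-37434 fix release)"
        return 0
    fi
    echo "$img: alpine $r (before the fix release; rebuild from a patched base tag)"
    return 1
}

# Usage: ./check.sh alpine:3.15 gcr.io/your-project/your-image:tag
# (arguments are whatever images you want to audit; none are assumed here)
for image in "$@"; do
    check_image "$image"
done
```

The reason a rebuild may not pick the fix up on its own is visible with this check: a Dockerfile that says `FROM alpine:3.15` only gets a patched base if the builder actually re-pulls the moving `3.15` tag (a cached layer or a digest pin keeps the old base), so after rebuilding, run `check_image` against the freshly built image rather than trusting the tag.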
