External security audit of KNEL-AIMiddleware before release:
- FINAL-REPORT.md: Executive summary, risk assessment, remediation roadmap
- 01-dockerfile-security.md: 38/40 containers run as root (HIGH)
- 02-shell-script-security.md: 83 missing set -e/u directives (HIGH)
- 03-docker-compose-security.md: 3 privileged services documented (MEDIUM)
- 04-secrets-audit.md: PASS - no hardcoded secrets found
- 05-vulnerability-scan.md: 14+ CVEs, 1 CRITICAL OpenSSL (golang:1.23-alpine)

Assessment: CONDITIONAL PASS for release

💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
Base Image Vulnerability Scan
- Date: 2026-02-20
- Auditor: External Security Review
- Tool: Aqua Trivy (latest)
- Scope: Base images used in project Dockerfiles
Executive Summary
| Base Image | HIGH | CRITICAL | Total | Status |
|---|---|---|---|---|
| alpine:3.20 | 0 | 0 | 0 | CLEAN |
| python:3.12-slim | 2 | 0 | 2 | ACTION REQUIRED |
| node:22-slim | 2 | 1 | 3+ | ACTION REQUIRED |
| debian:bookworm-slim | 2 | 1 | 3 | ACTION REQUIRED |
| golang:1.23-alpine | 4 | 2 | 6 | ACTION REQUIRED |
Overall Risk Level: MEDIUM once golang:1.23-alpine is rebuilt with the patched OpenSSL; as scanned, that fixable CRITICAL is the single release blocker, and the remaining HIGH/CRITICAL items are either unfixed in Debian (glibc, zlib) or confined to npm's bundled packages.
Detailed Findings
1. alpine:3.20
- Status: CLEAN
- Vulnerabilities: 0 HIGH/CRITICAL
Report Summary

```text
┌─────────────────────────────┬────────┬─────────────────┬─────────┐
│ Target                      │ Type   │ Vulnerabilities │ Secrets │
├─────────────────────────────┼────────┼─────────────────┼─────────┤
│ alpine:3.20 (alpine 3.20.9) │ alpine │        0        │    -    │
└─────────────────────────────┴────────┴─────────────────┴─────────┘
```
Recommendation: Preferred base image for new containers.
2. python:3.12-slim (debian 13.3)
- Status: ACTION REQUIRED
- Vulnerabilities: 2 HIGH, 0 CRITICAL
| Library | CVE | Severity | Status | Title |
|---|---|---|---|---|
| libc-bin | CVE-2026-0861 | HIGH | affected | glibc: Integer overflow in memalign leads to heap corruption |
| libc6 | CVE-2026-0861 | HIGH | affected | glibc: Integer overflow in memalign leads to heap corruption |
Analysis:
- CVE-2026-0861 is an integer overflow in glibc's memalign (aligned allocation) path; Trivy reports it twice because both libc6 and libc-bin are built from the same source package
- No fixed package is available from Debian at scan time
- Risk: low for these workloads as long as no attacker-controlled size or alignment reaches an aligned-allocation call; raise it for any service that parses untrusted input in native code (C extensions, image or archive libraries)
Recommendation:
- Monitor the Debian security tracker for a fixed libc6 and rebuild as soon as it lands
- Alpine-based Python images remove the glibc exposure but switch to musl, so standard manylinux wheels no longer install; confirm every dependency ships a musllinux wheel or builds cleanly from source before migrating
3. node:22-slim (debian 12.13)
- Status: ACTION REQUIRED
- Vulnerabilities: 2 HIGH, 1 CRITICAL (OS) + 14 HIGH findings in Node packages bundled with the npm CLI (6 distinct CVEs, listed below)
OS-Level Vulnerabilities
| Library | CVE | Severity | Status | Title |
|---|---|---|---|---|
| libc-bin | CVE-2026-0861 | HIGH | affected | glibc integer overflow |
| libc6 | CVE-2026-0861 | HIGH | affected | glibc integer overflow |
| zlib1g | CVE-2023-45853 | CRITICAL | will_not_fix | zlib heap-based buffer overflow |
Node Package Vulnerabilities
| Package | CVE | Severity | Installed | Fixed | Issue |
|---|---|---|---|---|---|
| glob | CVE-2025-64756 | HIGH | 10.4.5 | 11.1.0 | Command Injection via Malicious Filenames |
| minimatch | CVE-2026-26996 | HIGH | 9.0.5 | 10.2.1 | ReDoS via repeated wildcards |
| tar | CVE-2026-23745 | HIGH | 6.2.1, 7.4.3 | 7.5.3 | Arbitrary file overwrite and symlink poisoning |
| tar | CVE-2026-23950 | HIGH | 6.2.1, 7.4.3 | 7.5.4 | Arbitrary file overwrite via Unicode path collision |
| tar | CVE-2026-24842 | HIGH | 6.2.1, 7.4.3 | 7.5.7 | Arbitrary file creation via path traversal bypass |
| tar | CVE-2026-26960 | HIGH | 6.2.1, 7.4.3 | 7.5.8 | Multiple issues with default options |
Analysis:
- zlib CVE-2023-45853 is marked "will_not_fix" because the affected code is MiniZip (contrib/minizip), which Debian does not build into the zlib1g package; the shared library in the image is not the vulnerable component, so practical exposure is low unless an application bundles its own MiniZip copy
- The Node tar package has multiple HIGH file-system vulnerabilities (arbitrary file overwrite, symlink poisoning, path traversal)
- glob, minimatch and tar are dependencies of the npm CLI shipped under /usr/local/lib/node_modules/npm, not application dependencies; they execute only when npm runs, so a runtime image that never invokes npm is not exposed, while build stages that run npm install are
Recommendation:
- HIGH PRIORITY: Update tar to 7.5.8+ (the highest fixed version in the table); because these copies belong to npm, do this by upgrading the npm CLI in the image and re-scanning, or by removing npm from the final stage altogether
- HIGH PRIORITY: Update glob to 11.1.0+ or 10.5.0+ and minimatch to 10.2.1+ the same way
- Monitor the Debian zlib advisory; no bookworm package update is expected for the reason above
4. debian:bookworm-slim (debian 12.13)
- Status: ACTION REQUIRED
- Vulnerabilities: 2 HIGH, 1 CRITICAL
| Library | CVE | Severity | Status | Title |
|---|---|---|---|---|
| libc-bin | CVE-2026-0861 | HIGH | affected | glibc integer overflow |
| libc6 | CVE-2026-0861 | HIGH | affected | glibc integer overflow |
| zlib1g | CVE-2023-45853 | CRITICAL | will_not_fix | zlib heap-based buffer overflow |
Analysis:
- Same vulnerabilities as node:22-slim (same Debian base)
- The zlib finding will not be fixed in Debian 12: the vulnerable MiniZip code is not part of the zlib1g package, so the advisory is a scanner match rather than an exploitable library in the image
Recommendation:
- Consider migrating to Alpine or Debian 13 (trixie); note that python:3.12-slim above is already Debian 13 and still carries the glibc finding, so only the zlib item goes away
- Monitor security advisories
5. golang:1.23-alpine (alpine 3.22.1)
- Status: ACTION REQUIRED
- Vulnerabilities: 4 HIGH, 2 CRITICAL
| Library | CVE | Severity | Status | Fixed Version | Title |
|---|---|---|---|---|---|
| libcrypto3 | CVE-2025-15467 | CRITICAL | fixed | 3.5.5-r0 | OpenSSL: Remote code execution or DoS |
| libssl3 | CVE-2025-15467 | CRITICAL | fixed | 3.5.5-r0 | OpenSSL: Remote code execution or DoS |
Additional vulnerabilities: 4 HIGH in the Go toolchain itself (build-time only). Go 1.23 left upstream support when Go 1.25 was released in August 2025, so these toolchain CVEs will not be fixed in any golang:1.23 tag; the only remedy is moving to a supported Go minor.
Analysis:
- OpenSSL CVE-2025-15467 is rated CRITICAL with RCE potential
- A fixed Alpine package (3.5.5-r0) exists, but the image as scanned ships 3.5.1-r0
- Exposure: Go binaries use Go's own crypto/tls and do not link libssl unless built with cgo against it, so the risk sits in the build stage (tools fetching over TLS) and in any service that uses golang:1.23-alpine as its runtime image rather than only as a builder
- A fixable CRITICAL in a pinned base is the clearest release blocker in this scan
Recommendation:
- CRITICAL PRIORITY: rebuild with the patched package, either by moving to a newer golang tag whose Alpine layer already includes OpenSSL 3.5.5-r0 or by upgrading the Alpine packages (apk upgrade) as the first step of the builder stage, then re-scan and confirm libssl3 and libcrypto3 report 3.5.5-r0 or later
- Use a multi-stage build so the final image contains neither the Go toolchain nor the builder's OpenSSL
- Plan the move to a supported Go release; Go 1.23 no longer receives upstream fixes
Risk Assessment Matrix
| CVE | Severity | Exploitability | Container Impact | Overall Risk |
|---|---|---|---|---|
| CVE-2025-15467 (OpenSSL) | CRITICAL | High | High | CRITICAL |
| CVE-2023-45853 (zlib) | CRITICAL | Low | Medium | HIGH |
| CVE-2026-0861 (glibc) | HIGH | Low | Low | MEDIUM |
| CVE-2025-64756 (glob) | HIGH | Medium | Medium | HIGH |
| CVE-2026-23745 (tar) | HIGH | Medium | High | HIGH |
Remediation Priority
Immediate (Before Release)
- Update golang:1.23-alpine - OpenSSL RCE vulnerability
- Update Node tar package in affected images - Multiple file system vulnerabilities
Short Term (Post-Release)
- Update Node glob and minimatch packages
- Monitor glibc CVE-2026-0861 for patches
- Evaluate Alpine-based alternatives for Python images
Long Term
- Implement automated base image scanning in CI/CD
- Create base image update policy (monthly refresh)
- Consider distroless images for production
Base Image Recommendations
For New Services
- Prefer Alpine (alpine:3.20) - currently clean; check the Alpine release schedule before adopting it for a new service, since the two-year support window for 3.20 ends in the first half of 2026 and a later release (3.22 already underlies golang:1.23-alpine) will outlive it
- Pin to digest for reproducibility: `FROM alpine:3.20@sha256:exact-digest-here` - a digest pin also freezes the image's security state, so pair it with the scheduled refresh from the Long Term list or the pin will accumulate CVEs
- Avoid images with unfixed vulnerabilities
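A digest pin is only useful if every Dockerfile in the repository actually has one, and a scan of the text is easy to get wrong (multi-line FROM lines, `--platform` flags, stage references, `scratch`, images named through a build ARG). The following checker is an added example for this recommendation, not tooling from the audit or from the KNEL-AIMiddleware project. The Dockerfile it parses and the digests it uses are constructed placeholders, not real image digests; in practice the `digests` map is filled from `docker buildx imagetools inspect IMAGE` or the registry manifest endpoint.

```python
"""Static check that every FROM in a Dockerfile is pinned to a sha256 digest.

Added example, not part of the audit or the project's build. Digests in
SAMPLE_DOCKERFILE and the `digests` map are placeholders, not real image digests.
"""
import re

# FROM [--flag ...] <ref> [AS <stage>]  (Dockerfile keywords are case-insensitive)
FROM_RE = re.compile(
    r"^FROM\s+(?P<flags>(?:--\S+\s+)*)(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed sample covering the edge cases; the digest is a placeholder.
SAMPLE_DOCKERFILE = """\
# syntax=docker/dockerfile:1
ARG GO_IMAGE=golang:1.23-alpine
FROM --platform=$BUILDPLATFORM ${GO_IMAGE} AS builder
RUN apk upgrade --no-cache && \\
    go build -o /out/app ./cmd/app
FROM node:22-slim AS assets
FROM alpine:3.20@sha256:%s AS runtime
COPY --from=builder /out/app /app
FROM scratch
COPY --from=runtime /app /app
FROM runtime
""" % ("0" * 64)   # placeholder digest, not alpine:3.20's real one


def logical_lines(text):
    """Yield (first line number, instruction) with backslash continuations joined
    and comment/blank lines dropped, which is how the Dockerfile parser sees them."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # trailing continuation with nothing after it
        yield start, " ".join(buf)


def check_from_pins(dockerfile_text, digests=None):
    """Return one finding per FROM that is not digest-pinned.

    Stage references (FROM builder) and `scratch` are skipped. A ref built from a
    build ARG (FROM ${GO_IMAGE}) cannot be checked statically and is reported as
    'unresolved' so it is not silently passed. `digests` maps 'image:tag' to
    'sha256:<64 hex>' and, when it knows the ref, supplies the pinned rewrite.
    """
    digests = digests or {}
    stages, findings = set(), []
    for lineno, line in logical_lines(dockerfile_text):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group("ref"), m.group("stage")
        if stage:
            stages.add(stage.lower())
        if ref.lower() == "scratch" or ref.lower() in stages or DIGEST_RE.search(ref):
            continue
        if "$" in ref:
            findings.append({"line": lineno, "ref": ref, "kind": "unresolved", "suggested": None})
            continue
        digest = digests.get(ref)
        findings.append({
            "line": lineno, "ref": ref, "kind": "unpinned",
            "suggested": f"{ref}@{digest}" if digest else None,
        })
    return findings


if __name__ == "__main__":
    # Placeholder digest for the demo; a real run resolves it from the registry.
    for f in check_from_pins(SAMPLE_DOCKERFILE, {"node:22-slim": "sha256:" + "ab" * 32}):
        print(f"line {f['line']}: {f['kind']} {f['ref']}"
              + (f" -> {f['suggested']}" if f["suggested"] else ""))
```

Run it over every Dockerfile in the repository as a CI lint step; an `unresolved` finding means the base image is chosen at build time and must be pinned where the ARG default is declared, not on the FROM line.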
Image Selection Priority
1. alpine:3.20 - CLEAN
2. python:3.12-slim - 2 HIGH (glibc, no fix)
3. node:22-slim - Multiple HIGH/CRITICAL
4. debian:bookworm-slim - Multiple HIGH/CRITICAL
5. golang:1.23-alpine - CRITICAL OpenSSL (fix available)
CI/CD Integration Recommendation
```yaml
# Example GitLab CI
container_scan:
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]   # the image's entrypoint is trivy itself; clear it so `script` runs in a shell
  script:
    - trivy image --severity HIGH,CRITICAL --exit-code 1 "$IMAGE"
  only:
    - main
    - merge_requests
```

`$IMAGE` is the reference to gate and must be set by the pipeline (for example from the build job). As written, this job fails on every Debian-based image in this report, because zlib1g is `will_not_fix` and glibc has no fix yet; add `--ignore-unfixed` so that only findings with an available patch block the merge, and track the unfixed ones separately. Trivy also reads a `.trivyignore` file in which each accepted CVE can carry an expiry date, which keeps a risk acceptance from becoming permanent.
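The gate above is binary: any HIGH or CRITICAL fails the job. The remediation priority in this report is finer than that (fixable findings block the release, unfixed ones are monitored, accepted risks expire), and that policy is easiest to apply to Trivy's JSON output (`trivy image -f json -o report.json IMAGE`) rather than to its exit code. The script below is an added example of such a gate for this report's CI recommendation and remediation priority; it is not the project's tooling. The field names follow Trivy's JSON schema (`Results[].Class`, `Type`, `Target`, `Vulnerabilities[].VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `Status`); `Status` is only emitted by recent Trivy releases, so the decision keys on `FixedVersion` and uses `Status` as information only. The embedded report is constructed to mirror the node:22-slim findings above, with placeholder installed versions.

```python
"""Policy gate over a Trivy JSON report (trivy image -f json -o report.json IMAGE).

Added example, not part of the project's tooling. SAMPLE_REPORT is constructed to
mirror this document's node:22-slim findings; installed versions are placeholders.
"""
import json
from datetime import date

GATE_SEVERITIES = ("CRITICAL", "HIGH")

SAMPLE_REPORT = json.dumps({
    "ArtifactName": "node:22-slim",
    "Results": [
        {"Target": "node:22-slim (debian 12.13)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2026-0861", "PkgName": "libc6", "InstalledVersion": "2.36-x",
              "Severity": "HIGH", "Status": "affected"},
             {"VulnerabilityID": "CVE-2023-45853", "PkgName": "zlib1g", "InstalledVersion": "1.2.13-x",
              "Severity": "CRITICAL", "Status": "will_not_fix"},
         ]},
        {"Target": "usr/local/lib/node_modules/npm/package.json", "Class": "lang-pkgs",
         "Type": "node-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2026-23745", "PkgName": "tar", "InstalledVersion": "7.4.3",
              "FixedVersion": "7.5.3", "Severity": "HIGH", "Status": "fixed"},
             {"VulnerabilityID": "CVE-2025-64756", "PkgName": "glob", "InstalledVersion": "10.4.5",
              "FixedVersion": "11.1.0", "Severity": "HIGH", "Status": "fixed"},
             {"VulnerabilityID": "CVE-2026-26996", "PkgName": "minimatch", "InstalledVersion": "9.0.5",
              "FixedVersion": "10.2.1", "Severity": "HIGH", "Status": "fixed"},
         ]},
    ],
})


def triage(report_json, accepted=None, today=None, block_unfixed=False):
    """Sort HIGH/CRITICAL findings into buckets and decide the pipeline exit code.

    accepted: {CVE id: "YYYY-MM-DD"} risk acceptances with an expiry (the same idea
    as dated entries in a .trivyignore file); an expired acceptance no longer counts
    and the finding is listed under "expired" as well as its normal bucket.
    Findings with a FixedVersion always block. Findings without one (Debian
    "affected" / "will_not_fix") block only when block_unfixed=True; otherwise they
    are reported so someone keeps monitoring them.
    """
    accepted = accepted or {}
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    buckets = {"blocking": [], "unfixed": [], "accepted": [], "expired": []}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in GATE_SEVERITIES:
                continue
            finding = {
                "id": v["VulnerabilityID"], "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion"), "fixed": v.get("FixedVersion"),
                "severity": v["Severity"], "status": v.get("Status", "unknown"),
                "class": result.get("Class"), "target": result.get("Target"),
            }
            expiry = accepted.get(finding["id"])
            if expiry is not None:
                if date.fromisoformat(expiry) >= today:
                    buckets["accepted"].append(finding)
                    continue
                buckets["expired"].append(finding)  # fall through: no longer accepted
            if finding["fixed"]:
                buckets["blocking"].append(finding)
            else:
                buckets["unfixed"].append(finding)
    fail = bool(buckets["blocking"]) or (block_unfixed and bool(buckets["unfixed"]))
    buckets["exit_code"] = 1 if fail else 0
    return buckets


def format_report(buckets):
    """One line per finding, grouped so the CI log shows why the gate failed."""
    lines = []
    for name in ("blocking", "unfixed", "expired", "accepted"):
        for f in buckets[name]:
            fix = f"fix {f['fixed']}" if f["fixed"] else f"no fix ({f['status']})"
            lines.append(f"[{name.upper()}] {f['severity']} {f['id']} {f['pkg']} "
                         f"{f['installed']} -> {fix} [{f['class']}]")
    lines.append(f"exit code: {buckets['exit_code']}")
    return lines


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    # Example acceptance: the Debian zlib "will_not_fix" item, reviewed again mid-2026.
    result = triage(data, accepted={"CVE-2023-45853": "2026-06-30"})
    print("\n".join(format_report(result)))
    sys.exit(result["exit_code"])
```

On the sample report the gate fails on the three npm-bundled packages (fix versions exist) and lists glibc and zlib as unfixed without failing on them, which is exactly the split between "Immediate" and "Short Term" in the Remediation Priority section. Keep the acceptance list in the repository next to the Dockerfiles so that its expiry dates are reviewed with the same cadence as the base-image refresh.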
Scanning Methodology
```shell
# Commands used
docker pull aquasec/trivy:latest
docker run --rm aquasec/trivy:latest image --severity HIGH,CRITICAL --quiet alpine:3.20
docker run --rm aquasec/trivy:latest image --severity HIGH,CRITICAL --quiet python:3.12-slim
docker run --rm aquasec/trivy:latest image --severity HIGH,CRITICAL --quiet node:22-slim
docker run --rm aquasec/trivy:latest image --severity HIGH,CRITICAL --quiet debian:bookworm-slim
docker run --rm aquasec/trivy:latest image --severity HIGH,CRITICAL --quiet golang:1.23-alpine
```
Positive Findings
- Alpine images are clean - Good baseline option available
- Fixes available for most vulnerabilities
- No secrets in images - Confirmed by Trivy scan
- Reasonable image selection - Using official images