KNEL-AIMiddleware/docs/audit/2026-02-20/05-vulnerability-scan.md

# Base Image Vulnerability Scan

**Date:** 2026-02-20
**Auditor:** External Security Review
**Tool:** Aqua Trivy (latest)
**Scope:** Base images used in project Dockerfiles

## Executive Summary

| Base Image | HIGH | CRITICAL | Total | Status |
|------------|------|----------|-------|--------|
| alpine:3.20 | 0 | 0 | 0 | CLEAN |
| python:3.12-slim | 2 | 0 | 2 | ACTION REQUIRED |
| node:22-slim | 2 | 1 | 3+ | ACTION REQUIRED |
| debian:bookworm-slim | 2 | 1 | 3 | ACTION REQUIRED |
| golang:1.23-alpine | 4 | 2 | 6 | ACTION REQUIRED |

**Overall Risk Level:** MEDIUM

---

## Detailed Findings

### 1. alpine:3.20

**Status:** CLEAN
**Vulnerabilities:** 0 HIGH/CRITICAL

```
Report Summary
┌─────────────────────────────┬────────┬─────────────────┬─────────┐
│           Target            │  Type  │ Vulnerabilities │ Secrets │
├─────────────────────────────┼────────┼─────────────────┼─────────┤
│ alpine:3.20 (alpine 3.20.9) │ alpine │        0        │    -    │
└─────────────────────────────┴────────┴─────────────────┴─────────┘
```

**Recommendation:** Preferred base image for new containers.

---

### 2. python:3.12-slim (debian 13.3)

**Status:** ACTION REQUIRED
**Vulnerabilities:** 2 HIGH, 0 CRITICAL

| Library | CVE | Severity | Status | Title |
|---------|-----|----------|--------|-------|
| libc-bin | CVE-2026-0861 | HIGH | affected | glibc: Integer overflow in memalign leads to heap corruption |
| libc6 | CVE-2026-0861 | HIGH | affected | glibc: Integer overflow in memalign leads to heap corruption |

**Analysis:**
- glibc vulnerability CVE-2026-0861 affects memory allocation
- No fix currently available from Debian
- Risk: Low for containerized workloads (no untrusted memory allocation)

**Recommendation:** 
- Monitor for security updates
- Consider Alpine-based Python images if risk is unacceptable

---

### 3. node:22-slim (debian 12.13)

**Status:** ACTION REQUIRED
**Vulnerabilities:** 2 HIGH, 1 CRITICAL (OS) + 14 HIGH (Node packages)

#### OS-Level Vulnerabilities

| Library | CVE | Severity | Status | Title |
|---------|-----|----------|--------|-------|
| libc-bin | CVE-2026-0861 | HIGH | affected | glibc integer overflow |
| libc6 | CVE-2026-0861 | HIGH | affected | glibc integer overflow |
| zlib1g | CVE-2023-45853 | CRITICAL | will_not_fix | zlib heap-based buffer overflow |

#### Node Package Vulnerabilities

| Package | CVE | Severity | Installed | Fixed | Issue |
|---------|-----|----------|-----------|-------|-------|
| glob | CVE-2025-64756 | HIGH | 10.4.5 | 11.1.0 | Command Injection via Malicious Filenames |
| minimatch | CVE-2026-26996 | HIGH | 9.0.5 | 10.2.1 | ReDoS via repeated wildcards |
| tar | CVE-2026-23745 | HIGH | 6.2.1, 7.4.3 | 7.5.3 | Arbitrary file overwrite and symlink poisoning |
| tar | CVE-2026-23950 | HIGH | 6.2.1, 7.4.3 | 7.5.4 | Arbitrary file overwrite via Unicode path collision |
| tar | CVE-2026-24842 | HIGH | 6.2.1, 7.4.3 | 7.5.7 | Arbitrary file creation via path traversal bypass |
| tar | CVE-2026-26960 | HIGH | 6.2.1, 7.4.3 | 7.5.8 | Multiple issues with default options |

**Analysis:**
- zlib CVE-2023-45853 marked "will_not_fix" - architectural limitation in Debian
- Node tar package has multiple critical file system vulnerabilities
- These are build-time dependencies, reducing runtime risk

**Recommendation:**
- **HIGH PRIORITY:** Update tar package to 7.5.8+
- **HIGH PRIORITY:** Update glob to 11.1.0+ or 10.5.0+
- Monitor for Debian zlib security advisory

---

### 4. debian:bookworm-slim (debian 12.13)

**Status:** ACTION REQUIRED
**Vulnerabilities:** 2 HIGH, 1 CRITICAL

| Library | CVE | Severity | Status | Title |
|---------|-----|----------|--------|-------|
| libc-bin | CVE-2026-0861 | HIGH | affected | glibc integer overflow |
| libc6 | CVE-2026-0861 | HIGH | affected | glibc integer overflow |
| zlib1g | CVE-2023-45853 | CRITICAL | will_not_fix | zlib heap-based buffer overflow |

**Analysis:**
- Same vulnerabilities as node:22-slim (same Debian base)
- zlib vulnerability won't be fixed in Debian 12

**Recommendation:**
- Consider migrating to Alpine or Debian 13
- Monitor security advisories

---

### 5. golang:1.23-alpine (alpine 3.22.1)

**Status:** ACTION REQUIRED
**Vulnerabilities:** 4 HIGH, 2 CRITICAL

| Library | CVE | Severity | Status | Fixed Version | Title |
|---------|-----|----------|--------|---------------|-------|
| libcrypto3 | CVE-2025-15467 | CRITICAL | fixed | 3.5.5-r0 | OpenSSL: Remote code execution or DoS |
| libssl3 | CVE-2025-15467 | CRITICAL | fixed | 3.5.5-r0 | OpenSSL: Remote code execution or DoS |

**Additional vulnerabilities:** 4 HIGH related to Go toolchain (affects build only)

**Analysis:**
- OpenSSL CVE-2025-15467 is CRITICAL with RCE potential
- Fix available (3.5.5-r0) but current image uses 3.5.1-r0
- This is a significant security issue

**Recommendation:**
- **CRITICAL PRIORITY:** Update base image or rebuild with updated packages
- Alpine 3.22.1 should be updated to include OpenSSL fix

---

## Risk Assessment Matrix

| CVE | CVSS | Exploitability | Container Impact | Overall Risk |
|-----|------|----------------|------------------|--------------|
| CVE-2025-15467 (OpenSSL) | CRITICAL | High | High | CRITICAL |
| CVE-2023-45853 (zlib) | CRITICAL | Low | Medium | HIGH |
| CVE-2026-0861 (glibc) | HIGH | Low | Low | MEDIUM |
| CVE-2025-64756 (glob) | HIGH | Medium | Medium | HIGH |
| CVE-2026-23745 (tar) | HIGH | Medium | High | HIGH |

---

## Remediation Priority

### Immediate (Before Release)

1. **Update golang:1.23-alpine** - OpenSSL RCE vulnerability
2. **Update Node tar package** in affected images - Multiple file system vulnerabilities

### Short Term (Post-Release)

3. **Update Node glob and minimatch** packages
4. **Monitor glibc CVE-2026-0861** for patches
5. **Evaluate Alpine-based alternatives** for Python images

### Long Term

6. **Implement automated base image scanning** in CI/CD
7. **Create base image update policy** (monthly refresh)
8. **Consider distroless images** for production

---

## Base Image Recommendations

### For New Services

1. **Prefer Alpine** (alpine:3.20) - currently clean
2. **Pin to digest** for reproducibility:
   ```dockerfile
   FROM alpine:3.20@sha256:exact-digest-here
   ```

3. **Avoid images with unfixed vulnerabilities**

### Image Selection Priority

1. `alpine:3.20` - CLEAN
2. `python:3.12-slim` - 2 HIGH (glibc, no fix)
3. `node:22-slim` - Multiple HIGH/CRITICAL
4. `debian:bookworm-slim` - Multiple HIGH/CRITICAL
5. `golang:1.23-alpine` - CRITICAL OpenSSL (fix available)

---

## CI/CD Integration Recommendation

```yaml
# Example GitLab CI
container_scan:
  image: aquasec/trivy:latest
  script:
    - trivy image --severity HIGH,CRITICAL --exit-code 1 $IMAGE
  only:
    - main
    - merge requests
```

---

## Scanning Methodology

```bash
# Commands used
docker pull aquasec/trivy:latest

docker run --rm aquasec/trivy:latest image --severity HIGH,CRITICAL --quiet alpine:3.20
docker run --rm aquasec/trivy:latest image --severity HIGH,CRITICAL --quiet python:3.12-slim
docker run --rm aquasec/trivy:latest image --severity HIGH,CRITICAL --quiet node:22-slim
docker run --rm aquasec/trivy:latest image --severity HIGH,CRITICAL --quiet debian:bookworm-slim
docker run --rm aquasec/trivy:latest image --severity HIGH,CRITICAL --quiet golang:1.23-alpine
```

---

## Positive Findings

1. **Alpine images are clean** - Good baseline option available
2. **Fixes available** for most vulnerabilities
3. **No secrets in images** - Confirmed by Trivy scan
4. **Reasonable image selection** - Using official images