Closed
Description
Hello,
We are using gcr.io/distroless/base as a base image for some applications. As per the last upload time December 21, 2020 at 6:26:30 PM UTC+1:
FROM gcr.io/distroless/base@sha256:0c5d357a80ab1315ef55f05be174a82e10d09fb2fd7dfcc3c44ebdde6f10c51e
we can see that there are 29 open CVEs (reported by the goog-vulnz provider):
| Effective severity | CVSS | Fix available | Package | Documentation |
|---|---|---|---|---|
| High | 7.2 | — | glibc | CVE-2018-1000001 |
| High | 7.5 | — | glibc | CVE-2019-9169 |
| High | 7.5 | — | glibc | CVE-2018-6551 |
| High | 7.5 | — | glibc | CVE-2018-6485 |
| Medium | 5 | — | glibc | CVE-2009-5155 |
| Medium | 5.9 | — | glibc | CVE-2020-1751 |
| Medium | 4.6 | — | glibc | CVE-2016-10739 |
| Medium | 4.3 | — | glibc | CVE-2017-12132 |
| Low | 5 | — | glibc | CVE-2019-9192 |
| Low | 5 | — | glibc | CVE-2010-4051 |
| Low | 5 | — | glibc | CVE-2018-20796 |
| Low | 5 | — | glibc | CVE-2019-1010025 |
| Low | 3.7 | — | glibc | CVE-2020-1752 |
| Low | 5.8 | — | openssl | CVE-2007-6755 |
| Low | 4 | — | glibc | CVE-2010-4756 |
| Low | 2.1 | — | glibc | CVE-2019-19126 |
| Low | 5 | — | openssl | CVE-2019-1551 |
| Low | 6.8 | — | glibc | CVE-2020-6096 |
| Low | 4.6 | — | glibc | CVE-2019-6488 |
| Low | 5 | — | glibc | CVE-2019-1010024 |
| Low | 7.5 | — | glibc | CVE-2019-1010022 |
| Low | 4 | — | openssl | CVE-2010-0928 |
| Low | 4.3 | — | glibc | CVE-2016-10228 |
| Low | 6.8 | — | glibc | CVE-2019-1010023 |
| Low | 4.3 | — | glibc | CVE-2015-8985 |
| Low | 5 | — | glibc | CVE-2010-4052 |
| Low | 2.1 | — | glibc | CVE-2020-10029 |
| Low | 2.1 | — | glibc | CVE-2019-7309 |
| Unspecified | 0 | — | glibc | CVE-2020-27618 |
After looking at this answer, we can see that there are some CVEs that have been fixed in debian:buster but not in distroless:
CVE-2018-1000001
CVE-2019-9169
CVE-2018-6551
CVE-2018-6485
CVE-2009-5155
CVE-2016-10739
CVE-2015-8985
Best,
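The comparison the report ends with, which CVEs Debian has already fixed in buster while the pinned image still carries the vulnerable build, comes down to two mechanical steps: map each installed binary package (libc6, libssl1.1) to its source package (glibc, openssl), then compare the installed version with the `fixed_version` the Debian security tracker records for that CVE in buster, using dpkg's version ordering rather than a string compare. The script below is an added example to illustrate that triage; it is not the reporter's code and not part of the distroless project. It assumes distroless keeps one dpkg status file per package under `/var/lib/dpkg/status.d/` (read here from constructed strings), that the fix data has the shape of the tracker's JSON export (`security-tracker.debian.org/tracker/data/json`), and every CVE id and version in the sample data is a placeholder, not one of the CVEs or versions from the table above.

```python
import re

# Constructed stand-in for /var/lib/dpkg/status.d/* copied out of a distroless
# image (assumption: one dpkg status file per package). Versions are illustrative.
STATUS_D = {
    "libc6": "Package: libc6\nSource: glibc\nVersion: 2.28-10\nArchitecture: amd64\n",
    "libssl1.1": "Package: libssl1.1\nSource: openssl (1.1.1d-0+deb10u3)\nVersion: 1.1.1d-0+deb10u3\n",
}

# Constructed, shaped like the Debian security tracker JSON export:
# source package -> CVE -> "releases" -> codename -> status / fixed_version.
# CVE ids are placeholders; "fixed_version": "0" is how the tracker marks "not affected".
TRACKER = {
    "glibc": {
        "CVE-0000-0001": {"releases": {"buster": {"status": "resolved", "fixed_version": "2.28-10+deb10u1"}}},
        "CVE-0000-0002": {"releases": {"buster": {"status": "resolved", "fixed_version": "2.27-1"}}},
        "CVE-0000-0003": {"releases": {"buster": {"status": "open"}}},
        "CVE-0000-0004": {"releases": {"buster": {"status": "resolved", "fixed_version": "0"}}},
    },
    "openssl": {
        "CVE-0000-0005": {"releases": {"buster": {"status": "resolved", "fixed_version": "1.1.1d-0+deb10u4"}}},
    },
    "curl": {  # source not installed in the image: must be ignored, not reported
        "CVE-0000-0006": {"releases": {"buster": {"status": "open"}}},
    },
}


def _order(c):
    """dpkg's character weight: '~' sorts before end-of-string, letters before symbols."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """dpkg's verrevcmp on one fragment: alternate non-digit runs and numeric runs."""
    while a or b:
        sa = re.match(r"[^0-9]*", a).group()
        sb = re.match(r"[^0-9]*", b).group()
        for i in range(max(len(sa), len(sb))):
            ca = _order(sa[i]) if i < len(sa) else 0  # end-of-run (digit or end) weighs 0
            cb = _order(sb[i]) if i < len(sb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        a, b = a[len(sa):], b[len(sb):]
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        na, nb = int(da or 0), int(db or 0)  # numeric, so 10 > 9 and leading zeros are ignored
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def deb_version_cmp(v1, v2):
    """Return -1, 0 or 1 comparing two Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        if not sep:
            upstream, rev = rest, ""
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def parse_status_d(files):
    """Map binary package -> (source package, installed version) from status.d file contents."""
    pkgs = {}
    for text in files.values():
        fields = {}
        for line in text.splitlines():
            if line and not line[0].isspace():
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        # "Source: openssl (1.1.1d-0+deb10u3)" may carry the source version; keep only the name.
        source = fields.get("Source", fields["Package"]).split()[0]
        pkgs[fields["Package"]] = (source, fields["Version"])
    return pkgs


def triage(pkgs, tracker, release="buster"):
    """Sort the tracker's CVEs for installed sources by whether the image already has the fix."""
    installed = {}
    for binary, (source, version) in pkgs.items():
        installed.setdefault(source, {})[binary] = version
    result = {"fixed_in_release_not_in_image": [], "already_fixed_in_image": [],
              "unfixed_in_release": [], "no_data": []}
    for source, cves in tracker.items():
        if source not in installed:
            continue
        for cve, info in cves.items():
            rel = info.get("releases", {}).get(release)
            if rel is None:
                result["no_data"].append(cve)
                continue
            fixed = rel.get("fixed_version")
            if rel.get("status") != "resolved" or not fixed:
                result["unfixed_in_release"].append(cve)
                continue
            # Every binary built from this source must be at or above the fixed version.
            behind = [b for b, v in installed[source].items() if deb_version_cmp(v, fixed) < 0]
            if behind:
                result["fixed_in_release_not_in_image"].append((cve, behind, fixed))
            else:
                result["already_fixed_in_image"].append(cve)
    return result


if __name__ == "__main__":
    for bucket, items in triage(parse_status_d(STATUS_D), TRACKER).items():
        print(bucket, items)
```

Against a real image, the `status.d` files can be copied out of a container created from the pinned digest and the tracker JSON fetched from the URL above; the rest is offline. The version comparison follows dpkg's algorithm, so `~` pre-releases, epochs and `+deb10uN` security revisions order as dpkg orders them, which is exactly where a naive string compare would misclassify a `2.28-10` image as newer than `2.28-10+deb10u1`.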