3.1.16-buster-slim CVE-2021-3520 Critical Issue Question

[KinPatelHub]

Team,

Does the latest .NET CORE 3.1.16-buster-slim image takes care of the CVE-2021-3520 Critical issue reported? I was using 3.1.14-buster-slim and twistlock started complaining about the latest critical issue. I had updated to 3.1.16-buster-slim which was updated most recently and twistlock scans still complains about this issue. Can someone please guide here?

Thanks,
Kinjal

[mthalman]

The vulnerable package in question is lz4. This package is not installed by .NET and instead comes from the Debian base image. It contains version 1.8.3-1 instead of the fixed version 1.8.3-1+deb10u1. Once it is updated in the Debian base image, we'll rebuild the affected .NET images.

❯ docker pull debian:buster-slim
buster-slim: Pulling from library/debian
Digest: sha256:f077cd32bfea6c4fa8ddeea05c53b27e90c7fad097e2011c9f5f11a8668f8db4
Status: Image is up to date for debian:buster-slim
docker.io/library/debian:buster-slim

❯ docker run --rm debian:buster-slim apt list liblz4-1

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Listing...
liblz4-1/now 1.8.3-1 amd64 [installed,local]

[KinPatelHub]

Thanks Matt! In this case, everyone who would be using this image at this point of time would be blocked isn't it? On one side security scan fails due to this critical issue and other side we don't have an updated image which takes care of this fix. Do you have any suggestions in the mean time as I don't know when Debian base image will be updated.

[mthalman]

It's only blocking if your workflow prevents it from being used. That's not the case for every organization. Given the lack of urgency in getting this updated in the Debian container images, I wonder whether the vulnerability is even exploitable in that environment. In any case, this is an issue to take up with Debian. I would also highly recommend reading our blog post about CVEs and evaluating their applicability.

[KinPatelHub]

Got it. Thank!