修复Azure ACR的漏洞

时间:2020-07-24 14:14:49

标签: docker security azure-container-service azure-container-registry clair

有人可以提供有关如何修复Clar使用我的Azure ACR图像的克莱尔扫描仪发现的漏洞的建议。我还是刚接触容器。

这里是Klar结果的样本

Found in: apparmor [2.10.95-0ubuntu2.11]
Fixed By: 
In all versions of AppArmor mount rules are accidentally widened when compiled.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-1585
-----------------------------------------
CVE-2020-3810: [Medium] 
Found in: apt [1.2.32]
Fixed By: 1.2.32ubuntu0.1
Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-3810
-----------------------------------------
CVE-2018-11237: [Medium] 
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-11237
-----------------------------------------
CVE-2018-6485: [Medium] 
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6485
-----------------------------------------
CVE-2017-18269: [Medium] 
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-18269
-----------------------------------------
CVE-2020-1751: [Medium] 
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751
-----------------------------------------```

1 个答案:

答案 0 :(得分:0)

要修复容器映像中的漏洞错误,通常通常只需通过使用您所使用的基础映像的更新版本来更新FROM语句,即可简单地重新编译映像。

例如https://hub.docker.com/_/ubuntu?tab=tags

如您所见,该图像的更新频率很高。

如果您使用的是特定标签(或最新标签),则可能需要从本地构建机器(例如docker rmi)删除映像,以强制docker守护程序在下一个docker build命令中重新提取映像

相关问题
最新问题