~alpine/devel


Security dispute over nodejs vulnerability in Alpine - Help!

Message ID: <AM6PR03MB471180AD19195D25E1BC462AB3409@AM6PR03MB4711.eurprd03.prod.outlook.com>

Hello,
I've encountered a security dispute while working with nodejs and I'd appreciate the opinions of the Alpine community and maintainers on this important subject.

I've recently upgraded my nodejs package version to v12.20.1 on my Alpine image, through Alpine's package manager (release notes of node community: https://nodejs.org/en/blog/release/v12.20.1/). As you will see in the release notes, one of the vulnerabilities that is fixed in this version, is CVE-2020-8265.

I've also upgraded my Alpine image to Alpine v3.13. However, looking into Alpine's v3.13 release notes (here: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable) you'll see that this same vulnerability appears to be fixed only in nodejs v14.15.4-r0.

I am running a vulnerability scanner on my Alpine 3.13 image, and it identifies CVE-2020-8265, even though it was supposed to be fixed in as early as nodejs v12.20.1, according to the node community.

And therefore - the dispute.

My question: Should I consider this vulnerability a false positive, and follow the release notes of node? Or should I use Alpine's determination and upgrade my nodejs version to v14.15.4-r0, where Alpine claims it to be fixed? Why does Alpine state the fix for said vulnerability exists in v14.15.4-r0 of nodejs, whereas the node maintainers indicate the fix is present in an earlier version?

Thank you very much!
Nir

Message ID: <cabebb1a-591d-efd1-31da-e690dad14@dereferenced.org>
In-Reply-To: <AM6PR03MB471180AD19195D25E1BC462AB3409@AM6PR03MB4711.eurprd03.prod.outlook.com>

Hello,

On Wed, 28 Apr 2021, Nir Ben-Eliezer wrote:

> Hello,
> 
> I've encountered a security dispute while working with nodejs and I'd appreciate the opinions of the Alpine community and maintainers on this important subject.

I am presently in charge of the security team in Alpine, which maintains 
the security database we publish.

> I've recently upgraded my nodejs package version to v12.20.1 on my Alpine image, through Alpine's package manager (release notes of node community: https://nodejs.org/en/blog/release/v12.20.1/). As you will see in the release notes,
> one of the vulnerabilities that is fixed in this version, is CVE-2020-8265.
> 
>  
> 
> I've also upgraded my Alpine image to Alpine v3.13. However, looking into Alpine's v3.13 release notes (here: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable) you'll see that this same vulnerability
> appears to be fixed only in nodejs v14.15.4-r0.
> 
>  
> 
> I am running a vulnerability scanner on my Alpine 3.13 image, and it identifies CVE-2020-8265, even though it was supposed to be fixed in as early as nodejs v12.20.1, according to the node community.

Node has multiple maintenance branches, so it is important to 
realize that something being fixed in 12.x is therefore unrelated to 
whether it has been fixed in 14.x.

Our internal security database lists CVE-2020-8265 as fixed in nodejs 
12.20.1-r0 (Alpine 3.12 branch) and 14.15.4-r0 (Alpine 3.13 branch).

I see no reason to disbelieve our security database.  It lines up with CPE 
data published by the US National Vulnerability Database, which says that 
CVE-2020-8265 was fixed in upstream versions 12.20.1 and 14.15.4 
respectively.

> And therefore - the dispute.
> 
>  
> 
> My question: Should I consider this vulnerability a false positive, and follow the release notes of node? Or should I use Alpine's determination and upgrade my nodejs version to v14.15.4-r0, where Alpine claims it to be fixed? Why
> does Alpine state the fix for said vulnerability exists in v14.15.4-r0 of nodejs, whereas the node maintainers indicate the fix is present in an earlier version?

This is definitely a false positive.  What security scanner are you using? 
The vendor may be incorrectly using the security database we publish, this 
has happened before.

Ariadne

Message ID: <AM6PR03MB47117F359009F8F9A1231595B3409@AM6PR03MB4711.eurprd03.prod.outlook.com>
In-Reply-To: <AM6PR03MB471180AD19195D25E1BC462AB3409@AM6PR03MB4711.eurprd03.prod.outlook.com>

Hello,
I've encountered a security dispute while working with nodejs and I'd appreciate the opinions of the Alpine community and maintainers on this important subject.

I've recently upgraded my nodejs package version to v12.20.1 on my Alpine image, through Alpine's package manager (release notes of node community: https://nodejs.org/en/blog/release/v12.20.1/). As you will see in the release notes, one of the vulnerabilities that is fixed in this version, is CVE-2020-8265.

I've also upgraded my Alpine image to Alpine v3.13. However, looking into Alpine's v3.13 release notes (here: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable) you'll see that this same vulnerability appears to be fixed only in nodejs v14.15.4-r0.

I am running a vulnerability scanner on my Alpine 3.13 image, and it identifies CVE-2020-8265, even though it was supposed to be fixed in as early as nodejs v12.20.1, according to the node community.

And therefore - the dispute.

My question: Should I consider this vulnerability a false positive, and follow the release notes of node? Or should I use Alpine's determination and upgrade my nodejs version to v14.15.4-r0, where Alpine claims it to be fixed? Why does Alpine state the fix for said vulnerability exists in v14.15.4-r0 of nodejs, whereas the node maintainers indicate the fix is present in an earlier version?

Thank you very much!
Nir

Message ID: <617756a6-b38c-aa47-86bd-269661b85522@dereferenced.org>
In-Reply-To: <AM6PR03MB47117F359009F8F9A1231595B3409@AM6PR03MB4711.eurprd03.prod.outlook.com>

Hello,

On Wed, 28 Apr 2021, Nir Ben-Eliezer wrote:

> Hello,
> I've encountered a security dispute while working with nodejs and I'd appreciate the opinions of the Alpine community and maintainers on this important subject.
>
> I've recently upgraded my nodejs package version to v12.20.1 on my Alpine image, through Alpine's package manager (release notes of node community: https://nodejs.org/en/blog/release/v12.20.1/). As you will see in the release notes, one of the vulnerabilities that is fixed in this version, is CVE-2020-8265.
>
> I've also upgraded my Alpine image to Alpine v3.13. However, looking into Alpine's v3.13 release notes (here: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable) you'll see that this same vulnerability appears to be fixed only in nodejs v14.15.4-r0.
>
> I am running a vulnerability scanner on my Alpine 3.13 image, and it identifies CVE-2020-8265, even though it was supposed to be fixed in as early as nodejs v12.20.1, according to the node community.
>
> And therefore - the dispute.
>
> My question: Should I consider this vulnerability a false positive, and follow the release notes of node? Or should I use Alpine's determination and upgrade my nodejs version to v14.15.4-r0, where Alpine claims it to be fixed? Why does Alpine state the fix for said vulnerability exists in v14.15.4-r0 of nodejs, whereas the node maintainers indicate the fix is present in an earlier version?

Please see my previous response: 
https://lists.alpinelinux.org/~alpine/devel/%3CAM6PR03MB471180AD19195D25E1BC462AB3409%40AM6PR03MB4711.eurprd03.prod.outlook.com%3E#%3Ccabebb1a-591d-efd1-31da-e690dad14@dereferenced.org%3E

Thanks,
Ariadne

Message ID: <AM6PR03MB47116AB82476787EBC7881F0B3409@AM6PR03MB4711.eurprd03.prod.outlook.com>
In-Reply-To: <617756a6-b38c-aa47-86bd-269661b85522@dereferenced.org>

Hi Ariadne, and thank you very much for your quick response.

I am asking this on behalf of one of our customers. I've used three different scanners, all yield the same result, identifying nodejs v12.20.1 as vulnerable in Alpine 3.13, and recommending to upgrade it to v14.15.4-r0, where it is fixed.

The reason why the scanners behave this way is due to the information listed on this page: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable. If you scroll down to rows 18-19, you'll see this:
+#   14.15.4-r0:
+#     - CVE-2020-8265
+#     - CVE-2020-8287

Indicating that CVE-2020-8265 is fixed in nodejs 14.15.4-r0 on Alpine's 3.13 branch. I did not find any place indicating that nodejs v12.20.1 also contains the fix in Alpine branch 3.13. 

I'd appreciate your clarification on this issue.

Thank you,
Nir

-----Original Message-----
From: Ariadne Conill <ariadne@dereferenced.org> 
Sent: Thursday, April 29, 2021 12:16 AM
To: Nir Ben-Eliezer <nir.ben-eliezer@aquasec.com>
Cc: ~alpine/devel@lists.alpinelinux.org
Subject: Re: Security dispute over nodejs vulnerability in Alpine - Help!

Hello,

On Wed, 28 Apr 2021, Nir Ben-Eliezer wrote:

> Hello,
> I've encountered a security dispute while working with nodejs and I'd appreciate the opinions of the Alpine community and maintainers on this important subject.
>
> I've recently upgraded my nodejs package version to v12.20.1 on my Alpine image, through Alpine's package manager (release notes of node community: https://nodejs.org/en/blog/release/v12.20.1/). As you will see in the release notes, one of the vulnerabilities that is fixed in this version, is CVE-2020-8265.
>
> I've also upgraded my Alpine image to Alpine v3.13. However, looking into Alpine's v3.13 release notes (here: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable) you'll see that this same vulnerability appears to be fixed only in nodejs v14.15.4-r0.
>
> I am running a vulnerability scanner on my Alpine 3.13 image, and it identifies CVE-2020-8265, even though it was supposed to be fixed in as early as nodejs v12.20.1, according to the node community.
>
> And therefore - the dispute.
>
> My question: Should I consider this vulnerability a false positive, and follow the release notes of node? Or should I use Alpine's determination and upgrade my nodejs version to v14.15.4-r0, where Alpine claims it to be fixed? Why does Alpine state the fix for said vulnerability exists in v14.15.4-r0 of nodejs, whereas the node maintainers indicate the fix is present in an earlier version?

Please see my previous response: 
https://lists.alpinelinux.org/~alpine/devel/%3CAM6PR03MB471180AD19195D25E1BC462AB3409%40AM6PR03MB4711.eurprd03.prod.outlook.com%3E#%3Ccabebb1a-591d-efd1-31da-e690dad14@dereferenced.org%3E

Thanks,
Ariadne

Message ID: <f45f3555-d68b-fc8a-17a6-d19e63f734c5@dereferenced.org>
In-Reply-To: <AM6PR03MB47116AB82476787EBC7881F0B3409@AM6PR03MB4711.eurprd03.prod.outlook.com>

Hello,

On Wed, 28 Apr 2021, Nir Ben-Eliezer wrote:

> Hi Ariadne, and thank you very much for your quick response.
>
> I am asking this on behalf of one of our customers. I've used three different scanners, all yield the same result, identifying nodejs v12.20.1 as vulnerable in Alpine 3.13, and recommending to upgrade it to v14.15.4-r0, where it is fixed.
>
> The reason why the scanners behave this way is due to the information listed on this page: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable. If you scroll down to rows 18-19, you'll see this:
> +#   14.15.4-r0:
> +#     - CVE-2020-8265
> +#     - CVE-2020-8287
>
> Indicating that CVE-2020-8265 is fixed in nodejs 14.15.4-r0 on Alpine's 3.13 branch. I did not find any place indicating that nodejs v12.20.1 also contains the fix in Alpine branch 3.13.

It appears that your scanners are probably using our security databases 
incorrectly, or at least making the wrong assumptions about how the 
version lifecycle works in secfixes land.

To explain: we publish security databases for every branch of Alpine, 
these can be fetched at https://secdb.alpinelinux.org/.  These databases 
are compiled from the perspective of each branch.  Or in other words, they 
only describe versions that are published in that branch.

Incidentally, one or more security companies are presently scraping our 
cgit instance for this information.  It may be that you have stale 
information about the v3.13 branch if your security scanners were doing
this, as we have recently taken action to stop abuse of our cgit instance 
for this purpose.  In that case, see the above note about 
secdb.alpinelinux.org and you will have more reliable data.

Anyway, Alpine 3.13 does not credit v12.20.1 with the fix for 
CVE-2020-8265 because that version was never published in Alpine 3.13, 
only Alpine 3.12.

Each security database publishes information based on what packages have 
been published in that branch.

You may also wish to look at our security database viewer at 
https://security.alpinelinux.org/vuln/CVE-2020-8265, which shows both 
Alpine 3.12 and 3.13 having fixes in their respective versions of Node.

You can query that as a webservice, by sending the `Accept: 
application/ld+json` header, in which case you will be presented with 
parts of a JSON-LD graph containing the relevant data.  Please be kind 
when querying that webservice though.  The software powering it is public, 
and you should run your own instance of it if you decide to make bulk 
queries.

Ariadne

Message ID: <1933c278-6817-4ff3-13d9-bbaaaa91da1@dereferenced.org>
In-Reply-To: <f45f3555-d68b-fc8a-17a6-d19e63f734c5@dereferenced.org>

Hello,

On Wed, 28 Apr 2021, Ariadne Conill wrote:

> Hello,
>
> On Wed, 28 Apr 2021, Nir Ben-Eliezer wrote:
>
>> Hi Ariadne, and thank you very much for your quick response.
>> 
>> I am asking this on behalf of one of our customers. I've used three 
>> different scanners, all yield the same result, identifying nodejs v12.20.1 
>> as vulnerable in Alpine 3.13, and recommending to upgrade it to 
>> v14.15.4-r0, where it is fixed.
>> 
>> The reason why the scanners behave this way is due to the information 
>> listed on this 
>> page: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable. 
>> If you scroll down to rows 18-19, you'll see this:
>> +#   14.15.4-r0:
>> +#     - CVE-2020-8265
>> +#     - CVE-2020-8287
>> 
>> Indicating that CVE-2020-8265 is fixed in nodejs 14.15.4-r0 on Alpine's 
>> 3.13 branch. I did not find any place indicating that nodejs v12.20.1 also 
>> contains the fix in Alpine branch 3.13.
>
> It appears that your scanners are probably using our security databases 
> incorrectly, or at least making the wrong assumptions about how the version 
> lifecycle works in secfixes land.
>
> To explain: we publish security databases for every branch of Alpine, these 
> can be fetched at https://secdb.alpinelinux.org/.  These databases are 
> compiled from the perspective of each branch.  Or in other words, they only 
> describe versions that are published in that branch.
>
> Incidentally, one or more security companies are presently scraping our cgit 
> instance for this information.  It may be that you have stale information 
> about the v3.13 branch if your security scanners were doing
> this, as we have recently taken action to stop abuse of our cgit instance for 
> this purpose.  In that case, see the above note about secdb.alpinelinux.org 
> and you will have more reliable data.
>
> Anyway, Alpine 3.13 does not credit v12.20.1 with the fix for CVE-2020-8265 
> because that version was never published in Alpine 3.13, only Alpine 3.12.
>
> Each security database publishes information based on what packages have been 
> published in that branch.
>
> You may also wish to look at our security database viewer at 
> https://security.alpinelinux.org/vuln/CVE-2020-8265, which shows both Alpine 
> 3.12 and 3.13 having fixes in their respective versions of Node.

Or they would if the CPE rules matched the actual package name... :)

But you can at least view the CPE rules for that one.

Ariadne

Message ID: <AM6PR03MB4711BCBD47528BC3DECA7EEDB35F9@AM6PR03MB4711.eurprd03.prod.outlook.com>
In-Reply-To: <1933c278-6817-4ff3-13d9-bbaaaa91da1@dereferenced.org>

Hey,

I checked https://secdb.alpinelinux.org/v3.13/main.json and https://secdb.alpinelinux.org/v3.13/community.json. As you said, this data should be the most reliable source. Note we are talking about Alpine 3.13.

Here's what I found:
1. "main.json" lists package "nodejs" and lists CVE-2020-8265 as fixed in version 14.15.4-r0. This CVE does not appear anywhere else in this json. 
2. "community.json" lists package "nodejs-current" and lists CVE-2020-8265 as fixed in version 15.5.1-r0. 

Do you know the reason for the difference?

So... I'm a bit confused. At the beginning you said that the fact we find CVE-2020-8265 on an Alpine 3.13 image, running nodejs v12.20.1 - is a false positive. In your latest message, however, you mention that Alpine 3.13 does not credit v12.20.1 with the fix for CVE-2020-8265 because that version was never published in Alpine 3.13, only Alpine 3.12.

And finally, when looking at the Alpine 3.13 branch in secdb, which is supposed to be reliable, I see information which indicates that the scanners are working correctly. This is what they all do:
1. They identify the OS as Alpine 3.13 - correct. This is the OS the customer is running.
2. They identify a nodejs v12.20.1 APK installed on the machine - correct. This is the package the customer installed.
3. They identify it is vulnerable to CVE-2020-8265. Should be correct because Alpine doesn't credit v12.20.1 with the fix for this CVE, as you said before.
4. They identify Alpine's recommendation to upgrade nodejs to 14.15.4-r0 in order to fix the problem. This is correct according to secdb.alpinelinux.org/v3.13/main.json

I am failing to see what the scanners are doing incorrectly and why you consider this a false positive.

I appreciate your help and support on this. 




-----Original Message-----
From: Ariadne Conill <ariadne@dereferenced.org> 
Sent: Thursday, April 29, 2021 1:44 AM
To: Ariadne Conill <ariadne@dereferenced.org>
Cc: Nir Ben-Eliezer <nir.ben-eliezer@aquasec.com>; ~alpine/devel@lists.alpinelinux.org
Subject: RE: Security dispute over nodejs vulnerability in Alpine - Help!

Hello,

On Wed, 28 Apr 2021, Ariadne Conill wrote:

> Hello,
>
> On Wed, 28 Apr 2021, Nir Ben-Eliezer wrote:
>
>> Hi Ariadne, and thank you very much for your quick response.
>> 
>> I am asking this on behalf of one of our customers. I've used three 
>> different scanners, all yield the same result, identifying nodejs 
>> v12.20.1 as vulnerable in Alpine 3.13, and recommending to upgrade it 
>> to v14.15.4-r0, where it is fixed.
>> 
>> The reason why the scanners behave this way is due to the information 
>> listed on this 
>> page: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable.
>> If you scroll down to rows 18-19, you'll see this:
>> +#   14.15.4-r0:
>> +#     - CVE-2020-8265
>> +#     - CVE-2020-8287
>> 
>> Indicating that CVE-2020-8265 is fixed in nodejs 14.15.4-r0 on 
>> Alpine's
>> 3.13 branch. I did not find any place indicating that nodejs v12.20.1 
>> also contains the fix in Alpine branch 3.13.
>
> It appears that your scanners are probably using our security 
> databases incorrectly, or at least making the wrong assumptions about 
> how the version lifecycle works in secfixes land.
>
> To explain: we publish security databases for every branch of Alpine, 
> these can be fetched at 
> https://secdb.alpinelinux.org/.  These databases are compiled from the perspective of each branch.  Or in other words, they only describe versions that are published in that branch.
>
> Incidentally, one or more security companies are presently scraping 
> our cgit instance for this information.  It may be that you have stale 
> information about the v3.13 branch if your security scanners were 
> doing this, as we have recently taken action to stop abuse of our cgit 
> instance for this purpose.  In that case, see the above note about 
> secdb.alpinelinux.org and you will have more reliable data.
>
> Anyway, Alpine 3.13 does not credit v12.20.1 with the fix for 
> CVE-2020-8265 because that version was never published in Alpine 3.13, only Alpine 3.12.
>
> Each security database publishes information based on what packages 
> have been published in that branch.
>
> You may also wish to look at our security database viewer at 
> https://security.alpinelinux.org/vuln/CVE-2020-8265, which shows both Alpine
> 3.12 and 3.13 having fixes in their respective versions of Node.

Or they would if the CPE rules matched the actual package name... :)

But you can at least view the CPE rules for that one.

Ariadne

Message ID: <5f129c7d-b379-5f4-e129-b761f99e5e0@dereferenced.org>
In-Reply-To: <AM6PR03MB4711BCBD47528BC3DECA7EEDB35F9@AM6PR03MB4711.eurprd03.prod.outlook.com>

Hello,

On Thu, 29 Apr 2021, Nir Ben-Eliezer wrote:

> Hey,
>
> I checked https://secdb.alpinelinux.org/v3.13/main.json and https://secdb.alpinelinux.org/v3.13/community.json. As you said, this data should be the most reliable source. Note we are talking about Alpine 3.13.
>
> Here's what I found:
> 1. "main.json" lists package "nodejs" and lists CVE-2020-8265 as fixed in version 14.15.4-r0. This CVE does not appear anywhere else in this json.
> 2. "community.json" lists package "nodejs-current" and lists CVE-2020-8265 as fixed in version 15.5.1-r0.

The nodejs-current package tracks whatever the development branch of Node 
was at the time.  Stable branches of Node are even-numbered, while 
development branches are odd-numbered.

So, the development branch (Node 15) fixed that CVE in 15.5.1-r0, which 
also agrees with the CPE data.

> Do you know the reason for the difference?
>
> So... I'm a bit confused. At the beginning you said that the fact we find CVE-2020-8265 on an Alpine 3.13 image, running nodejs v12.20.1 - is a false positive. In your latest message, however, you mention that Alpine 3.13 does not credit v12.20.1 with the fix for CVE-2020-8265 because that version was never published in Alpine 3.13, only Alpine 3.12.
>
> And finally, when looking at the Alpine 3.13 branch in secdb, which is supposed to be reliable, I see information which indicates that the scanners are working correctly. This is what they all do:
> 1. They identify the OS as Alpine 3.13 - correct. This is the OS the customer is running.
> 2. They identify a nodejs v12.20.1 APK installed on the machine - correct. This is the package the customer installed.
> 3. They identify it is vulnerable to CVE-2020-8265. Should be correct because Alpine doesn't credit v12.20.1 with the fix for this CVE, as you said before.
> 4. They identify Alpine's recommendation to upgrade nodejs to 14.15.4-r0 in order to fix the problem. This is correct according to secdb.alpinelinux.org/v3.13/main.json
>
> I am failing to see what the scanners are doing incorrectly and why you consider this a false positive.

Based on this, I don't consider that a false positive.

Ariadne
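The branch-scoped lookup that Ariadne describes (each secdb only knows the package versions published in its own branch) and the scanner logic Nir lays out (identify the branch, identify the installed APK, look the CVE up in that branch's secfixes, report the fix version) can be reproduced in a few dozen lines. The script below is an added example written for this thread; it is not Alpine's tooling and not any of the scanners mentioned. The three JSON documents are constructed samples that mirror the shape of the published `https://secdb.alpinelinux.org/<branch>/main.json` files (a top-level `distroversion` and a `packages` list whose entries carry `pkg` -> `name` and `secfixes`), reduced to the nodejs entries quoted in the thread; the version comparison is a simplified ordering, not apk's full algorithm.

```python
"""Branch-scoped secfixes lookup in the style of Alpine's secdb.

Added example, not Alpine's own tooling. The JSON documents below are
CONSTRUCTED samples that mirror the shape of
https://secdb.alpinelinux.org/<branch>/main.json ("distroversion",
"reponame", "packages" -> "pkg" -> "name"/"secfixes"); only the nodejs
entries discussed in the thread are included.
"""
import json
import re

# Constructed sample: Alpine 3.13 main.json (nodejs fixed in 14.15.4-r0).
SECDB_V313_MAIN = json.loads("""
{
  "distroversion": "v3.13",
  "reponame": "main",
  "packages": [
    {"pkg": {"name": "nodejs",
             "secfixes": {"14.15.4-r0": ["CVE-2020-8265", "CVE-2020-8287"]}}}
  ]
}
""")

# Constructed sample: Alpine 3.13 community.json. nodejs-current is a
# separate package that tracks the odd-numbered development line of Node.
SECDB_V313_COMMUNITY = json.loads("""
{
  "distroversion": "v3.13",
  "reponame": "community",
  "packages": [
    {"pkg": {"name": "nodejs-current",
             "secfixes": {"15.5.1-r0": ["CVE-2020-8265"]}}}
  ]
}
""")

# Constructed sample: Alpine 3.12 main.json, the branch that shipped 12.x.
SECDB_V312_MAIN = json.loads("""
{
  "distroversion": "v3.12",
  "reponame": "main",
  "packages": [
    {"pkg": {"name": "nodejs",
             "secfixes": {"12.20.1-r0": ["CVE-2020-8265"]}}}
  ]
}
""")


def version_key(version: str) -> tuple:
    """Simplified apk version ordering: dotted numeric parts, then the -rN release.

    Assumption for this example only; apk's real comparison also handles
    letter components and suffixes such as _pre/_p, which are ignored here.
    """
    base, _, rel = version.partition("-r")
    nums = tuple(int(p) for p in re.findall(r"\d+", base))
    return (nums, int(rel) if rel.isdigit() else 0)


def fixed_versions(secdb: dict, pkgname: str, cve: str) -> list:
    """Every version string in this branch's db that credits a fix for cve."""
    return [
        ver
        for entry in secdb["packages"]
        if entry["pkg"]["name"] == pkgname
        for ver, cves in entry["pkg"]["secfixes"].items()
        if cve in cves
    ]


def is_fixed(secdb: dict, pkgname: str, installed: str, cve: str) -> bool:
    """True when the installed version is at or above a version this branch
    credits with the fix. The db only lists versions published in its own
    branch, so a version from another branch is judged against these fixes."""
    return any(version_key(installed) >= version_key(v)
               for v in fixed_versions(secdb, pkgname, cve))


def assess(secdb: dict, pkgname: str, installed: str, cve: str) -> str:
    """Scanner-style verdict for one installed package against one branch db."""
    if is_fixed(secdb, pkgname, installed, cve):
        return "fixed"
    fixes = fixed_versions(secdb, pkgname, cve)
    if fixes:
        return "vulnerable, upgrade to " + max(fixes, key=version_key)
    return "unknown (no secfixes entry for this package in this branch)"


if __name__ == "__main__":
    cve = "CVE-2020-8265"
    # The situation in the thread: nodejs 12.20.1-r0 on an Alpine 3.13 image.
    print("3.13 main, nodejs 12.20.1-r0:", assess(SECDB_V313_MAIN, "nodejs", "12.20.1-r0", cve))
    # The same version judged by the branch that actually published it.
    print("3.12 main, nodejs 12.20.1-r0:", assess(SECDB_V312_MAIN, "nodejs", "12.20.1-r0", cve))
    # The 3.13 fix version itself.
    print("3.13 main, nodejs 14.15.4-r0:", assess(SECDB_V313_MAIN, "nodejs", "14.15.4-r0", cve))
    # nodejs-current lives in community.json with its own fix version.
    print("3.13 community, nodejs-current 15.5.1-r0:",
          assess(SECDB_V313_COMMUNITY, "nodejs-current", "15.5.1-r0", cve))
```

Run against the 3.13 sample, a 12.20.1-r0 package is reported as vulnerable with 14.15.4-r0 as the fix, which is exactly what the scanners in the thread reported and what Ariadne's last reply accepts; the same package judged by the 3.12 sample is reported fixed. The difference is not a contradiction in the data but the branch scoping of each database, so a scanner must pair the installed package with the secdb of the branch the image actually runs, and must look nodejs-current up as its own package name rather than as nodejs.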