[vulnerability] - theiaide/theia:1.10.0

[romankurnovskii]

Artifact:                    IMAGE - docker.io/theiaide/theia:1.10.0
    RejectReason:       7c858639
      Type:            VULNERABILITY
      Name:            CVE-2018-18311
      CVSS Score v3:   9.8
      Severity:        critical
      Description:     Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.. Impacted Image File(s): /home/theia/plugins/vscode-builtin-perl/extension
    RejectReason:       5ca4e1e2
      Type:            VULNERABILITY
      Name:            CVE-2021-21353
      CVSS Score v3:   9
      Severity:        critical
      Description:     Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.. Impacted Image File(s): /home/theia/plugins/vscode-builtin-pug/extension
    RejectReason:       d5772c2a
      Type:            VULNERABILITY
      Name:            CVE-2018-8780
      CVSS Score v3:   9.1
      Severity:        critical
      Description:     In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters. When using the corresponding method, unintentional directory traversal may be performed.. Impacted Image File(s): /home/theia/plugins/vscode-builtin-ruby/extension
    RejectReason:       7b3d5645
      Type:            VULNERABILITY
      Name:            CVE-2019-19919
      CVSS Score v3:   9.8
      Severity:        critical
      Description:     Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.. Impacted Image File(s): /home/theia/plugins/vscode-builtin-handlebars/extension
    RejectReason:       428e70a2
      Type:            VULNERABILITY
      Name:            CVE-2018-6913
      CVSS Score v3:   9.8
      Severity:        critical
      Description:     Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.. Impacted Image File(s): /home/theia/plugins/vscode-builtin-perl/extension
    RejectReason:       ae460504
      Type:            VULNERABILITY
      Name:            CVE-2018-18314
      CVSS Score v3:   9.8
      Severity:        critical
      Description:     Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.. Impacted Image File(s): /home/theia/plugins/vscode-builtin-perl/extension
    RejectReason:       58f6a8de
      Type:            VULNERABILITY
      Name:            CVE-2018-18313
      CVSS Score v3:   9.1
      Severity:        critical
      Description:     Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.. Impacted Image File(s): /home/theia/plugins/vscode-builtin-perl/extension
    RejectReason:       996000b1d
      Type:            VULNERABILITY
      Name:            CVE-2018-18312
      CVSS Score v3:   9.8
      Severity:        critical
      Description:     Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.. Impacted Image File(s): /home/theia/plugins/vscode-builtin-perl/extension
    RejectReason:       dcb25f2c
      Type:            VULNERABILITY
      Name:            CVE-2021-27135
      CVSS Score v3:   9.8
      Severity:        critical
      Description:     xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.. Impacted Image File(s): /home/theia/node_modules/xterm

[vince-fugnitto]

@romankurnovskii thank you for the issue, can you help us make sense of what was reported (it's unclear at the moment)?

The vulnerabilities you mentioned are vscode plugins which do not actually have the following dependencies:

• pug
• ruby
• perl
• handlebars

They are only JSON and TypeScript files which define grammars (syntax highlighting) for the languages.

[romankurnovskii]

@romankurnovskii thank you for the issue, can you help us make sense of what was reported (it's unclear at the moment)?

The vulnerabilities you mentioned are vscode plugins which do not actually have the following dependencies:

• pug
• ruby
• perl
• handlebars

They are only JSON and TypeScript files which define grammars (syntax highlighting) for the languages.

trying to investigate, i try to implement theia in my environment, i have to check for vulnerabilities
this report according snyk

[marcdumais-work]

I agree with @vince-fugnitto - it seems that the detection of vulnerability is a bit over-zealous, e.g. apparently assuming that because there's a folder with "perl" in the name, a vulnerable version of Perl is installed.

I think none of the reported vulnerability actually has the corresponding tools installed in the theia-ide/theia image. But I think we do bundle some of the tools in other images (e.g. I think we have Ruby in the full image). It remains to be seen if what we bundle is a vulnerable version.

TL;DR I think these are false-positives

[marcdumais-work]

For example, the Perl item:

Impacted Image File(s): /home/theia/plugins/vscode-builtin-perl/extension

That built-in Perl extension contains almost nothing, and certainly not Perl itself. It's built from these sources:

https://github.com/microsoft/vscode/tree/main/extensions/perl

[romankurnovskii]

guys, give advice please about these too (same image):

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1075738
  Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], libtls-standalone/[email protected], ca-certificates/ca-certificates@20191127-r2, curl/[email protected], openssh/[email protected]_p1-r0, openssh/[email protected]_p1-r0, openssh/[email protected]_p1-r0, openssh/[email protected]_p1-r0, openssh/[email protected]_p1-r0
  From: openssl/[email protected]
  From: openssl/[email protected] > openssl/[email protected]
  From: apk-tools/[email protected] > openssl/[email protected]
  and 12 more...
  Image layer: '/bin/sh -c apk add --no-cache git openssh bash'
  Fixed in: 1.1.1j-r0

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Improper Certificate Validation
  Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1089242
  Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], libtls-standalone/[email protected], ca-certificates/ca-certificates@20191127-r2, curl/[email protected], openssh/[email protected]_p1-r0, openssh/[email protected]_p1-r0, openssh/[email protected]_p1-r0, openssh/[email protected]_p1-r0, openssh/[email protected]_p1-r0
  From: openssl/[email protected]
  From: openssl/[email protected] > openssl/[email protected]
  From: apk-tools/[email protected] > openssl/[email protected]
  and 12 more...
  Image layer: '/bin/sh -c apk add --no-cache git openssh bash'
  Fixed in: 1.1.1k-r0

✗ High severity vulnerability found in gcc/libstdc++
  Description: Insufficient Entropy
  Info: https://snyk.io/vuln/SNYK-ALPINE311-GCC-598616
  Introduced through: gcc/[email protected], gcc/[email protected]
  From: gcc/[email protected]
  From: gcc/[email protected] > gcc/[email protected]
  From: gcc/[email protected]
  Fixed in: 9.3.0-r0

✗ High severity vulnerability found in busybox/busybox
  Description: Improper Handling of Exceptional Conditions
  Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1090152
  Introduced through: busybox/[email protected], alpine-baselayout/[email protected], bash/[email protected], ca-certificates/ca-certificates@20191127-r2, busybox/[email protected]
  From: busybox/[email protected]
  From: alpine-baselayout/[email protected] > busybox/[email protected]
  From: bash/[email protected] > busybox/[email protected]
  and 2 more...
  Image layer: '/bin/sh -c apk add --no-cache git openssh bash'
  Fixed in: 1.31.1-r10

[marcdumais-work]

I think these are all related to alpine packaged software, installed directly or indirectly in the theia-docker Dockerfile.

The node version we target determines the version of alpine-based node image we start FROM.

That's the only "control" we have to play-with. The software installed from alpine packages, using apk, gives no control over the version that will be installed. E.g.:

RUN apk add --no-cache git openssh bash

So I think the only thing we could try is to step-up the node version to a later 12.x, that we can hope will come with an apk software repository that has updated software, patched for the above vulnerabilities. Failing that, we can hope this will be fixed when we eventually switch to node 14.x - but that needs to wait until Eclipse Theia does.

PRs welcome.

[marcdumais-work]

There is an alternative: we have example images in this repo that do not consume the node docker image, that's the ultimate source of the vulnerable alpine packaged software. I believe that ubuntu repositories actively patch vulnerable software, so that when we rebuild an image, we would get up-to-date, secure software. At least momentarily.

For example, this image could be used as inspiration, instead:
https://github.com/theia-ide/theia-apps/blob/master/theia-cpp-docker/Dockerfile

BTW, these images we have in this repo are only maintained as examples, probably not suited for production use.