Cybersecurity: zlib flagged as "Critical severity vulnerability"

I applied a cybersecurity command line tool (snyk) to a pure jodogne/orthanc-python:1.12.6 container image.

The result was:

my-username@my-host:~$ snyk container test jodogne/orthanc-python:1.12.6
[...]

✗ Medium severity vulnerability found in libtasn1-6
  Description: Algorithmic Complexity
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-LIBTASN16-8689970
  Introduced through: wget/wget@1.21.3-1+b2
  From: wget/wget@1.21.3-1+b2 > gnutls28/libgnutls30@3.7.9-2+deb12u3 > libtasn1-6@4.19.0-2
  Fixed in: 4.19.0-2+deb12u1

✗ Medium severity vulnerability found in gnutls28/libgnutls30
  Description: Algorithmic Complexity
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-GNUTLS28-8705121
  Introduced through: apt@2.6.1, wget/wget@1.21.3-1+b2
  From: apt@2.6.1 > gnutls28/libgnutls30@3.7.9-2+deb12u3
  From: wget/wget@1.21.3-1+b2 > gnutls28/libgnutls30@3.7.9-2+deb12u3
  Fixed in: 3.7.9-2+deb12u4

✗ Critical severity vulnerability found in zlib/zlib1g
  Description: Integer Overflow or Wraparound
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-ZLIB-6008963
  Introduced through: python3.11/libpython3.11@3.11.2-6+deb12u5, util-linux@2.38.1-5+deb12u3, wget/wget@1.21.3-1+b2, apt@2.6.1, python3.11@3.11.2-6+deb12u5
  From: python3.11/libpython3.11@3.11.2-6+deb12u5 > zlib/zlib1g@1:1.2.13.dfsg-1
  From: util-linux@2.38.1-5+deb12u3 > zlib/zlib1g@1:1.2.13.dfsg-1
  From: wget/wget@1.21.3-1+b2 > zlib/zlib1g@1:1.2.13.dfsg-1
  and 4 more...
  Image layer: 'DEBIAN_FRONTEND=noninteractive apt-get -y install python3.11 libpython3.11'
Organization:      my-username
Package manager:   deb
Project name:      docker-image|jodogne/orthanc-python
Docker image:      jodogne/orthanc-python:1.12.6
Platform:          linux/amd64
Licenses:          enabled

Tested 117 dependencies for known issues, found 53 issues.

Snyk wasn’t able to auto detect the base image, use `--file` option to get base image remediation advice.
Example: $ snyk container test jodogne/orthanc-python:1.12.6 --file=path/to/Dockerfile

To remove this message in the future, please run `snyk config set disableSuggestions=true`

Is there any way to fix this?
Is zlib a core dependency?

A simple apt upgrade of that package seems impossible.

The vulnerability seems to exist in jodogne/orthanc:latest as well. It seems to be an issue of the underlying Debian (see affected packages: util-linux, wget, apt).

Unfortunately, the Snyk website says that there is no fix.

OK, this is becoming a monologue. Here are some more updates:

Debian admits to being affected by this.

Ubuntu claims not to be affected by this at any point.

Orthanc latest seems to be based on debian:bookworm:

root@ccb7fdb42224:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

root@ccb7fdb42224:~# cat /etc/debian_version
12.9

root@ccb7fdb42224:~# uname -a
Linux ccb7fdb42224 6.8.0-48-generic #48-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 14:04:52 UTC 2024 x86_64 GNU/Linux

→ I guess that means a workaround would be to install Orthanc on an Ubuntu base container…

A genuine question. OK, so there’s a vulnerability. But what’s the risk? How can this be exploited?

Hello,

I agree with James here.

You’ll often find that trying to go to a zero-CVE setup is usually not possible.

What you need to check is whether it’s actually exploitable in your solution.

According to the Snyk page for this CVE, the vulnerability can be exploited by calling the zipOpenNewFileInZip4_64 function.

You should therefore ask “Could someone use (or abuse) my system in a way that leads the zipOpenNewFileInZip4_64 function to be used, with some or all of its parameters being controlled by user-supplied data?”

In the software that you’re actually using (i.e. Orthanc and its plugins), you should check if this function is called.

In Orthanc, this function does not seem to be called at all. You should check in the actual version you’re using, and in the plugins.

If the only user-facing service in your solution is Orthanc, and if none of Orthanc or its dependencies use this function, you should register this CVE as having a zero exploitability (regardless of its severity).

HTH


Hello,

I can add that the Orthanc binaries shipped within jodogne/orthanc-python:1.12.6 are LSB binaries that are statically linked against zlib 1.3.1 (reference), which is not affected by CVE-2023-45853. As a consequence, such a vulnerability in the base image will not be transferred to Orthanc.

Regards,
Sébastien-
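A defender's triage check that combines the two replies above (does the binary reference the minizip entry point zipOpenNewFileInZip4_64, and which zlib is statically linked into it), written as an added example; it is not code from the thread or from the Orthanc project. The sample byte strings are constructed, the zlib copyright strings are the ones zlib's inflate.c and deflate.c embed, and the 1.3.1 cut-off follows the statement above that zlib 1.3.1 is not affected.

```python
import re
from typing import Optional, Tuple

# zlib embeds strings such as " inflate 1.3.1 Copyright 1995-2024 Mark Adler "
# (inflate.c) and " deflate 1.3.1 Copyright ... " (deflate.c). They are plain
# data, so they usually survive stripping and reveal a statically linked zlib.
ZLIB_VERSION_RE = re.compile(rb"(?:inflate|deflate) (\d+\.\d+(?:\.\d+)?) Copyright")

# The minizip entry point named in the thread. Its name only shows up if the
# binary is unstripped or imports it dynamically, so absence is weak evidence.
MINIZIP_ENTRY = b"zipOpenNewFileInZip4_64"

# Assumption taken from the thread: 1.3.1 is the first version not affected.
FIXED_ZLIB = (1, 3, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.13' -> (1, 2, 13); '1.3' -> (1, 3, 0) so comparisons are uniform."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def embedded_zlib_version(blob: bytes) -> Optional[str]:
    """Return the zlib version string found in the binary, or None."""
    match = ZLIB_VERSION_RE.search(blob)
    return match.group(1).decode() if match else None


def references_minizip_entry(blob: bytes) -> bool:
    return MINIZIP_ENTRY in blob


def triage(blob: bytes) -> dict:
    """Classify a binary: statically linked zlib version and minizip exposure."""
    version = embedded_zlib_version(blob)
    symbol = references_minizip_entry(blob)
    if version is None:
        verdict = "unknown: no embedded zlib; it uses the distro's shared zlib1g"
    elif parse_version(version) >= FIXED_ZLIB:
        verdict = "not affected: static zlib >= 1.3.1"
    elif symbol:
        verdict = "review: vulnerable zlib and minizip entry point present"
    else:
        verdict = "low exploitability: vulnerable zlib, minizip entry point not seen"
    return {"zlib_version": version, "minizip_symbol_seen": symbol, "verdict": verdict}


def triage_file(path: str) -> dict:
    with open(path, "rb") as handle:
        return triage(handle.read())
```

Run `triage_file("/path/to/Orthanc")` against the binary extracted from the image; the version string is the same evidence the "reference" link above relies on.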