
[bitnami/mariadb-galera] CVE-2024-25062 Security Vulnerability found in libxml2 library #73481

Closed
jpelletier412 opened this issue Oct 21, 2024 · 10 comments
Labels: mariadb-galera, solved, tech-issues (The user has a technical issue about an application), triage (Triage is needed)

Comments

jpelletier412 commented Oct 21, 2024

Name and Version

bitnami/mariadb-galera:11.5.2-debian-12-r2

What architecture are you using?

amd64

What steps will reproduce the bug?

Running a security scan will show CVE-2024-25062 in debian/libxml2:2.9.14+dfsg-1.3~deb12u1

What is the expected behavior?

High CVEs are not present in software

What do you see instead?

debian/libxml2:2.9.14+dfsg-1.3~deb12u1 has CVE-2024-25062 vulnerability - https://nvd.nist.gov/vuln/detail/CVE-2024-25062#range-13018875.
The issue seems to be in their v2.12.x versions and earlier. I reviewed the library packages in the latest mariadb-galera image (which at time of this ticket is 11.5.2-debian-12-r3) and I still see debian/libxml2:2.9.14+dfsg-1.3~deb12u1 being used. Request that this library be upgraded to at least 2.13.4 as this looks like the first version that no longer has this vulnerability. All prior versions seem to have the CVE.

Additional information

No response

@jpelletier412 jpelletier412 added the tech-issues The user has a technical issue about an application label Oct 21, 2024
@github-actions github-actions bot added the triage Triage is needed label Oct 21, 2024
@javsalgar (Contributor)

Hi,

You can check the status in the upstream debian CVE tracker https://security-tracker.debian.org/tracker/CVE-2024-25062

It seems that they marked the issue as minor. As soon as they release a fixed version we will update the images.

@javsalgar javsalgar changed the title [CVE-2024-25062] Security Vulnerability found in libxml2 library [bitnami/mariadb-galera] CVE-2024-25062 Security Vulnerability found in libxml2 library Oct 22, 2024
@jpelletier412 (Author)

@javsalgar Yeah, it doesn't look like there is any movement on that issue/ticket. It seems the vulnerability only affected v2.12 and earlier. Is there an incompatibility to upgrade to a v2.13? Then again, this CVE seems like it's only an issue when a specific interface is used and certain settings are applied. Do you think this CVE could even be possible in mariadb-galera?

@javsalgar (Contributor)

Hi!

It doesn't look like it, but I believe it should be the upstream MariaDB devs the ones to confirm it.

@jpelletier412 (Author)

@javsalgar Ok. How do we get a dev involved? Is there a separate channel that we should move this ticket to or do we mention those individuals here?

@carrodher (Member)

I understand your concern about security vulnerabilities. We regularly update our images with the latest system packages; however, certain CVEs may persist until they are patched in the OS or application which seems to be the case. For that, we recommend you open a ticket in the upstream support channel.
Additionally, some CVEs remain unfixed due to the absence of available patches. In vulnerability scanners like Trivy, you can use the --ignore-unfixed flag to ignore such CVEs. You can learn more about our CVE policy here.

$ trivy image bitnami/mariadb-galera:11.5.2-debian-12-r5 --scanners vuln --ignore-unfixed
2024-10-30T19:16:58+01:00	INFO	[vulndb] Need to update DB
2024-10-30T19:16:58+01:00	INFO	[vulndb] Downloading vulnerability DB...
2024-10-30T19:16:58+01:00	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
54.88 MiB / 54.88 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 10.17 MiB p/s 5.6s
2024-10-30T19:17:07+01:00	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-30T19:17:07+01:00	INFO	[vuln] Vulnerability scanning is enabled
2024-10-30T19:17:24+01:00	INFO	Detected OS	family="debian" version="12.7"
2024-10-30T19:17:24+01:00	INFO	[debian] Detecting vulnerabilities...	os_version="12" pkg_num=132
2024-10-30T19:17:24+01:00	INFO	Number of language-specific files	num=4
2024-10-30T19:17:24+01:00	INFO	[bitnami] Detecting vulnerabilities...
2024-10-30T19:17:24+01:00	INFO	[gobinary] Detecting vulnerabilities...
2024-10-30T19:17:24+01:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.

bitnami/mariadb-galera:11.5.2-debian-12-r5 (debian 12.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
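To make visible what `--ignore-unfixed` actually discards, here is an added example (not Bitnami's or Trivy's own code) that applies the same split to a Trivy JSON report (`trivy image --format json`): findings with a FixedVersion are kept as actionable in the image, findings without one are listed separately as waiting on the distro or upstream, which is the libxml2 situation in this thread. The report is constructed sample data; `CVE-0000-00000` and `examplepkg` are placeholders.

```python
import json
from collections import Counter

# Constructed sample in Trivy's JSON report layout (`trivy image --format json`):
# the libxml2 finding from this thread, which carries no FixedVersion because
# Debian 12 ships no fixed 2.9.x package, plus a placeholder finding that does
# have a fix, and a result with no Vulnerabilities key at all.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "bitnami/mariadb-galera:11.5.2-debian-12-r3",
    "Results": [
        {"Target": "bitnami/mariadb-galera:11.5.2-debian-12-r3 (debian 12.7)",
         "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-25062", "PkgName": "libxml2",
              "InstalledVersion": "2.9.14+dfsg-1.3~deb12u1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-00000", "PkgName": "examplepkg",  # placeholder
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "MEDIUM"},
         ]},
        {"Target": "Python", "Class": "lang-pkgs"},
    ],
})


def triage(report_json, ignore_unfixed=True):
    """Split findings into (kept, skipped), like Trivy's --ignore-unfixed."""
    kept, skipped = [], []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:       # key absent when clean
            fixed = (v.get("FixedVersion") or "").strip()   # missing or "" = unfixed
            entry = {"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                     "installed": v["InstalledVersion"], "fixed": fixed or None,
                     "severity": v.get("Severity", "UNKNOWN"), "target": result["Target"]}
            (skipped if ignore_unfixed and not fixed else kept).append(entry)
    return kept, skipped


def summary_line(findings):
    """Render the 'Total: N (UNKNOWN: .., ...)' line Trivy prints per target."""
    counts = Counter(f["severity"] for f in findings)
    levels = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")
    return "Total: %d (%s)" % (len(findings),
                               ", ".join("%s: %d" % (l, counts[l]) for l in levels))


if __name__ == "__main__":
    kept, skipped = triage(SAMPLE_REPORT)
    print(summary_line(kept))
    for f in skipped:
        print("unfixed upstream, track separately:", f["id"], f["pkg"], f["installed"])
```

The skipped list is the part that still needs tracking (a ticket against the distro or upstream), since hiding it from the scan does not make the package go away.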

@jpelletier412 (Author)

@carrodher Hello. Can you point me to which "upstream support channel" I should open my ticket with?

@javsalgar (Contributor)

@jpelletier412 (Author)

@javsalgar I reached out to Debian and here is the response https://gitlab.gnome.org/GNOME/libxml2/-/issues/604#note_2269814

The issue was fixed in 2.11.7 and 2.12.5. The 2.13 branch isn't affected. Older releases didn't receive updates. I can't comment on third-party security scans.

So they will not be fixing the 2.9 branch at all and only way to fix is to upgrade to either >=2.11.7, >=2.12.5, or 2.13.x. Is this something now that can be considered?

@carrodher (Member)

As I commented in my previous comment, the Bitnami open-source catalog is based on Debian 12 and we are using the version of system packages included in that distro. Regarding libxml2, the version of Debian 12 (bookworm) is 2.9.14, see https://packages.debian.org/bookworm/libxml2.

If the Debian 12 package repository is updated to include a different version of libxml2, it will be automatically updated in the Bitnami MariaDB Galera container. Additionally, as part of VMware, Bitnami offers a custom container and Helm Charts catalog based on various base images, such as Debian 11 & 12, PhotonOS 5, Ubuntu 22.04 & 24.04, RedHat UBI 8 & 9, and custom golden images. You can explore these options through the VMware Tanzu Application Catalog. Other distros can be using a different version of libxml2.

@jpelletier412 (Author)

@carrodher Thank you for your additional explanation. This makes sense now and I apologize for my misunderstanding on how everything is packaged here. I thought mariadb had a direct dependency on the libxml2 library but it is in fact being picked up by the Debian 12 base image. I will close this issue out as this will need to be handled with the upstream Debian package(s). Thanks

@jpelletier412 jpelletier412 closed this as not planned Won't fix, can't repro, duplicate, stale Nov 21, 2024