How Prisma Cloud Compute Scans Images for Vulnerabilities when Installing vs Upgrading Affected Packages?
Question
- How Prisma Cloud Compute Scans Images for Vulnerabilities when Installing vs Upgrading Affected Packages?
Environment
- Prisma Cloud Compute
Answer
- The Prisma Cloud Compute vulnerability scanner scans images with running containers by default.
- To scan all the images on the host, turn off the "Only scan images with running containers" switch by navigating to Monitor > Scan > Running Images. (This option does NOT apply to registry scanning: every image targeted by a registry scanning rule is scanned regardless of how "Only scan images with running containers" is set. Refer to Additional scan settings.)
- The vulnerability scanner identifies any vulnerabilities associated with any package located on the host.
- Installing a specific fixed binary package does not install or upgrade the source package it was built from. The source package provides all the files needed to compile or build the software.
- Although the latest, vulnerability-fixed package is installed, files from the older vulnerable version may remain, and the vulnerability scanner reports them.
- Upgrading the package, however, upgrades the package itself and its associated libraries, including the source package. Older files and binaries are therefore much less likely to be left behind, and the image may no longer be reported as vulnerable.
Example: Install
- Installing the fixed OpenSSL version 1.1.1k-1+deb11u1 still shows the image as vulnerable, because the package info lists the libssl source package at the older vulnerable version 1.1.1k-1.
- Installing the openssl package does not install or upgrade the source package used to build the libssl1.1 package; it installs a "binary" package called openssl. Note the "2 not upgraded" in the output below.
root@138cc85d276c:/# apt-get install openssl
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  ca-certificates
The following NEW packages will be installed:
  openssl
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 851 kB of archives.
After this operation, 1500 kB of additional disk space will be used.
Get:1 http://security.debian.org/debian-security stable-security/main amd64 openssl amd64 1.1.1k-1+deb11u1 [851 kB]
Fetched 851 kB in 0s (7950 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package openssl.
(Reading database ... 6653 files and directories currently installed.)
Preparing to unpack .../openssl_1.1.1k-1+deb11u1_amd64.deb ...
Unpacking openssl (1.1.1k-1+deb11u1) ...
Setting up openssl (1.1.1k-1+deb11u1) ...
- Upgrading the specific package upgrades both the installed binary package and its source package.
Example: Upgrade
- Upgrading OpenSSL upgrades openssl and its associated libraries. This fixes all the vulnerabilities.
root@df8442a38414:/# apt upgrade openssl
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
openssl is already the newest version (1.1.1k-1+deb11u1).
Calculating upgrade... Done
The following packages will be upgraded:
  libssl1.1 tzdata
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@df8442a38414:/# apt list --installed | grep ssl
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
libssl1.1/stable-security,now 1.1.1k-1+deb11u1 amd64 [installed,automatic]
openssl/stable-security,now 1.1.1k-1+deb11u1 amd64 [installed]
Conclusion:
- Installing the package does not install or upgrade the source package, so the source package may remain at a vulnerable version.
- Upgrading upgrades the base package and its associated packages, which fixes the vulnerability.
Additional Information
Case Study:
- Below are two specific vulnerabilities reported by the Prisma Cloud Compute vulnerability scanner for OpenSSL version 1.1.1k-1 running on Debian (version stable-20210816 was used to reproduce the issue):
CVE-2021-3712
Note: "CVEs" in the following sections refers to these two CVEs.
- OpenSSL version 1.1.1k-1+deb11u1 has these CVEs fixed.
- Installing the fixed OpenSSL version 1.1.1k-1+deb11u1 did not help: Prisma still reported these CVEs.
- However, after upgrading OpenSSL to version 1.1.1k-1+deb11u1, these CVEs are no longer reported.
Explanation:
- By default, the Debian OS (version stable-20210816) comes with the libssl1.1 package (built from the openssl source package) at version 1.1.1k-1.
- Installing the openssl package does not install or upgrade libssl1.1, which stays at the vulnerable version 1.1.1k-1, so the openssl source package is still recorded at the vulnerable version.
- Upgrading brings both openssl and its associated libssl1.1 to the fixed version 1.1.1k-1+deb11u1, which fixes the related vulnerabilities in the image.
- Let's go through 3 different scenarios to understand the difference between installing and upgrading the package in detail:
Scenario 1: Debian OS with default packages - Image is Vulnerable
Scenario 2: Installed OpenSSL fixed version - Image is Vulnerable
Scenario 3: Upgrading the OpenSSL - Image is Not Vulnerable
Scenario 1: Debian OS with default packages - Image is Vulnerable
- Debian with the default libssl1.1 package at version 1.1.1k-1.
- OpenSSL is not installed.
- The image is reported vulnerable to the CVEs through libssl1.1.
- The Dockerfile is:
FROM debian:stable-20210816
RUN apt-get update -y
- The image, with libssl1.1 version 1.1.1k-1, is vulnerable to the CVEs.
Fig 1.1: Scan status failed (as per the configured rule) because the image layer has critical and high CVEs
Fig 1.2: Critical and high CVEs reported
Fig 1.3: Package info with the vulnerable libssl version
Scenario 2: Installed OpenSSL fixed version - Image is Vulnerable
- The Debian OS with the default libssl1.1 package at version 1.1.1k-1
- Installed OpenSSL version 1.1.1k-1+deb11u1, expecting it to fix the vulnerabilities. But Prisma still reports the image as vulnerable to the CVEs.
- The Dockerfile is:
FROM debian:stable-20210816
RUN apt-get update -y
RUN apt-get install openssl
- The above Dockerfile installs the fixed OpenSSL version 1.1.1k-1+deb11u1.
Fig 2.1: Package info shows both OpenSSL and the libssl versions
- Scan reports have a Package info tab, which lists all the packages installed in an image or host. It also shows all active packages, which are packages used by running software. Please refer to Scan Reports.
- Package info confirms the installed fixed OpenSSL version. However, it also shows the libssl1.1 package at the older vulnerable version.
- So Prisma reports the image as vulnerable to the CVEs.
- Installing the openssl package does not install or upgrade the source package used to build the libssl1.1 package; it installs a "binary" package also called openssl.
- See: Debian -- Details of package openssl in bullseye
- After apt install openssl (or the dpkg equivalent), there are 2 different binary packages installed:
root@df8442a38414:/# apt list --installed | grep ssl
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
libssl1.1/stable,now 1.1.1k-1 amd64 [installed,upgradable to: 1.1.1k-1+deb11u1]
openssl/stable-security,now 1.1.1k-1+deb11u1 amd64 [installed]
- Prisma reports vulnerabilities for Debian per source package, and indeed there is a source package, openssl 1.1.1k-1, which is the source of this libssl1.1, and it is vulnerable.
Scenario 3: Upgrading the OpenSSL - Image is Not Vulnerable
- The Debian OS with the default libssl1.1 package at version 1.1.1k-1
- Upgrade OpenSSL. This upgrades the complete package, including the related packages.
- The Dockerfile is:
FROM debian:stable-20210816
RUN apt-get update -y
RUN apt-get upgrade openssl -y
- Both openssl and libssl1.1 are upgraded to the fixed version 1.1.1k-1+deb11u1.
Fig 3.1: Scan status is passed. The layer shows the upgrade as per the commands in the Dockerfile.
Fig 3.2: Package info confirming that both libssl and openssl are upgraded to the latest version.
- When upgrading, apt upgrades the source package, and hence the binary package libssl1.1 as well:
root@df8442a38414:/# apt upgrade openssl
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
openssl is already the newest version (1.1.1k-1+deb11u1).
Calculating upgrade... Done
The following packages will be upgraded:
libssl1.1 tzdata
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@df8442a38414:/# apt list --installed | grep ssl
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
libssl1.1/stable-security,now 1.1.1k-1+deb11u1 amd64 [installed,automatic]
openssl/stable-security,now 1.1.1k-1+deb11u1 amd64 [installed]
- The image is not vulnerable to the CVEs.
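The per-source-package matching described in Scenario 2 and Scenario 3 above, as an added shell example that is not part of this article or of Prisma Cloud: it groups installed binary packages by the source package dpkg records for them and flags any binary still below the fixed version, so a stale libssl1.1 next to a fixed openssl is caught. The two sample package lists are constructed from the apt output on this page (the tzdata versions are placeholders), and the dpkg-query format string is real dpkg syntax but is not taken from the article.

```shell
#!/bin/sh
# Added example, not code from the Prisma Cloud article: reproduce the
# scanner's per-source-package view of a Debian image. Installed binary
# packages are grouped under the source package they were built from; if any
# binary from that source is still below the fixed version, the image is
# flagged. That is why Scenario 2 (openssl fixed, libssl1.1 stale) stays
# vulnerable while Scenario 3 passes.
#
# Input lines use the format of this dpkg-query call (real dpkg syntax):
#   dpkg-query -W -f='${Package} ${Version} ${source:Package}\n'
# Both samples are constructed to mirror the apt output in the article;
# the tzdata versions are placeholders.
SCENARIO2='libssl1.1 1.1.1k-1 openssl
openssl 1.1.1k-1+deb11u1 openssl
tzdata 2021a-1 tzdata'

SCENARIO3='libssl1.1 1.1.1k-1+deb11u1 openssl
openssl 1.1.1k-1+deb11u1 openssl
tzdata 2021a-1+deb11u1 tzdata'

# version_lt A B: succeed if Debian version A is older than B. Uses dpkg's
# real comparison when dpkg exists; the fallback only recognises the
# "fixed version = base version plus a suffix" pattern seen on this page.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        case "$2" in
            "$1") return 1 ;;
            "$1"*) return 0 ;;
            *) return 1 ;;
        esac
    fi
}

# stale_binaries SOURCE FIXED (dpkg-query lines on stdin): print
# "binary version" for each binary built from SOURCE still below FIXED.
stale_binaries() {
    awk -v src="$1" '$3 == src { print $1, $2 }' | while read -r pkg ver; do
        if version_lt "$ver" "$2"; then echo "$pkg $ver"; fi
    done
}

# image_status SOURCE FIXED: the scanner's verdict for one advisory.
image_status() {
    if [ -n "$(stale_binaries "$1" "$2")" ]; then echo VULNERABLE; else echo OK; fi
}

printf '%s\n' "$SCENARIO2" | image_status openssl 1.1.1k-1+deb11u1   # VULNERABLE
printf '%s\n' "$SCENARIO3" | image_status openssl 1.1.1k-1+deb11u1   # OK
```

On a live Debian image, feed the real package list instead of a sample: `dpkg-query -W -f='${Package} ${Version} ${source:Package}\n' | stale_binaries openssl 1.1.1k-1+deb11u1` lists every binary from the openssl source package that the scanner would still flag.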
Conclusion:
- Installing the package does not install or upgrade the source package.
- The source package may therefore remain at a vulnerable version.
- Upgrading upgrades the binary package and its associated packages, which fixes the vulnerability.