Security Vulnerabilities in PostgreSQL Image: Request for Guidance #138

@SanduDS

Issue Description

We are using the PostgreSQL image (17) based on Debian OS (Bookworm) with CloudNativePG in our Kubernetes cluster. While scanning the image for vulnerabilities, we identified several critical issues. We need guidance from the CNPG community to address these vulnerabilities in the image version used by CNPG.

Critical Vulnerabilities Identified

  1. CVE-2023-45853:

    • Package: zlib1g
    • Description: Integer overflow in zipOpenNewFileInZip4_64 leads to a heap-based buffer overflow.
    • Severity: Critical
    • Status: will_not_fix
  2. CVE-2023-24538:

    • Package: Go runtime (html/template)
    • Description: Backticks are not treated as string delimiters, which may allow code injection.
    • Severity: Critical
    • Status: Fixed in Go v1.18.2, v1.19.8, v1.20.3
  3. CVE-2023-24540:

    • Package: Go runtime (html/template)
    • Description: Improper handling of JavaScript whitespace could allow XSS attacks.
    • Severity: Critical
    • Status: Fixed in Go v1.19.9, v1.20.4
  4. CVE-2024-24790:

    • Package: Go runtime (net/netip)
    • Description: Unexpected behavior in Is methods for IPv4-mapped IPv6 addresses could bypass IP-based restrictions.
    • Severity: High
    • Status: Fixed in Go v1.21.11, v1.22.4

Impact on Cluster Security

While PostgreSQL itself is not directly impacted, associated vulnerabilities in the image pose a risk:

  • Possible code injection or XSS attacks from Go-based utilities using vulnerable html/template.
  • Improper IP-based access control due to net/netip issues.
  • Heap-based buffer overflow risk from zlib, potentially allowing malicious data processing.

Request for Guidance

  1. Are there updated PostgreSQL images compatible with CNPG that address these vulnerabilities?
  2. If not, what is the recommended approach to mitigate these issues in the current image version?
  3. Should we consider custom-building an image with patched dependencies? If so, are there any best practices for ensuring compatibility with CNPG?

Environment Details

  • CNPG Version: 1.25.0
  • PostgreSQL Image Version: 17.2-28-bookworm

We look forward to the community's insights and recommendations. Thank you!
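The issue above lists scanner findings by status and fixed version but does not show how to turn them into a decision. The following is an added example, not code from the issue author or from the CloudNativePG project. It takes a report in the shape scanners such as Trivy emit (constructed sample below, carrying the four CVEs, statuses and fixed versions quoted in the issue), separates findings that have an upstream fix from those that need an explicit risk acceptance (such as a Debian `will_not_fix` entry), and, for Go standard-library findings, computes the smallest Go toolchain release that clears all of them. The image registry path, the Go binary path and the installed Go version in the sample are assumptions for illustration.

```python
"""Added example: triaging a container-image vulnerability scan report.

Not code from the issue author or from CloudNativePG. SAMPLE_REPORT is a
constructed report modelled on the JSON shape of scanners such as Trivy;
the registry path, binary path and installed Go version are assumed.
"""
import json
from typing import Dict, List, Tuple

SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/cloudnative-pg/postgresql:17.2-28-bookworm",  # assumed
    "Results": [
        {
            "Target": "debian (bookworm)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-45853", "PkgName": "zlib1g",
                 "InstalledVersion": "1:1.2.13.dfsg-1", "FixedVersion": "",
                 "Status": "will_not_fix", "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "usr/local/bin/example-go-tool",  # hypothetical binary path
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [  # InstalledVersion 1.19.5 is an assumed value
                {"VulnerabilityID": "CVE-2023-24538", "PkgName": "stdlib",
                 "InstalledVersion": "1.19.5", "FixedVersion": "1.19.8, 1.20.3",
                 "Status": "fixed", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2023-24540", "PkgName": "stdlib",
                 "InstalledVersion": "1.19.5", "FixedVersion": "1.19.9, 1.20.4",
                 "Status": "fixed", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2024-24790", "PkgName": "stdlib",
                 "InstalledVersion": "1.19.5", "FixedVersion": "1.21.11, 1.22.4",
                 "Status": "fixed", "Severity": "HIGH"},
            ],
        },
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_go_version(v: str) -> Tuple[int, int, int]:
    """Turn '1.21.11', 'go1.21.11' or 'v1.21' into a comparable tuple."""
    nums = [int(p) for p in v.lstrip("v").removeprefix("go").split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)  # type: ignore[return-value]


def go_stdlib_fixed(installed: str, fixed_versions: List[str]) -> bool:
    """Go stdlib advisories list one patch release per supported minor line.
    The installed toolchain is fixed if it is at or above the patch release
    of its own minor line, or on a minor line newer than every listed fix.
    An older, unlisted minor line (e.g. 1.18 for a 1.19/1.20 fix) is not."""
    inst = parse_go_version(installed)
    fixes = [parse_go_version(f) for f in fixed_versions]
    if not fixes:
        return False
    for fx in fixes:
        if inst[:2] == fx[:2]:
            return inst >= fx
    return inst[:2] > max(fx[:2] for fx in fixes)


def triage(report_json: str, min_severity: str = "HIGH") -> Dict[str, List[dict]]:
    """Bucket findings: fix available (rebuild/upgrade), no fix (needs a
    documented risk acceptance), or below the severity threshold."""
    buckets: Dict[str, List[dict]] = {
        "fix_available": [], "needs_risk_acceptance": [], "below_threshold": []}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities", []):
            entry = {"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                     "target": result.get("Target"), "severity": v["Severity"],
                     "installed": v.get("InstalledVersion"),
                     "fixed": v.get("FixedVersion", ""), "status": v.get("Status", "")}
            if SEVERITY_RANK.get(v["Severity"], 0) < SEVERITY_RANK[min_severity]:
                buckets["below_threshold"].append(entry)
            elif entry["fixed"]:
                buckets["fix_available"].append(entry)
            else:
                buckets["needs_risk_acceptance"].append(entry)
    return buckets


def minimum_go_toolchain(report_json: str) -> str:
    """Smallest release among the advisories' own fix versions that clears
    every Go stdlib finding in the report; '' if there are none."""
    fix_sets: List[List[str]] = []
    for result in json.loads(report_json).get("Results", []):
        if result.get("Type") != "gobinary":
            continue
        for v in result.get("Vulnerabilities", []):
            if v.get("PkgName") == "stdlib" and v.get("FixedVersion"):
                fix_sets.append([f.strip() for f in v["FixedVersion"].split(",")])
    candidates = sorted({f for fs in fix_sets for f in fs}, key=parse_go_version)
    for cand in candidates:
        if all(go_stdlib_fixed(cand, fs) for fs in fix_sets):
            return cand
    return ""


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        print(bucket, [e["id"] for e in entries])
    print("minimum Go toolchain clearing stdlib findings:", minimum_go_toolchain(SAMPLE_REPORT))
```

In practice the report would come from the scanner (for Trivy, `trivy image --format json <image>`), and the Go toolchain a binary was built with can be read from the binary itself with `go version -m <binary>`, which is what decides whether the stdlib findings apply. The `minimum_go_toolchain` result is a floor, not a recommendation: a rebuild should use the newest supported Go release, and a `will_not_fix` OS package is something to record as an accepted risk with a justification rather than something a rebuild will make disappear.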
