
Chainguard Images CVE patch report: Securing software supply chains

Jordi Mon Companys, Senior Product Marketing Manager

We’ve said it before and we stand by it now: speed is safety, slow kills. However strange that sounds, it is true. The number of vulnerabilities reported across the board keeps growing, so the best defense is to remove them as fast as possible. That makes software more secure by default and improves the developer experience along the way. Chainguard Images are the product of a toolchain designed from the ground up with software supply chain security at its center.

In March and April 2024, Chainguard Images removed 150 CVEs from our customers’ and users’ environments. Many of them are rated Critical or High on the CVSS severity scale. They affect projects as popular as Kubernetes (CVE-2021-25743), Apache HTTP Server (CVE-2023-24786), and glibc and PHP (CVE-2024-2961).



In-depth CVE patch analysis

Having packages for the most popular open source projects, in both their latest and older versions, lets Wolfi swap an affected package for an unaffected one quickly. The speed at which those changes propagate into the dependent container images, the Chainguard Images, complements this. On average the whole process takes 26 hours in Wolfi. That is one way Wolfi patches software; at other times Wolfi simply picks up the patched upstream release and applies it to every package and every dependent image immediately, acting as a rolling distro focused exclusively on security.

During the last month, Chainguard remediated 125 vulnerabilities. At a pace of around 31 CVEs per week, our clients will often first learn of a CVE when their weekly updated scanner reports that Chainguard’s security feed has added it and that the image being scanned is already patched.

CVEs patched in Mar / Apr 2024

CVE-2012-5783   CVE-2021-25743  CVE-2023-1370
CVE-2019-10172  CVE-2022-31022  CVE-2023-2431
CVE-2019-10202  CVE-2022-46337  CVE-2023-2727
CVE-2019-10790  CVE-2023-0657   CVE-2023-2728
CVE-2023-28155  CVE-2024-2176   CVE-2024-28849
CVE-2023-33201  CVE-2024-22189  CVE-2024-28860
CVE-2023-3597   CVE-2024-22363  CVE-2024-28863
CVE-2023-3635   CVE-2024-22871  CVE-2024-28869
CVE-2023-3676   CVE-2024-23450  CVE-2024-29018
CVE-2023-38552  CVE-2024-23650  CVE-2024-29025
CVE-2023-42282  CVE-2024-23651  CVE-2024-29041
CVE-2023-42503  CVE-2024-23652  CVE-2024-29131
CVE-2023-45142  CVE-2024-23653  CVE-2024-29133
CVE-2023-45288  CVE-2024-23672  CVE-2024-2961
CVE-2023-45289  CVE-2024-2379   CVE-2024-29893
CVE-2023-45290  CVE-2024-23944  CVE-2024-29902
CVE-2023-46218  CVE-2024-2398   CVE-2024-29903
CVE-2023-46219  CVE-2024-2419   CVE-2024-3156
CVE-2023-47108  CVE-2024-2435   CVE-2024-3158
CVE-2023-48795  CVE-2024-24549  CVE-2024-3159
CVE-2023-52428  CVE-2024-24557  CVE-2024-3177
CVE-2023-5528   CVE-2024-2466   CVE-2024-31990
CVE-2023-6237   CVE-2024-24783  CVE-2024-32473
CVE-2023-6544   CVE-2024-24784  CVE-2024-3651
CVE-2023-6597   CVE-2024-24785  CVE-2024-3832
CVE-2023-6717   CVE-2024-24786  CVE-2024-3833
CVE-2023-6787   CVE-2024-2511   CVE-2024-3834
CVE-2024-0406   CVE-2024-25629  CVE-2024-3837
CVE-2024-0450   CVE-2024-25630  CVE-2024-3838
CVE-2024-1132   CVE-2024-25631  CVE-2024-3839
CVE-2024-1135   CVE-2024-25710  CVE-2024-3840
CVE-2024-1249   CVE-2024-26308  CVE-2024-3841
CVE-2024-2004   CVE-2024-2660   CVE-2024-3843
CVE-2024-20926  CVE-2024-2700   CVE-2024-3844
CVE-2024-21011  CVE-2024-27280  CVE-2024-3845
CVE-2024-21012  CVE-2024-27281  CVE-2024-3846
CVE-2024-21068  CVE-2024-27306  CVE-2024-3847
CVE-2024-21085  CVE-2024-27980  CVE-2024-3914
CVE-2024-21094  CVE-2024-28122  GHSA-7f4j-64p6-5h5v
CVE-2024-21626  CVE-2024-28182  GHSA-7ww5-4wqc-m92c
CVE-2024-2173   CVE-2024-28219  GHSA-wjxj-5m7g-mg7q
CVE-2024-2174   CVE-2024-28752


Spotlight on glibc’s vulnerability affecting PHP servers

There is one vulnerability that stands out from the rest. CVE-2024-2961 (GHSA-22q4-f5r6-3xqw) is a buffer overflow in the GNU C Library (glibc): in versions 2.39 and older, the `iconv()` function can write a few bytes past the end of the caller’s output buffer when converting strings to the ISO-2022-CN-EXT character set. That is enough to crash an application or overwrite an adjacent variable. The bug lives in libc, but it is reachable from PHP through the iconv extension and the convert.iconv stream filter, which is why it matters to PHP servers.

Mitigation Strategies

  1. Monitor for updates and patches continuously, so that a fixed package reaches production as soon as it is published.

  2. Add defense in depth, such as Runtime Application Self-Protection (RASP) or memory protection mechanisms, to limit the impact of a successful exploit.

  3. Apply the patched Chainguard Image, which ships a fixed version of glibc.

In this case, we leveraged the community: soon after the vulnerability was reported, user Shyim opened a PR in the Wolfi project pointing out that an upstream patch was available. That patch goes beyond the quick fix suggested by Rocky Linux and fully removes the vulnerability from glibc.

In a nutshell, the patch makes iconv() check that the output buffer has room before it emits the ISO-2022-CN-EXT escape sequences, so the out-of-bounds write identified as CVE-2024-2961 can no longer happen.



Since every service consuming Chainguard’s security advisory feed needs to know about the fix, the next logical step was to publish a security advisory for this CVE. The entry below was added to the glibc advisories YAML file straight away and propagated with the rest of the security feed:

- id: CVE-2024-2961
  aliases:
    - GHSA-22q4-f5r6-3xqw
  events:
    - timestamp: 2024-04-21T19:41:42Z
      type: fixed
      data:
        fixed-version: 2.39-r2
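To make the feed entry concrete, here is an added example, not Chainguard’s tooling or the Wolfi advisory code, of how a consumer of such an advisory decides whether an installed glibc is still affected. It takes the entry above transcribed into a Python dict; the surrounding schema-version and package fields are assumed from the Wolfi advisory file layout and are not shown on the page. The newest event decides an advisory’s status, only a latest event of type fixed contributes a fixed-version, and the result is projected into the same fixed-version-to-ids shape that scanners match against. The version comparison is deliberately limited to the X.Y.Z[-rN] form, and the package inventory lines are constructed.

```python
"""Decide whether installed Wolfi packages are covered by advisory 'fixed'
events, the way a scanner consuming the security feed would.

Added example: not Chainguard's or Wolfi's code. The advisory data is the
glibc / CVE-2024-2961 entry from the blog post; the 'schema-version' and
'package' wrapper around it is an assumption about the advisory file layout.
"""
import re
from datetime import datetime

GLIBC_ADVISORIES = {
    "schema-version": 2,          # assumed wrapper, not quoted on the page
    "package": {"name": "glibc"},  # assumed wrapper, not quoted on the page
    "advisories": [
        {
            "id": "CVE-2024-2961",
            "aliases": ["GHSA-22q4-f5r6-3xqw"],
            "events": [
                {
                    "timestamp": "2024-04-21T19:41:42Z",
                    "type": "fixed",
                    "data": {"fixed-version": "2.39-r2"},
                }
            ],
        }
    ],
}

# Only the simple apk form 'X.Y.Z[-rN]' is handled; suffixes such as
# _alpha1 or _p2 are out of scope for this example.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
# apk prints installed packages as 'name-version'; the version is the part
# after the first '-' that is followed by a digit.
_INVENTORY_RE = re.compile(r"^(.+?)-(\d.*)$")


def apk_version_key(version):
    """Comparable key: dotted numeric components first, then the -rN pkgrel."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    pkgrel = int(m.group(2) or 0)
    return (numbers, pkgrel)


def latest_event(advisory):
    """The newest event by timestamp determines the advisory's status."""
    def ts(event):
        return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    return max(advisory["events"], key=ts)


def secfixes(doc):
    """Project advisories into {fixed-version: [ids]}, the shape scanners
    match against. An advisory whose latest event is not 'fixed' (still
    under analysis, false positive, ...) contributes nothing."""
    out = {}
    for adv in doc["advisories"]:
        event = latest_event(adv)
        if event["type"] != "fixed":
            continue
        out.setdefault(event["data"]["fixed-version"], []).append(adv["id"])
    return out


def vulnerable_ids(doc, installed_version):
    """Ids still open for an installed version: every fix whose version is
    newer than what is installed."""
    installed = apk_version_key(installed_version)
    open_ids = []
    for fixed_version, ids in secfixes(doc).items():
        if installed < apk_version_key(fixed_version):
            open_ids.extend(ids)
    return sorted(open_ids)


def scan_inventory(doc, inventory):
    """inventory: 'name-version' strings as apk prints them. Returns
    {entry: [open ids]} for entries matching the advisory's package."""
    wanted = doc["package"]["name"]
    report = {}
    for entry in inventory:
        m = _INVENTORY_RE.match(entry)
        if not m or m.group(1) != wanted:
            continue  # other packages, including glibc-locale-posix, are skipped
        report[entry] = vulnerable_ids(doc, m.group(2))
    return report


if __name__ == "__main__":
    # Constructed inventory, not taken from a real image.
    inventory = ["glibc-2.39-r1", "glibc-locale-posix-2.39-r2",
                 "busybox-1.36.1-r2", "glibc-2.39-r2"]
    for entry, ids in scan_inventory(GLIBC_ADVISORIES, inventory).items():
        print(entry, "open:", ", ".join(ids) or "none")
```

The same logic explains the scanner behaviour described earlier: once the feed carries the fixed event, an image with glibc-2.39-r2 or newer reports nothing for CVE-2024-2961, while an image still on 2.39-r1 reports it as open until it is rebuilt.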

Wrapping up

Whether the Wolfi community keeps our automation on its toes or our own automation spots the patched upstream release first, Chainguard Images are patched in a matter of hours. Wolfi is designed to be the fastest rolling distro for secure software. To get started with Chainguard Images, reach out to our team to streamline your vulnerability management for open source software and start securing your supply chain today!
