In this month’s post, we look at the critical role Chainguard’s CVE remediation team plays in patching Chainguard Images promptly and keeping them secure.
TL;DR
- Last month, Chainguard distributed patches for a total of 998 vulnerabilities
- We issued patches for upstream vulnerabilities affecting 756 Chainguard Images and 389 Wolfi Packages, all of which are now resolved
- Chainguard distributes patched images in an average of 26 hours
- Chainguard distributes remediation for 32 vulnerabilities a day on average
Chainguard’s philosophy on CVEs
Chainguard’s approach to CVE handling focuses on keeping our customers’ CVE scanner reports accurate and quiet. We want to give them peace of mind, so the process could well be called ZenPatch Flow or ZenSecure Patching 😂. Whatever the name, it always involves detecting CVEs in packages and images and choosing the best approach to keep those CVEs from showing up in customers’ scans.
In practical terms, it involves a range of tactics, from updating packages to cherry-picking surgical fixes, with varying levels of difficulty and value to customers. False positives are identified and marked, and CVEs are resolved whenever possible. The goal is Inbox Zero for customers: accurate CVE information and minimal noise in scanner results.
Spotlight: CVE-2024-4603 affecting OpenSSL
Summary
This vulnerability affects applications that use the OpenSSL functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check DSA public keys or DSA parameters. Checking excessively long keys or parameters can take a very long time, so when the key or parameters come from an untrusted source the delay can be used for a Denial of Service (DoS) attack.
Context and impact
The issue lies in the fact that the key and parameter check functions in OpenSSL do not limit the size of the modulus (the DSA `p` parameter) when performing the checks, even though OpenSSL already refuses to use a DSA public key with a modulus over 10,000 bits for signature verification. If an excessively large modulus is supplied, some of the computations the checks perform take a very long time, which is the DoS vector. OpenSSL itself does not call these functions on untrusted DSA keys, so only applications that call them directly on keys or parameters from an untrusted source are exposed; the OpenSSL SSL/TLS implementation is not affected. The OpenSSL 3.0 and 3.1 FIPS providers are affected, and the OpenSSL pkey and pkeyparam command line applications are also vulnerable when used with the `-check` option.
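The fix for this class of bug is a cheap size bound applied before any expensive arithmetic, and any code that validates DSA parameters from an untrusted source should do the same. The following is an added example written for this post, not OpenSSL’s code or Chainguard’s patch: it parses DER-encoded DSA parameters (the Dss-Parms SEQUENCE of p, q, g), rejects an oversized modulus before any primality work, and only then runs the expensive validation. The 10,000-bit limit mirrors the bound the OpenSSL advisory says is already applied to DSA signature verification; the other pre-checks (q smaller than p, g in range) are an assumed summary of what a fix of this kind does, not a transcription of upstream commit 53ea0648. The sample parameter sets are constructed for the example.

```python
"""Added example: size-bound untrusted DSA parameters before the costly checks.

Dss-Parms ::= SEQUENCE { p INTEGER, q INTEGER, g INTEGER }
Illustrative code, not OpenSSL's. The modulus bound follows the advisory's
10,000-bit figure; the remaining pre-checks are an assumed summary of the fix.
"""
from typing import Optional, Tuple

DSA_MAX_MODULUS_BITS = 10000  # assumption: bound OpenSSL applies to DSA verification


def _der_length(n: int) -> bytes:
    """DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(v: int) -> bytes:
    """DER INTEGER for a non-negative value; extra leading 0x00 keeps the sign bit clear."""
    if v < 0:
        raise ValueError("DSA parameters are non-negative")
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body


def encode_dsa_params(p: int, q: int, g: int) -> bytes:
    """Build Dss-Parms DER; used here only to construct sample inputs."""
    body = der_integer(p) + der_integer(q) + der_integer(g)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value at buf[off]; returns (tag, value, offset after it)."""
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    end = off + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:end], end


def parse_dsa_params(der: bytes) -> Tuple[int, int, int]:
    """Parse Dss-Parms into (p, q, g): cheap, no arithmetic on the values."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    values, off = [], 0
    while off < len(body):
        tag, content, off = _read_tlv(body, off)
        if tag != 0x02 or not content or content[0] & 0x80:
            raise ValueError("expected a positive INTEGER")
        values.append(int.from_bytes(content, "big"))
    if len(values) != 3:
        raise ValueError("expected exactly p, q, g")
    return values[0], values[1], values[2]


def precheck_dsa_params(p: int, q: int, g: int,
                        max_modulus_bits: int = DSA_MAX_MODULUS_BITS) -> Optional[str]:
    """Bit-length and range checks that cost nothing; None means pass."""
    if p.bit_length() > max_modulus_bits:
        return "modulus too large"
    if q.bit_length() >= p.bit_length():
        return "q must be smaller than p"
    if not 1 < g < p:
        return "g out of range"
    return None


def _probably_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; the cost grows steeply with the size of n."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_dsa_params(p: int, q: int, g: int) -> Optional[str]:
    """The expensive part: primality of p and q, q | p-1, g of order q."""
    if not _probably_prime(q):
        return "q is not prime"
    if not _probably_prime(p):
        return "p is not prime"
    if (p - 1) % q:
        return "q does not divide p-1"
    if pow(g, q, p) != 1:
        return "g does not have order q"
    return None


def check_untrusted_dsa_params(der: bytes) -> Tuple[str, Optional[str]]:
    """Parse, pre-check, then validate. Returns ("ok"|"rejected"|"invalid", reason)."""
    try:
        p, q, g = parse_dsa_params(der)
    except (ValueError, IndexError) as exc:
        return "rejected", f"malformed DER: {exc}"
    reason = precheck_dsa_params(p, q, g)
    if reason is not None:
        return "rejected", reason  # the costly checks never run
    reason = validate_dsa_params(p, q, g)
    return ("invalid", reason) if reason else ("ok", None)


# Constructed samples: a toy valid set (g=4 has order q=11 mod p=23) and a
# 20,001-bit "modulus" of the kind an attacker would feed to a -check call.
SMALL_PARAMS_DER = encode_dsa_params(23, 11, 4)
OVERSIZED_PARAMS_DER = encode_dsa_params((1 << 20000) | 1, (1 << 255) | 1, 2)

if __name__ == "__main__":
    print(check_untrusted_dsa_params(SMALL_PARAMS_DER))      # ('ok', None)
    print(check_untrusted_dsa_params(OVERSIZED_PARAMS_DER))  # ('rejected', 'modulus too large')
```

The same entry point can be fed real parameters written with `openssl dsaparam -outform DER`; the toy p=23 set is only there so the validation step completes instantly, while the oversized set shows the request being refused before any modular exponentiation on a 20,000-bit number takes place.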
Disclosure and response
CVE-2024-4603 was disclosed on May 16th, 2024 by the OpenSSL Software Foundation, which rated it Low severity. Chainguard's automated processes for distributing patched software addressed the issue quickly, shrinking the window of exposure for our customers and reducing the noise in their security scanners. The response, detailed below, demonstrates Chainguard's commitment to being the fastest distributor of patched open source software.
Mitigation
![Image showing patch for CVE-2024-4603 and epoch bump to 8.](https://cdn.prod.website-files.com/6228fdbc6c971401d02a9c42/66797cbf6ba01687f35e00a9_AD_4nXfJoVrutHOfyyPblZ1Obfdj8cLMwIVxhMPRm4UYQ9R2OhIOKrWlsSah5A-TzNEEqb-NzUU9PLR8Qm6yLluqw-R2DHGpUwWgw7Tp80MVtBXDmvp3bKJjKgGhShVX7we2DEvMcs0eqBJ4gaJ-ebopnpq_g4sG.png)
The fix was cherry-picked from upstream commit openssl/openssl@53ea064 into the Wolfi openssl package and shipped with an epoch bump, so every image built on that package picks up the patched version on its next build. By addressing this vulnerability in less than two hours and efficiently propagating the patched package throughout Chainguard’s registry, Chainguard reinforces its dedication to the security and integrity of our customers’ supply chains.
![Image showing comment from ajayk: "Picks up the commits from openssl/openssl@53ea064."](https://cdn.prod.website-files.com/6228fdbc6c971401d02a9c42/66797d174843c3e0b816a359_AD_4nXd4JkvHbLThFeMkypefp7h45eEPEPorCTj6ygHzhiPq1HHFfmssJKsp74llxKyXaDMMSAIhfJtw5FYd0TMU83tb8DhHJH73q1c8r6aG-qkUYBfEJr1_iriqd3NChMC2ro_ZhrqSZ7jN0-yx69qrAr5lLyyR.png)
![Image showing approval of aforementioned comment by ajayk less than two hours later.](https://cdn.prod.website-files.com/6228fdbc6c971401d02a9c42/66797d22111b8024fd787597_AD_4nXcR8_jHfr7CXbbE73UnHDVzADA3N9J81_XlaONYPUHWaDjjf6kDXmvYGMAG04vVLiOKWsOlD6yNn87K1TRZS8WW7j3y19xBQi0EIx9h5u9mP626S2OI49pamOp4GiAvscFLW0DGUWqBtW3sXsHsvA7nbF0O.png)
Conclusion
This month's patch report underscores the importance of staying informed about new CVEs and applying patches promptly to safeguard software supply chains. The 998 vulnerabilities, affecting 756 Chainguard Images and 389 Wolfi Packages, give a sense of the scale of the problem we solve for our clients. With the automation and manual checks built into the toolchain underlying Chainguard Images, Chainguard takes a significant step towards improving our clients’ security posture. Contact us if you want to learn how Chainguard Images can help reduce your CVE counts.