Chainguard Images CVE patch report: Securing software supply chains

Jordi Mon Companys, Senior Product Marketing Manager
May 1, 2024

We’ve said it before and we stand by it now: speed is safety, slow kills. No matter how strange that statement may sound, it’s true. The number of vulnerabilities being reported across the board is only increasing, so the best defense is getting rid of all of them as fast as possible. This strategy will help make software more secure by default and even improve the developer experience. Chainguard Images are the result of a meticulously designed toolchain built from the ground up with software supply chain security at the center of it.

In March and April 2024, Chainguard Images have removed 150 CVEs from our customers and users’ environments. Many of them are in the high range of the CVSS severity score (Critical and High). These affect projects as popular as Kubernetes (CVE-2021-25743), Apache HTTP server (CVE-2023-24786), glibc and PHP (CVE-2024-2961).

GIF showing navigation to php advisories and CVE alert.

In-depth CVE patch analysis

Having packages for the most popular open source projects (latest and older versions) allows Wolfi to be able to swap affected packages by non-affected packages quickly. This is complemented by the speed at which these changes propagate and package the dependent container images — Chainguard Images. On average, the whole process takes 26 hours in Wolfi. That’s one way Wolfi patches software, but other times Wolfi just picks the patched upstream version and applies it to every package and every dependent image immediately. Acting as a rolling distro exclusively focused on security.

During the last month, Chainguard remediated 125 vulnerabilities. At a pace of around 31 CVEs per week, it’s likely that our clients will only know about them when their weekly updated scanners report that Chainguard’s security feed has added a new CVE and that the image scanned is patched.

CVEs patched in Mar / Apr 2024
CVE-2012-5783 CVE-2021-25743 CVE-2023-1370
CVE-2019-10172 CVE-2022-31022 CVE-2023-2431
CVE-2019-10202 CVE-2022-46337 CVE-2023-2727
CVE-2019-10790 CVE-2023-0657 CVE-2023-2728
CVE-2023-28155 CVE-2024-2176 CVE-2024-28849
CVE-2023-33201 CVE-2024-22189 CVE-2024-28860
CVE-2023-3597 CVE-2024-22363 CVE-2024-28863
CVE-2023-3635 CVE-2024-22871 CVE-2024-28869
CVE-2023-3676 CVE-2024-23450 CVE-2024-29018
CVE-2023-38552 CVE-2024-23650 CVE-2024-29025
CVE-2023-42282 CVE-2024-23651 CVE-2024-29041
CVE-2023-42503 CVE-2024-23652 CVE-2024-29131
CVE-2023-45142 CVE-2024-23653 CVE-2024-29133
CVE-2023-45288 CVE-2024-23672 CVE-2024-2961
CVE-2023-45289 CVE-2024-2379 CVE-2024-29893
CVE-2023-45290 CVE-2024-23944 CVE-2024-29902
CVE-2023-46218 CVE-2024-2398 CVE-2024-29903
CVE-2023-46219 CVE-2024-2419 CVE-2024-3156
CVE-2023-47108 CVE-2024-2435 CVE-2024-3158
CVE-2023-48795 CVE-2024-24549 CVE-2024-3159
CVE-2023-52428 CVE-2024-24557 CVE-2024-3177
CVE-2023-5528 CVE-2024-2466 CVE-2024-31990
CVE-2023-6237 CVE-2024-24783 CVE-2024-32473
CVE-2023-6544 CVE-2024-24784 CVE-2024-3651
CVE-2023-6597 CVE-2024-24785 CVE-2024-3832
CVE-2023-6717 CVE-2024-24786 CVE-2024-3833
CVE-2023-6787 CVE-2024-2511 CVE-2024-3834
CVE-2024-0406 CVE-2024-25629 CVE-2024-3837
CVE-2024-0450 CVE-2024-25630 CVE-2024-3838
CVE-2024-1132 CVE-2024-25631 CVE-2024-3839
CVE-2024-1135 CVE-2024-25710 CVE-2024-3840
CVE-2024-1249 CVE-2024-26308 CVE-2024-3841
CVE-2024-2004 CVE-2024-2660 CVE-2024-3843
CVE-2024-20926 CVE-2024-2700 CVE-2024-3844
CVE-2024-21011 CVE-2024-27280 CVE-2024-3845
CVE-2024-21012 CVE-2024-27281 CVE-2024-3846
CVE-2024-21068 CVE-2024-27306 CVE-2024-3847
CVE-2024-21085 CVE-2024-27980 CVE-2024-3914
CVE-2024-21094 CVE-2024-28122 GHSA-7f4j-64p6-5h5v
CVE-2024-21626 CVE-2024-28182 GHSA-7ww5-4wqc-m92c
CVE-2024-2173 CVE-2024-28219 GHSA-wjxj-5m7g-mg7q
CVE-2024-2174 CVE-2024-28752

Spotlight on glibc’s vulnerability affecting PHP servers

There’s one particular vulnerability that stands out from the rest. CVE-2024-2961 or GHSA-22q4-f5r6-3xqw involves a buffer overflow vulnerability in the GNU C Library (glibc), affecting the `iconv()` function when converting strings to the ISO-2022-CN-EXT character set in versions 2.39 and older. This vulnerability can potentially crash applications or overwrite adjacent memory areas, leading to security risks.

Mitigation Strategies

  1. Regularly monitor for updates and patches to maintain the security of the software supply chain.
  2. Implement additional security measures, such as Runtime Application Self-Protection (RASP), or memory protection mechanisms to mitigate the impact of potential exploits.
  3. Apply the patched Chainguard Image provided by Chainguard with a secure version of glibc.

In this case, we leveraged the community. User Shyim pointed out soon after the vulnerability was reported that an upstream patch was available by opening a PR in the Wolfi project. The suggestion goes beyond the quickfix suggested by RockyLinux and fully removes this vulnerability from glibc. 

In a nutshell, the patch ensures that the iconv() function properly handles the ISO-2022-CN-EXT character set conversion and prevents out-of-bounds writes, thus addressing the security vulnerability identified as CVE-2024-2961.

GitHub message by Dan Lorenc regarding latest glibc vulnerability affecting PHP servers. Text reads: Thanks! We'll also need to file an advisory PR for this.

Since Chainguard needs to tell any service consuming our Security Advisory feed about this, the next logical step was to publish a security advisory about this CVE. It was immediately added to the glibc advisories yaml file to be propagated with the rest of the security feed.

-- CODE language-bash -- - id: CVE-2024-2961 aliases: - GHSA-22q4-f5r6-3xqw events: - timestamp: 2024-04-21T19:41:42Z type: fixed data: fixed-version: 2.39-r2

Wrapping up

Whether the Wolfi community keeps our automation on its heels or whether our own automation detects upstream patched software, Chainguard Images are patched in a matter of hours. Wolfi is designed to be the fastest rolling distro for secure software. To get started with Chainguard Images, reach out to our team to start streamlining your vulnerability management for open source software and start securing your supply chain today!

Related articles

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.