We’ve said it before and we stand by it now: speed is safety, slow kills. No matter how strange that statement may sound, it’s true. The number of vulnerabilities being reported across the board is only increasing, so the best defense is getting rid of all of them as fast as possible. This strategy will help make software more secure by default and even improve the developer experience. Chainguard Images are the result of a meticulously designed toolchain built from the ground up with software supply chain security at the center of it.
In March and April 2024, Chainguard Images have removed 150 CVEs from our customers and users’ environments. Many of them are in the high range of the CVSS severity score (Critical and High). These affect projects as popular as Kubernetes (CVE-2021-25743), Apache HTTP server (CVE-2023-24786), glibc and PHP (CVE-2024-2961).
In-depth CVE patch analysis
Having packages for the most popular open source projects (latest and older versions) allows Wolfi to be able to swap affected packages by non-affected packages quickly. This is complemented by the speed at which these changes propagate and package the dependent container images — Chainguard Images. On average, the whole process takes 26 hours in Wolfi. That’s one way Wolfi patches software, but other times Wolfi just picks the patched upstream version and applies it to every package and every dependent image immediately. Acting as a rolling distro exclusively focused on security.
During the last month, Chainguard remediated 125 vulnerabilities. At a pace of around 31 CVEs per week, it’s likely that our clients will only know about them when their weekly updated scanners report that Chainguard’s security feed has added a new CVE and that the image scanned is patched.
Spotlight on glibc’s vulnerability affecting PHP servers
There’s one particular vulnerability that stands out from the rest. CVE-2024-2961 or GHSA-22q4-f5r6-3xqw involves a buffer overflow vulnerability in the GNU C Library (glibc), affecting the `iconv()` function when converting strings to the ISO-2022-CN-EXT character set in versions 2.39 and older. This vulnerability can potentially crash applications or overwrite adjacent memory areas, leading to security risks.
Mitigation Strategies
- Regularly monitor for updates and patches to maintain the security of the software supply chain.
- Implement additional security measures, such as Runtime Application Self-Protection (RASP), or memory protection mechanisms to mitigate the impact of potential exploits.
- Apply the patched Chainguard Image provided by Chainguard with a secure version of glibc.
In this case, we leveraged the community. User Shyim pointed out soon after the vulnerability was reported that an upstream patch was available by opening a PR in the Wolfi project. The suggestion goes beyond the quickfix suggested by RockyLinux and fully removes this vulnerability from glibc.
Since Chainguard needs to tell any service consuming our Security Advisory feed about this, the next logical step was to publish a security advisory about this CVE. It was immediately added to the glibc advisories yaml file to be propagated with the rest of the security feed.
Wrapping up
Whether the Wolfi community keeps our automation on its heels or whether our own automation detects upstream patched software, Chainguard Images are patched in a matter of hours. Wolfi is designed to be the fastest rolling distro for secure software. To get started with Chainguard Images, reach out to our team to start streamlining your vulnerability management for open source software and start securing your supply chain today!
