Unchained
Products
Chainguard Images
Reduce your attack surface with hardened container images.
Solutions
Developer
Resources
Company
Contact
Back
Container Image Security
Run hardened container images.
Vulnerability Remediation
Eliminate CVEs daily.
Open Source Software Security
Consume OSS safely.
Compliance & Risk Mitigation
Meet and maintain compliance.
Software Supply Chain Security
Build secure software by default.
Back
Docs
Open source
Back
Unchained blog
Chainguard labs
Customer stories
Events
Security
Education
Back
About
Newsroom
Careers
Chainguard love
Back
About
Newsroom
Careers
Product

The haunting of CVE-2023-2454: A developer's nightmare

John Speed Meyers, Principal Research Scientist
October 3, 2023
copied

Disclaimer: The CVEs in these stories are real, but the names of people involved are fictional for privacy and storytelling purposes. 

In this post, we’ll hear a ghost story that could strike fear into the hearts of any developer. This story describes a false negative: a case where a scanner didn’t report a vulnerability that an image actually contained.

Although the scanner correctly finds the affected package, the metadata from the vulnerability database is insufficient to report that the image is affected by CVE-2023-2454! Fortunately, there’s a happy ending: Chainguard Images often contain fixes for even vulnerabilities that a scanner misses.

The story

In the world of software development, there exists a chilling tale of a vulnerability that eluded the watchful eyes of the most diligent scanners. Gather 'round, dear readers, as we unveil the eerie ghost story of CVE-2023-2454—a vulnerability matching a false negative that haunts the depths of container security.

The story begins with a developer named Alex, a master of the digital realm, who embarked on a journey to create the perfect software image using the mystical PostgreSQL. With the command of a sorcerer, they summoned the postgres:15.2 image, confident that it would be an impervious fortress of code.

As the spectral night descended, Alex sought to ensure the safety of their creation by enlisting the aid of a trusted guardian—Trivy, the vulnerability scanner. With a flick of the command-line wand, Trivy was set in motion to list all the packages within the postgres:15.2 image, and there, in the depths of the digital cauldron, the PostgreSQL packages revealed themselves:

The scanner had done its duty, or so it seemed. But there was an unsettling aura in the air—a vulnerability, a phantom known as CVE-2023-2454, silently lurking within the PostgreSQL image.

With trembling hands, Alex commanded Trivy to unearth the vulnerabilities, to cast light upon the shadows. And as the results flowed in, they beheld a spooky revelation:

-- CODE language-bash -- CVE-2023-0464 CVE-2023-0465 CVE-2023-0466

But, alas! There was no trace of CVE-2023-2454, the ghostly vulnerability that held the image in its grip. It was as if the darkness had swallowed this sinister secret, leaving Alex to ponder the chilling reality of a vulnerability matching a false negative.

The image was consumed by the phantom vulnerability, and yet the scanner's eyes remained silent to its presence.

But fear not, dear developers, for with Chainguard Images, a glimmer of hope emerges from the depths of the crypt.

With Chainguard's approach, Images were kept eternally up-to-date, powered by the magic of automation. The PostgreSQL image, bearing the name cgr.dev/chainguard/postgres:latest, was summoned into existence. And there, in the package listings, Alex witnessed a miracle:

The vulnerability, CVE-2023-2454, was vanquished. With Chainguard's enchantment, even the most elusive of vulnerabilities were eradicated from the digital underworld.

So, dear developers, as you embark on your own journey, remember the harrowing tale of CVE-2023-2454. Be vigilant, for vulnerabilities may hide in the darkest corners, and false negatives may seek to deceive. Seek out the magic of fast, automatic vulnerability updates in Chainguard Images, for it may hold the key to banishing the spectral threats that haunt your code. Happy Halloween! 

Related articles
Product
Announcing early access to Chainguard’s CUDA Optimized Images
April 25, 2024
Product
New Chainguard Images in March 2024: Your safe source for open source
April 4, 2024
Product
Chainguard patches 3 “silent” Golang CVEs in under 24 hours
March 21, 2024

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.

Get started
Products

Chainguard Images

Solutions

Container Image Security

Vulnerability Remediation

Open Source Software Security

Compliance & Risk Mitigation

Software Supply Chain Security

Developer

Open source

Docs

Resources

Unchained blog

Chainguard Labs

Customer stories

Scanners

Security

Education

Company

About

Newsroom

Careers

Chainguard love

Legal

Contact

Follow

Twitter

GitHub

LinkedIn

TikTok

© 2023 Chainguard, Inc.

Contact
Contact