
Comments (8)

zanieb avatar zanieb commented on May 30, 2024

Thanks for submitting the issue @niakki

For mostly internal purposes, we have a few courses of action here.

Apollo

Based on the official node-slim image. Recently upgraded in #153. This appears to be using debian-stretch. We could:

  • Upgrade major versions and see if it breaks anything (14.x.x -> 15.x.x)
  • Upgrade minor version and see if it fixes security concerns (14.15.x -> 14.16.x)
  • Upgrade to debian-buster (#198)
  • Install node manually in a base image of our choice ie Ubuntu

Server

Based on the official python-3.7-slim image. This appears to be using debian-buster already.

Consider

  • Using slim-buster to designate a newer Debian version (not sure what version of Debian is running now; already using buster)
  • Using alpine instead of Debian (we need glibc)
  • Install python manually in a base image of our choice ie Ubuntu

from server.

zanieb avatar zanieb commented on May 30, 2024

Following #198 the Apollo/Server images are on the latest stable version of Debian. We've audited the critical/high CVEs for this version and they do not apply to our use. This version of Debian is widely used and I don't think we'll deviate from it at this time to satisfy external security policies.

@niakki -- You can create custom images that are based on Ubuntu instead if you need to do so to satisfy your requirements. It seems likely that you could just change the base image then install python / node as needed.


niakki avatar niakki commented on May 30, 2024

> Following #198 the Apollo/Server images are on the latest stable version of Debian. We've audited the critical/high CVEs for this version and they do not apply to our use. This version of Debian is widely used and I don't think we'll deviate from it at this time to satisfy external security policies.
>
> @niakki -- You can create custom images that are based on Ubuntu instead if you need to do so to satisfy your requirements. It seems likely that you could just change the base image then install python / node as needed.

Thank you @madkinsz, I'll try that.


noemtz avatar noemtz commented on May 30, 2024

Hi, we are in a similar scenario as @niakki and have found CVE (CVE-2019-18276) vulnerabilities on Debian Buster. If you could update to Debian Bullseye as base for Server/Apollo it would be great since these vulnerabilities are resolved there.


zanieb avatar zanieb commented on May 30, 2024

Hi @noemtz -- can you clarify how that CVE is relevant? From the disclosure:

> However, binaries running with an effective UID of 0 are unaffected.

There's only a root user in these containers so this CVE does not affect you.

❯ docker run -it prefecthq/server bash
root@80cd93bc5486:/prefect-server# echo $UID
0
root@80cd93bc5486:/prefect-server# echo $EUID
0


noemtz avatar noemtz commented on May 30, 2024

Hi @madkinsz,

It is relevant for us because Azure highlights this vulnerability on it and we are very strict with respect to security. As per the Azure Security Policy ("Running containers as root user should be avoided") we need to deploy the container with a different user than root (for this we need to create an image with this container as base), and also because as per the Microsoft Defender for Cloud scanner this image has a high risk vulnerability. Thoughts?

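The two comments above pull in opposite directions: the image runs bash as root, so the disclosure's "effective UID of 0" exemption applies, but a policy that forces a non-root user removes that exemption while the base is still buster. The following script is an added example written for this thread, not code from the Prefect project or from either commenter. It encodes only the two facts stated on this page (EUID 0 is unaffected; the fix is present from bullseye on) so a reviewer can record the verdict for a given image in a reproducible way. The sample /etc/os-release text is constructed, not captured from the real image; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the Prefect issue thread): decide whether
# CVE-2019-18276 is relevant to a container, using the two facts quoted
# in the discussion:
#   (1) processes running with an effective UID of 0 are unaffected;
#   (2) Debian bullseye and later ship the fixed bash.

# Map a Debian codename to a comparable release number.
# Unknown codenames map to 0 so that they are treated conservatively
# (i.e. flagged) rather than silently passed.
debian_release_number() {
  case "$1" in
    stretch)  echo 9 ;;
    buster)   echo 10 ;;
    bullseye) echo 11 ;;
    bookworm) echo 12 ;;
    *)        echo 0 ;;
  esac
}

# Extract VERSION_CODENAME from /etc/os-release-style text on stdin.
os_release_codename() {
  sed -n 's/^VERSION_CODENAME=//p' | tr -d '"'
}

# Exit status 0 (true) when the CVE is relevant: the process would run
# bash with a non-root EUID on a release older than bullseye.
cve_2019_18276_relevant() {
  local euid="$1" codename="$2" rel
  rel=$(debian_release_number "$codename")
  if [ "$euid" -eq 0 ]; then return 1; fi   # root: exemption from the disclosure
  if [ "$rel" -ge 11 ]; then return 1; fi   # bullseye or newer: fixed package
  return 0
}

# Human-readable verdict. Inside a container this can be called as:
#   cve_verdict "$EUID" "$(cat /etc/os-release)"
cve_verdict() {
  local euid="$1" osrel="$2" codename
  codename=$(printf '%s\n' "$osrel" | os_release_codename)
  if cve_2019_18276_relevant "$euid" "$codename"; then
    echo "relevant: EUID=$euid on Debian $codename (non-root bash on a pre-bullseye release)"
  else
    echo "not relevant: EUID=$euid on Debian $codename"
  fi
}

# Constructed sample os-release content for a buster-based image
# (illustrative only, not a capture from prefecthq/server).
SAMPLE_OS_RELEASE='PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian'

# Stand-alone run: the root case from the thread, then the non-root case
# a "no root in containers" policy would create on the same base image.
cve_verdict 0 "$SAMPLE_OS_RELEASE"
cve_verdict 1000 "$SAMPLE_OS_RELEASE"
```

Run as-is it prints the two verdicts for the constructed buster sample; mounted into a derived image it can be run as the image's intended user to document whether the policy change (switching to a non-root `USER`) re-introduces exposure that a base-image bump to bullseye would close.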

zanieb avatar zanieb commented on May 30, 2024

We will likely update the Debian base image soon, if you open a PR I will review it. Generally I'd recommend building an image that fits your needs directly if you have strict security requirements. This is an open source project and it's difficult for us to assess and address security cases that are beyond our intended uses. Automated scans do not always capture realistic scenarios.


noemtz avatar noemtz commented on May 30, 2024

I totally understand, I can help with the PR. Thanks for the prompt response.

