Maria DB vulnerabilities

tejas · May 18, 2022, 11:03am

having lot of vulnerability related to mariaDB in latest liquibase docker image … can anyone plz suggest how to remove mariaDB from liquibase …

mariadb-10.5:1:10.5.15-0+deb11u1

MikeOlivas · May 18, 2022, 9:24pm

Hi @tejas . Can you provide the CVE numbers for the mariadb driver that is included in the the docker image that Liquibase provides so that we can assess which version of the driver we would need to update to in order to fix or mitigate the risk of that driver.
Second, in order to remove the mariadb driver from the docker image, you have 2 options that I can think of and they both involve creating your own docker image.
One would be to build your own docker image and include liquibase core with any/all the drivers that you would like using this file as a basis.

github.com

liquibase/docker/blob/main/Dockerfile

FROM openjdk:11-jre-slim-buster

# Install GNUPG for package vefification and WGET for file download
RUN apt-get update \
    && apt-get -yqq install krb5-user libpam-krb5 \
    && apt-get -y install gnupg wget unzip \
    && rm -rf /var/lib/apt/lists/*

# Add the liquibase user and step in the directory
RUN addgroup --gid 1001 liquibase
RUN adduser --disabled-password --uid 1001 --ingroup liquibase liquibase

# Make /liquibase directory and change owner to liquibase
RUN mkdir /liquibase && chown liquibase /liquibase
WORKDIR /liquibase

#Symbolic link will be broken until later
RUN ln -s /liquibase/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh \
  && ln -s /liquibase/docker-entrypoint.sh /docker-entrypoint.sh \
  && ln -s /liquibase/liquibase /usr/local/bin/liquibase \

This file has been truncated. show original

The second would be to use lpm to remove the driver from the docker image that you build as well.
See this as an example where instead of running lpm add you would use
lpm remove mariadb

Very similar to the MYSQL example in the readme
Dockerfile:
FROM liquibase/liquibase
RUN lpm remove mariadb --global

This will use the latest docker image and create a new one where you run
docker build . -t liquibase/liquibase-nomariadbdriver

tejas · May 19, 2022, 6:04am

@MikeOlivas
Please find long list below

CVE-2022-1304 e2fsprogs:1.46.2-2
CVE-2021-33560 libgcrypt20:1.8.7-6
CVE-2022-27376 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27379 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27385 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27381 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27382 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27386 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27456 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27457 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27380 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27448 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27452 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27451 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2021-46669 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27383 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27449 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27445 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27455 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27458 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27378 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27446 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27387 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27444 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27377 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27384 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27447 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-29458 ncurses:6.2+20201114-2
CVE-2020-16156 perl:5.32.1-4+deb11u2
CVE-2021-45346 sqlite3:3.34.1-3
CVE-2022-0530 unzip:6.0-26
CVE-2022-0529 unzip:6.0-26
CVE-2021-31879 wget:1.21-1+deb11u1
CVE-2018-25032 zlib:1:1.2.11.dfsg-2

tejas · May 19, 2022, 2:13pm

used 2nd option as suggested by you

lpm remove mariadb --global
mariadb-java-client-3.0.4.jar successfully uninstalled from classpath. (got this msg in response)

But still getting multiple vulnerabilities related to mariadb
looks like it is tightly coupled in liquibase original code

I am only using mysql so want to get rid of mariadb which is showing lot of issues in vulnerability scan

MikeOlivas · May 20, 2022, 12:57pm

@tejas Thanks for the response. Not sure why you are still seeing vulnerabilities when the mariadb driver no longer exists in the image. What are you using to view the vulnerabilities or what software is showing that the liquibase container has vulnerabilities with MariaDB once the driver is removed.
The list provided also shows server side vulnerabilities. We only add the driver side to the docker image. There is no MariaDB server in the image.

tejas · May 20, 2022, 2:23pm

we are using AWS ECR scan

Topic		Replies	Views
Liquibase image 4.17.2 flagged by Aqua Security	2	234	December 9, 2022
CVE-2022-0778 vulnerability in liquibase	6	1720	April 22, 2022
Liquibase 4.23.1 docker image contains previous version of liquibase 4.23.0 Liquibase Development	1	301	September 5, 2023
Liquibase vulnerability scan General Discussion	3	926	July 2, 2020
SQL Server liquibase github integration General Discussion	2	721	December 18, 2020

Maria DB vulnerabilities

Related Topics