Core22 comes with a CVE

Hi, I have an Ubuntu 22.04 container with snapcraft and core22 installed. My vulnerability scanner detects a critical CVE in the container due to core22. It finds CVE-2023-37920 in the core22 snap. Specifically in the path /snap/core22/current/usr/lib/python3/dist-packages/certifi-2020.6.20.egg-info/PKG-INFO.

The certifi version that comes with core22 is 2020.6.20. The snapcraft comes with certifi version 2023.11.17. However since snapcraft has a base of core22, this CVE will be there whenever snapcraft is installed.

Is there any mitigation steps I can take about this?

Such things should be disclosed responsibly, not on forum.

Please see https://ubuntu.com/security/CVE-2023-37920 and the reasoning from the Ubuntu security team about it … in general it makes sense to first look up a CVE on the Ubuntu CVE tracker to see if it is really relevant …


I see, can you point me to where I should post issues like this in the future?

Thank you for the link. So just to make sure I understand this properly, Ubuntu is patched to use system CA certs and therefore not using the certifi package. Is that correct? If this is the case, is it possible to remove certifi from core22 so it does not get flagged?

I don’t think it can be removed from core22 since some things depend on it (i.e. console-conf), but with core24 python is gone from the base AFAIK and console-conf moved to a dedicated snap…

And yes, you understand correctly, in Ubuntu it uses ca-certs…

If removing this certifi package is not possible, do you know if it is possible to upgrade certifi in core22?

I tried upgrading the certifi package through pip but it is upgrading the version that comes with snapcraft not the one that comes with core22.

To what would you expect it to be upgraded to and what would you expect as a result? There is nothing vulnerable in it and any updated package would show the same result since it would still not use the vulnerable certs… Rather ask your scanner manufacturer to add an exception to reflect reality of Ubuntu and Debian packaged certifi…

In my opinion, the best solution for this would be to upgrade certifi as recommended. I know Ubuntu 24 (and by extension core24) has certifi version 2023.11.17. The version that comes with core22 is 2020.6.20. If this could be upgraded to a version greater than or equal to 2023.07.22 as stated on the CVE, it will resolve the CVE.

If this is not possible, then I can reach out to my scanner manufacturer to add an exception.

Again, there is no CVE since there is no dependency on the vulnerable bits that your scanner reports…

In general Ubuntu does not update to newer versions on stable releases (there are exceptions via the SRU process, but surely not a jump to a three year newer version (new versions have new bugs that we cannot easily test for post release)), your scanner reports a wrong thing here so it should be fixed …
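A triage check for the situation in this thread, added here as an example and not code from any of the posters: it reports which CA bundle `certifi.where()` resolves to (on Debian/Ubuntu-packaged certifi this is the system `ca-certificates` bundle, which is why the security team calls the finding a non-issue) and whether that bundle still carries any e-Tugra root, the roots whose removal in certifi 2023.07.22 is what CVE-2023-37920 tracks. The `/etc/ssl/certs/ca-certificates.crt` path and the "e-tugra" substring match on the subject are assumptions in the example.

```python
"""Triage for a CVE-2023-37920 finding against a Debian/Ubuntu-packaged certifi.
Added example, not code from this thread. Assumptions: the system bundle is
/etc/ssl/certs/ca-certificates.crt and e-Tugra roots carry "e-tugra" in O or CN.
"""
import ssl
from pathlib import Path

SYSTEM_BUNDLE = Path("/etc/ssl/certs/ca-certificates.crt")  # assumed ca-certificates path

def certifi_bundle():
    """Path certifi.where() returns, or None when certifi is not importable."""
    try:
        import certifi
    except ImportError:
        return None
    return Path(certifi.where())

def ca_subjects(pem_path):
    """Load a PEM bundle with the stdlib and return 'O / CN' for every CA certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=str(pem_path))
    subjects = []
    for cert in ctx.get_ca_certs():
        # subject is a tuple of RDNs, each a tuple of (attribute, value) pairs
        attrs = {k: v for rdn in cert["subject"] for k, v in rdn}
        subjects.append(f"{attrs.get('organizationName', '')} / {attrs.get('commonName', '')}")
    return subjects

def e_tugra_roots(subjects):
    """Subjects matching the e-Tugra roots that certifi 2023.07.22 removed."""
    return [s for s in subjects if "e-tugra" in s.lower()]

def triage(bundle, subjects):
    """Classify: 'no-certifi', 'system-bundle', 'vendored-clean' or 'vendored-e-tugra'."""
    if bundle is None:
        return "no-certifi"
    if Path(bundle) == SYSTEM_BUNDLE:
        return "system-bundle"  # Debian patch: trust comes from ca-certificates, not certifi
    return "vendored-e-tugra" if e_tugra_roots(subjects) else "vendored-clean"

if __name__ == "__main__":
    bundle = certifi_bundle()
    subjects = ca_subjects(bundle) if bundle else []
    print("certifi bundle:", bundle)
    print("e-Tugra roots in it:", e_tugra_roots(subjects))
    print("verdict:", triage(bundle, subjects))
```

Run it with the interpreter that ships inside the base (assumed to be `/snap/core22/current/usr/bin/python3`) so the certifi it reports on is core22's rather than the one bundled with snapcraft, and the `system-bundle` verdict plus an empty e-Tugra list is the evidence to hand the scanner vendor for the exception.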