
Comments (3)

jkppr commented on June 2, 2024

Note: I have quickly tested a setup with nginx:1.25.5-alpine-slim and did not run into any issues with booting up the system and some basic activity. Needs some additional testing, but can probably be moved to this version with the next release.

from timesketch.

jkppr commented on June 2, 2024

Fair point. Are you aware of any specific vulnerability that can be exploited in the current Timesketch default set-up?

Have you tried a setup with the latest nginx container version? Would be interested if you experienced any breakage.

from timesketch.

Aevyz commented on June 2, 2024

> Fair point. Are you aware of any specific vulnerability that can be exploited in the current Timesketch default set-up?

No, not that I am aware of. Took a look at the NGINX website and according to them the following items could be problems. They honestly don't sound like large enough problems to force an emergency update.

Memory corruption in the ngx_http_mp4_module
Severity: medium
[Advisory](http://mailman.nginx.org/pipermail/nginx-announce/2022/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA.html)
[CVE-2022-41741](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41741)
Not vulnerable: 1.23.2+, 1.22.1+
Vulnerable: 1.1.3-1.23.1, 1.0.7-1.0.15
[The patch](https://nginx.org/download/patch.2022.mp4.txt)  [pgp](https://nginx.org/download/patch.2022.mp4.txt.asc)

Memory disclosure in the ngx_http_mp4_module
Severity: medium
[Advisory](http://mailman.nginx.org/pipermail/nginx-announce/2022/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA.html)
[CVE-2022-41742](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41742)
Not vulnerable: 1.23.2+, 1.22.1+
Vulnerable: 1.1.3-1.23.1, 1.0.7-1.0.15
[The patch](https://nginx.org/download/patch.2022.mp4.txt)  [pgp](https://nginx.org/download/patch.2022.mp4.txt.asc)

1-byte memory overwrite in resolver
Severity: medium
[Advisory](http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html)
[CVE-2021-23017](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23017)
Not vulnerable: 1.21.0+, 1.20.1+
Vulnerable: 0.6.18-1.20.0
[The patch](https://nginx.org/download/patch.2021.resolver.txt)  [pgp](https://nginx.org/download/patch.2021.resolver.txt.asc)

From a first glance at Dockerhub (this is not financial legal security advice, bla bla bla), it appears most warnings stem from Layer 6 of the Dockerfile. Some of the underlying commands used may be vulnerable, but I doubt that should lead to any problems for us.

What is more interesting to look at is the underlying Alpine base image. OpenSSL has 4 CVEs, of which only one sounded somewhat relevant to me. Apparently an infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters, so it might be possible to DoS Nginx in certain circumstances, assuming it is using the OS OpenSSL library.
https://scout.docker.com/vulnerabilities/id/CVE-2022-0778?s=alpine&n=openssl&t=alpine&osn=alpine&osv=3.13&vr=%3C1.1.1n-r0&utm_source=hub&utm_medium=ExternalLink

I would not call this mission critical, nor do I have a PoC, but it might be worth taking a look at.

> Have you tried a setup with the latest nginx container version? Would be interested if you experienced any breakage.

Our Timesketch setup (and by extension Nginx Config) is modified quite a bit. Not sure if we are representative of everyone, but I will try deploying an updated NGINX and report back how things are going. Might take some time, since I'm fixing some other stuff first.

from timesketch.
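One way to turn the advisory table and the OpenSSL note in the comment above into a repeatable check is to parse the text of `nginx -V` (which nginx prints to stderr) and compare the reported nginx version, configure arguments and OpenSSL version against the listed ranges. This is an added example, not Timesketch project code; the nginx version ranges are taken from the comment, the OpenSSL cutoff of 1.1.1n comes from the Docker Scout link above (only the 1.1.1 branch is handled, an assumption), and the sample `nginx -V` outputs are constructed.

```python
# Added example: check `nginx -V` text against the advisories quoted in this thread.
import re

# (CVE, needs ngx_http_mp4_module compiled in, inclusive vulnerable version ranges)
NGINX_ADVISORIES = [
    ("CVE-2022-41741", True, [("1.1.3", "1.23.1"), ("1.0.7", "1.0.15")]),
    ("CVE-2022-41742", True, [("1.1.3", "1.23.1"), ("1.0.7", "1.0.15")]),
    ("CVE-2021-23017", False, [("0.6.18", "1.20.0")]),
]

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def nginx_version(v_output):
    """Version from the 'nginx version: nginx/x.y.z' line of `nginx -V`."""
    m = re.search(r"nginx version: nginx/(\d+(?:\.\d+)+)", v_output)
    if not m:
        raise ValueError("no nginx version line in output")
    return parse_version(m.group(1))

def openssl_version(v_output):
    """Runtime library if a 'running with OpenSSL' line exists, else the build-time one."""
    found = re.findall(r"(?:built|running) with OpenSSL (\S+)", v_output)
    return found[-1] if found else None

def affected_cves(v_output):
    """CVE ids from the table that cover this build; the mp4 CVEs are reported only
    when --with-http_mp4_module appears in the configure arguments."""
    ver = nginx_version(v_output)
    has_mp4 = "--with-http_mp4_module" in v_output
    hits = []
    for cve, needs_mp4, ranges in NGINX_ADVISORIES:
        if needs_mp4 and not has_mp4:
            continue
        if any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    # CVE-2022-0778: fixed in 1.1.1n per the Docker Scout link; only the 1.1.1
    # branch that the Alpine base image ships is checked here (assumption)
    m = re.fullmatch(r"1\.1\.1([a-z]?)", openssl_version(v_output) or "")
    if m and m.group(1) < "n":
        hits.append("CVE-2022-0778")
    return hits

# Constructed samples: an old build, and one on the image version tested in the thread
OLD_BUILD = ("nginx version: nginx/1.19.10\nbuilt with OpenSSL 1.1.1k  25 Mar 2021\n"
             "configure arguments: --with-http_ssl_module --with-http_mp4_module")
NEW_BUILD = ("nginx version: nginx/1.25.5\nbuilt with OpenSSL 3.1.4 24 Oct 2023\n"
             "configure arguments: --with-http_ssl_module --with-http_mp4_module")
```

Feed it the real output with `docker exec <container> nginx -V 2>&1`; a build that omits the mp4 module drops the two mp4 CVEs from the result even when the version falls inside their ranges.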
