Can someone please advise on how to fix the vulnerabilities found by Klar using Clair scanner for my Azure ACR image. I'm still new to working with containers.
Here is a sample of the result from Klar
Found in: apparmor [2.10.95-0ubuntu2.11]
Fixed By:
In all versions of AppArmor mount rules are accidentally widened when compiled.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-1585
-----------------------------------------
CVE-2020-3810: [Medium]
Found in: apt [1.2.32]
Fixed By: 1.2.32ubuntu0.1
Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-3810
-----------------------------------------
CVE-2018-11237: [Medium]
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-11237
-----------------------------------------
CVE-2018-6485: [Medium]
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6485
-----------------------------------------
CVE-2017-18269: [Medium]
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-18269
-----------------------------------------
CVE-2020-1751: [Medium]
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751
-----------------------------------------```
To fix vulnerability error in container images you normally need to often simply recompile your image by updating the FROM statement with a more recent version of the base image you are using.
e.g. https://hub.docker.com/_/ubuntu?tab=tags
as you can see this image is getting updated quite often.
If you are using a specific tag (or latest) you might need to delete the image form your local build machine (e.g. docker rmi ) to force your docker daemon to re pull the image on the next
docker buildcommand