Vulnerabilities detected in GCP Scim deployment, how to best patch?

AndrewKalat
AndrewKalat
Community Member

Good day,
We recently deployed 1Pass SCIM to our GCP environment, but our vulnerability management tool has flagged a number of high and critical vulnerabilities with the deployment. They primarily appear to be with the Google Container Optimized OS environment the SCIM is using. Example below.

My main question is what the appropriate process for remediating/patching these vulnerabilities? I am new to SCIM and GCP, so I'm a bit unsure of the right path forward. At first glance, it appears the container is tied to the main SCIM provision, and isn't independently upgraded. Anyway, the question is what is the best path forward to patch for these vulnerabilities? It appears the Container OS needs to be upgraded.

Example:
The machine running Container-Optimized OS version 89.16108.604.28 is vulnerable to CVE-2022-1292, which exists in versions >= 89.0.0.0, < 89.16108.659.14. The vulnerability affects the package openssl, which is installed by default on the Container-Optimized OS image.

The vulnerability was found in the Container-Optimized OS Release Notes with NVD severity: Critical.

The vulnerability can be remediated by updating the image version to 89.16108.659.14 or higher.
Name CVE-2022-1292
Severity Critical
Detailed Name openssl
Version 89.16108.604.28
Fixed Version 89.16108.659.14
Detection Method Operating System
Data Source Link cloud.google.com
Detected by Package openssl

Another example:
Description The package zlib1g version 1:1.2.11.dfsg-2 was detected in APT package manager on a container image running Debian 11.0 is vulnerable to CVE-2018-25032, which exists in versions < 1:1.2.11.dfsg-2+deb11u1.

The vulnerability was found in the Official Debian Security Advisories with vendor severity: High (NVD severity: High).

The vulnerability can be remediated by updating the package to version 1:1.2.11.dfsg-2+deb11u1 or higher, by adding the following command to the Dockerfile: RUN apt upgrade zlib1g.
Name CVE-2018-25032
Severity High
Detailed Name zlib1g
Version 1:1.2.11.dfsg-2
Fixed Version 1:1.2.11.dfsg-2+deb11u1

Thanks in advance for any help or pointers.


1Password Version: 2.4.0
Extension Version: Not Provided
OS Version: Google Container Optimized OS

Comments

  • Hi @AndrewKalat

    Thank you for getting in touch and highlighting the vulnerabilities. I'm a little surprised that our internal tool hadn't highlighted these, but as you said I was able to confirm these vulnerabilities exist. Updating them will require a new release of the SCIM bridge. I can start the ball rolling for this. I will let you know once a new version of the SCIM bridge is available.

    Again, I really appreciate you highlighting this. I will certainly keep this feedback in mind to reassess our tooling for this.

    Kind regards, Hass

  • AndrewKalat
    AndrewKalat
    Community Member

    Great, thanks.

This discussion has been closed.