[ZBX-24290] Running a virus scan of the Zabbix Proxy docker images results in a malware alert Created: 2024 Apr 02 Updated: 2024 Apr 03 |
|
Status: | Confirmed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Proxy (P) |
Affects Version/s: | 6.4.12, 6.4.13 |
Fix Version/s: | None |
Type: | Defect (Security) | Priority: | Trivial |
Reporter: | Henrik Jessen Egholm | Assignee: | Alexey Pustovalov |
Resolution: | Unresolved | Votes: | 0 |
Labels: | proxy | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified | ||
Environment: |
docker image zabbix/zabbix-proxy-sqlite3:alpine-6.4.13 |
Description |
docker pull zabbix/zabbix-proxy-sqlite3:alpine-6.4.13
docker save -o /tmp/zabbix-proxy-sqlite3-6.4.13 zabbix/zabbix-proxy-sqlite3:alpine-6.4.13
Submit to https://www.virustotal.com/
Result: https://www.virustotal.com/gui/file/418ae0447fd17871e6d1390e437f89a7797c4ca2129158e8ed0001ca552982d0?nocache=1 |
Comments |
Comment by Edgar Akhmetshin [ 2024 Apr 02 ] |
Dear Henrik, Could you please provide more information on the vulnerable part of the image you are referring to? According to the https://www.virustotal.com/ portal it's not clear which part of the image is infected by malware. Also, I have followed the same steps and uploaded the image:
docker pull zabbix/zabbix-proxy-sqlite3:alpine-6.4.13
alpine-6.4.13: Pulling from zabbix/zabbix-proxy-sqlite3
bca4290a9639: Already exists
99a0dddffc2c: Pull complete
144f2e3bcbce: Pull complete
d36b9ec1c317: Pull complete
93d192765e2a: Pull complete
7fd7abae63dc: Pull complete
4f4fb700ef54: Pull complete
1ae684915b6e: Pull complete
Digest: sha256:1f0fb2892f6682b48187024d8d0a187e797bc91d4925e5e74416dd8367f4b203
Status: Downloaded newer image for zabbix/zabbix-proxy-sqlite3:alpine-6.4.13
docker.io/zabbix/zabbix-proxy-sqlite3:alpine-6.4.13
docker save zabbix/zabbix-proxy-sqlite3:alpine-6.4.13 > ~/Downloads/zabbix-proxy-sqlite3-6.4.13
Please check your system for viruses/malware/etc... Cannot reproduce. Regards,
|
Comment by Henrik Jessen Egholm [ 2024 Apr 03 ] |
Hi Edgar, I have tested on multiple machines now, same result. So I doubt it's malicious software on my end. I did a docker image inspect; if you do the same we can compare:
// [ { "Id": "sha256:82b04fe5beb1262b8e9885a96bc4237d6edbde2f95e222cc007ef9bc9f5e7a26", "RepoTags": [ "zabbix/zabbix-proxy-sqlite3:latest" ], "RepoDigests": [ "zabbix/zabbix-proxy-sqlite3@sha256:118d0d53d6e6c24924c7de76e6646020fa5ae56e84bf145b4f9b1a83bb1de6da" ], "Parent": "", "Comment": "buildkit.dockerfile.v0", "Created": "2023-11-01T16:49:26.601779081Z", "DockerVersion": "", "Author": "", "Config": { "Hostname": "", "Domainname": "", "User": "1997", "AttachStdin": false, "AttachStdout": false, "AttachStderr": false, "ExposedPorts": { "10051/tcp": {} }, "Tty": false, "OpenStdin": false, "StdinOnce": false, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm", "ZBX_VERSION=6.4.8", "ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git", "MIBDIRS=/usr/share/snmp/mibs:/var/lib/zabbix/mibs", "MIBS=+ALL" ], "Cmd": [ "/usr/sbin/zabbix_proxy", "--foreground", "-c", "/etc/zabbix/zabbix_proxy.conf" ], "ArgsEscaped": true, "Image": "", "Volumes": { "/var/lib/zabbix/snmptraps": {} }, "WorkingDir": "/var/lib/zabbix", "Entrypoint": [ "/sbin/tini", "--", "/usr/bin/docker-entrypoint.sh" ], "OnBuild": null, "Labels": { "org.opencontainers.image.authors": "Alexey Pustovalov <[email protected]>", "org.opencontainers.image.created": "2023-11-01T16:47:54.637Z", "org.opencontainers.image.description": "Zabbix proxy with SQLite3 database support", "org.opencontainers.image.documentation": "https://www.zabbix.com/documentation/6.4/manual/installation/containers", "org.opencontainers.image.licenses": "GPL v2.0", "org.opencontainers.image.revision": "f67b49d04ef805698a6e56fc0755bfceb7908651", "org.opencontainers.image.source": "https://git.zabbix.com/scm/zbx/zabbix.git", "org.opencontainers.image.title": "Zabbix proxy (SQLite3)", "org.opencontainers.image.url": "https://zabbix.com/", "org.opencontainers.image.vendor": "Zabbix LLC", "org.opencontainers.image.version": "6.4.8" }, "StopSignal": "SIGTERM" }, "Architecture": "amd64", "Os": "linux", 
"Size": 48850709, "GraphDriver": { "Data": { "LowerDir": "/var/lib/docker/overlay2/536e6dab68a38513a98005d28826d3d0915a8f3a8664d234a27d7fb786f2f26e/diff:/var/lib/docker/overlay2/21152cb5499011aa7e7300c9468765f3b3e5bae56b22e298317e52f8eee51e1f/diff:/var/lib/docker/overlay2/b27b1567bdda2f5d3ecc9ffd8ef8bb7f82fa7d9dc23426d0b0ee94816681e209/diff:/var/lib/docker/overlay2/7b8886a52a9137695b37ac8a1ea976fe4a42a846d064956b665b1894fbf314ca/diff:/var/lib/docker/overlay2/5a84401ec6c304fd6a9adccbca5d14263dd89426b21561095ad5b65f79f25168/diff:/var/lib/docker/overlay2/e72ed5a5c7253a0510682918842863fd9ac00e8eec627ccb79f89bc6b6468967/diff:/var/lib/docker/overlay2/4a6e82b2b0b268331eedbdc7de9f69497c79c22b9e4b253f8648d0b460594825/diff", "MergedDir": "/var/lib/docker/overlay2/874be7c715f796f0641cdefb2a120d3337cde5120ab9f3e206030808fc5ec176/merged", "UpperDir": "/var/lib/docker/overlay2/874be7c715f796f0641cdefb2a120d3337cde5120ab9f3e206030808fc5ec176/diff", "WorkDir": "/var/lib/docker/overlay2/874be7c715f796f0641cdefb2a120d3337cde5120ab9f3e206030808fc5ec176/work" }, "Name": "overlay2" }, "RootFS": { "Type": "layers", "Layers": [ "sha256:36b50b131297b8860da51b2d2b24bb4c08dfbdf2789b08e3cc0f187c98637a19", "sha256:520348355cf92101cf5cd1288790c58313ddfd581ecbb43b2dccca4110c633f4", "sha256:329bacefe2b66f10ea98f24faf0b98ff2f41e03d566e7650260c8f051da2ed5b", "sha256:f4b94fa65fa4b0ed7195bdbbe553c8f34cebd5969fe3a235f9302a375ec5135f", "sha256:de97434a06f350eeab9c21302e3508c047bc1b4edc1ce2a267498fb39230416b", "sha256:2a7c01a846f70fda7b68999c5ff720a9d84f779730d4f142e48b08dcdd0c59c1", "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef", "sha256:eb8d05dd946fb43b8f031762a20b436aeed61847d99a6eefbdad1bffc9c2e17b" ] }, "Metadata": { "LastTagTime": "0001-01-01T00:00:00Z" } } ] |
Comment by Edgar Akhmetshin [ 2024 Apr 03 ] |
6.4.13 as stated in the issue, not 6.4.8 like yours. From the link provided by you https://www.virustotal.com/gui/file/418ae0447fd17871e6d1390e437f89a7797c4ca2129158e8ed0001ca552982d0?nocache=1 it's not clear what the issue is, since no details are given. Provide details or we are going to close as Cannot reproduce, since we are not able to repeat the issue.
docker inspect zabbix/zabbix-proxy-sqlite3:alpine-6.4-latest
[ { "Id": "sha256:8250871245a2b5988cae1d987ad7ddf05005657ff02368ef3783943995eebafb", "RepoTags": [ "zabbix/zabbix-proxy-sqlite3:alpine-6.4-latest" ], "RepoDigests": [ "zabbix/zabbix-proxy-sqlite3@sha256:894dde297b786ae64857f36d349abe234de4086d0292443199a7068e31095f57" ], "Parent": "", "Comment": "buildkit.dockerfile.v0", "Created": "2024-03-25T19:32:28.085938184Z", "Container": "", "ContainerConfig": { "Hostname": "", "Domainname": "", "User": "", "AttachStdin": false, "AttachStdout": false, "AttachStderr": false, "Tty": false, "OpenStdin": false, "StdinOnce": false, "Env": null, "Cmd": null, "Image": "", "Volumes": null, "WorkingDir": "", "Entrypoint": null, "OnBuild": null, "Labels": null }, "DockerVersion": "", "Author": "", "Config": { "Hostname": "", "Domainname": "", "User": "1997", "AttachStdin": false, "AttachStdout": false, "AttachStderr": false, "ExposedPorts": { "10051/tcp": {} }, "Tty": false, "OpenStdin": false, "StdinOnce": false, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm", "ZBX_VERSION=6.4.13", "ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git", "MIBDIRS=/usr/share/snmp/mibs:/var/lib/zabbix/mibs", "MIBS=+ALL", "NMAP_PRIVILEGED=" ], "Cmd": [ "/usr/sbin/zabbix_proxy", "--foreground", "-c", "/etc/zabbix/zabbix_proxy.conf" ], "ArgsEscaped": true, "Image": "", "Volumes": { "/var/lib/zabbix/snmptraps": {} }, "WorkingDir": "/var/lib/zabbix", "Entrypoint": [ "/sbin/tini", "--", "/usr/bin/docker-entrypoint.sh" ], "OnBuild": null, "Labels": { "org.opencontainers.image.authors": "Alexey Pustovalov 
<[email protected]>", "org.opencontainers.image.created": "2024-03-25T19:31:30.129Z", "org.opencontainers.image.description": "Zabbix proxy with SQLite3 database support", "org.opencontainers.image.documentation": "https://www.zabbix.com/documentation/6.4/manual/installation/containers", "org.opencontainers.image.licenses": "GPL v2.0", "org.opencontainers.image.revision": "6b85028331f30dcd3440888d846babd12eb01ae2", "org.opencontainers.image.source": "https://git.zabbix.com/scm/zbx/zabbix.git", "org.opencontainers.image.title": "Zabbix proxy (SQLite3)", "org.opencontainers.image.url": "https://zabbix.com/", "org.opencontainers.image.vendor": "Zabbix LLC", "org.opencontainers.image.version": "6.4.13" }, "StopSignal": "SIGTERM" }, "Architecture": "arm64", "Os": "linux", "Size": 57883698, "GraphDriver": { "Data": { "LowerDir": "/var/lib/docker/overlay2/801d17c977eff86df9d17d34430d96c3a16f0724c7df40a9ec97c60e06682db5/diff:/var/lib/docker/overlay2/c0d1b9917e21aeaadabcb87aed0f58dae791b0fbabacd45e60bf680328492ea2/diff:/var/lib/docker/overlay2/50efeced6a88fc4c0f2ff6718b66fc24e9be24155a256a4b46fb302c0c84f06b/diff:/var/lib/docker/overlay2/6155b00bb7689c948089cae4984fe8c4cecd37d1d3e426abd29c5d65edce9c1a/diff:/var/lib/docker/overlay2/e1097069af1160abe525697a1321ff0fbf2246e038f8d5725c66252e8fd4fbce/diff:/var/lib/docker/overlay2/f369e0020da36d0be7e0a2a8bd87c6c058d1a667027dd119c603cc99f60b30e0/diff:/var/lib/docker/overlay2/6b700c6ef0352ae6d34903a37301c3e10c99c9145776d75c6657a3e5629351c4/diff", "MergedDir": "/var/lib/docker/overlay2/19adcc0afa47e95420e7788e01c1f01d791e40b2cef8550577361113b998b2f4/merged", "UpperDir": "/var/lib/docker/overlay2/19adcc0afa47e95420e7788e01c1f01d791e40b2cef8550577361113b998b2f4/diff", "WorkDir": "/var/lib/docker/overlay2/19adcc0afa47e95420e7788e01c1f01d791e40b2cef8550577361113b998b2f4/work" }, "Name": "overlay2" }, "RootFS": { "Type": "layers", "Layers": [ "sha256:b09314aec293bcd9a8ee5e643539437b3846f9e5e55f79e282e5f67e3026de5e", 
"sha256:3fc4faee24520134b1774b9d64c4735de263e0e043f6609897d05002c319c42a", "sha256:e1cdcd5ac1263081749cf0190bfc1c0ed9c39fa0c47e79249530e8a18086c12f", "sha256:9cb48388009572cf1fb936b415d71f53c6aa6d717b6bc24075f45d17601ae3e8", "sha256:ac23823325a52a6523d2d52896f6762776f6f03b87e79f10b4edeb318129e801", "sha256:60fd60f69253aeaa3767ff31562570453c164cdc6c506261134016a186e5f7ae", "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef", "sha256:5206971b7aa73bc15148101df4cec74bf85065e20cab8d7311e905ba05107488" ] }, "Metadata": { "LastTagTime": "0001-01-01T00:00:00Z" } } ] |
Comment by Henrik Jessen Egholm [ 2024 Apr 03 ] |
Sorry, I inspected the wrong image, here is the correct one:
[hje@legion5 test]$ docker image inspect zabbix/zabbix-proxy-sqlite3:alpine-6.4.13
[ { "Id": "sha256:0984689f3365ff0e5c8cd15f16ecdf01531d339d56c0ddc34225c4c9ecbc88c1", "RepoTags": [ "zabbix/zabbix-proxy-sqlite3:alpine-6.4.13" ], "RepoDigests": [ "zabbix/zabbix-proxy-sqlite3@sha256:1f0fb2892f6682b48187024d8d0a187e797bc91d4925e5e74416dd8367f4b203" ], "Parent": "", "Comment": "buildkit.dockerfile.v0", "Created": "2024-03-25T19:15:03.326861911Z", "DockerVersion": "", "Author": "", "Config": { "Hostname": "", "Domainname": "", "User": "1997", "AttachStdin": false, "AttachStdout": false, "AttachStderr": false, "ExposedPorts": { "10051/tcp": {} }, "Tty": false, "OpenStdin": false, "StdinOnce": false, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm", "ZBX_VERSION=6.4.13", "ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git", "MIBDIRS=/usr/share/snmp/mibs:/var/lib/zabbix/mibs", "MIBS=+ALL", "NMAP_PRIVILEGED=" ], "Cmd": [ "/usr/sbin/zabbix_proxy", "--foreground", "-c", "/etc/zabbix/zabbix_proxy.conf" ], "ArgsEscaped": true, "Image": "", "Volumes": { "/var/lib/zabbix/snmptraps": {} }, "WorkingDir": "/var/lib/zabbix", "Entrypoint": [ "/sbin/tini", "--", "/usr/bin/docker-entrypoint.sh" ], "OnBuild": null, "Labels": { "org.opencontainers.image.authors": "Alexey Pustovalov <[email protected]>", "org.opencontainers.image.created": "2024-03-25T19:14:13.088Z", "org.opencontainers.image.description": "Zabbix proxy with SQLite3 database support", "org.opencontainers.image.documentation": "https://www.zabbix.com/documentation/6.4/manual/installation/containers", "org.opencontainers.image.licenses": "GPL v2.0", "org.opencontainers.image.revision": "6b85028331f30dcd3440888d846babd12eb01ae2", "org.opencontainers.image.source": "https://git.zabbix.com/scm/zbx/zabbix.git", "org.opencontainers.image.title": "Zabbix proxy (SQLite3)", "org.opencontainers.image.url": "https://zabbix.com/", 
"org.opencontainers.image.vendor": "Zabbix LLC", "org.opencontainers.image.version": "6.4.13" }, "StopSignal": "SIGTERM" }, "Architecture": "amd64", "Os": "linux", "Size": 51551829, "GraphDriver": { "Data": { "LowerDir": "/var/lib/docker/overlay2/efa3da25a42aa19cf1c310fc01818da960b187a6f7d1ee2a0ebd30f13614387a/diff:/var/lib/docker/overlay2/ee80dabd4a6bf26906b6b9d65fc6eb887b53078cc2686e28a10ef64745e97ea7/diff:/var/lib/docker/overlay2/62cac2e266e852aab3490581e7df0e90754f779027f11abab1ee6d1303195434/diff:/var/lib/docker/overlay2/699f692012b3decf51fdeae1adb73f1d6ffdf937b4b15ffa12ba72e80305c58d/diff:/var/lib/docker/overlay2/6960034ae1176ef00d3316ac22ebfc076c6aa8c2873f3911faab01fedf63479e/diff:/var/lib/docker/overlay2/f5fd63441cb2dbefda393eb51be265431e412e19e8b9c57d97e2e4abdebc1cf3/diff:/var/lib/docker/overlay2/789506d06d61e48cb2e75cc6680635e7644f45df314eda7842bf018a1423a469/diff", "MergedDir": "/var/lib/docker/overlay2/5de271d6413a4f9ce53e8a9ba67a44800c4f71a2e8e0d14b8332f38cc2513748/merged", "UpperDir": "/var/lib/docker/overlay2/5de271d6413a4f9ce53e8a9ba67a44800c4f71a2e8e0d14b8332f38cc2513748/diff", "WorkDir": "/var/lib/docker/overlay2/5de271d6413a4f9ce53e8a9ba67a44800c4f71a2e8e0d14b8332f38cc2513748/work" }, "Name": "overlay2" }, "RootFS": { "Type": "layers", "Layers": [ "sha256:d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820", "sha256:9754da84522648019373734f522c9a6170a0650ef3ce6e36a79e99e4ef0f1708", "sha256:003055421ece2d16ffa68ebb96c79025f2e13f4b0dd45a31d6f0492789023dd8", "sha256:f47a5be3e01d6d335f457b454672c482edd7bc804aa6685c1cd51e143a1f90f1", "sha256:901ddd4cc3237b0d82fa3d577841023afe5ea66c180f531761aa7f5ad014e057", "sha256:39b64b507ce1e17a62b9a47cc1e0a893aafee696cd7f99f8173dd46c0b5f12c6", "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef", "sha256:8d9ace76e6944ce1a136478b11f193452b358891f3128d6a4a765779029e0971" ] }, "Metadata": { "LastTagTime": "2024-04-02T19:53:50.718509391+02:00" } } ] And after extracting that image's 
blobs and submitting the files, I found it is the busybox file in the image that gives the warning:
You are inspecting alpine-6.4-latest; could you try with alpine-6.4.13 instead? |
Comment by Mark Lahn Nykjær [ 2024 Apr 03 ] |
I have pulled, saved and uploaded these versions, and they all flag up on VirusTotal:
zabbix-proxy-sqlite3:alpine-6.4.13 - https://www.virustotal.com/gui/file/60bae1029a80e7e17379ad8e6744ec825beb2a3ff25de89e49415c51abf5b68e?nocache=1
zabbix-proxy-sqlite3:alpine-6.4.12 - https://www.virustotal.com/gui/file/6d6e74e5e8e93be5653f2df9b80cda2fe7f8286a19a0c17e312065bcce047ab3?nocache=1
zabbix-proxy-sqlite3:alpine-6.4-latest - https://www.virustotal.com/gui/file/f82cab38eb4e9c05a1cceeb13b92336b6dde0debbcdf9f404b9fc9be53ba8081?nocache=1
zabbix-proxy-sqlite3:alpine-6.4.11 does not flag anything on VT.
These are pulled from DockerHub and have the following checksums:
$ docker images |
Comment by Edgar Akhmetshin [ 2024 Apr 03 ] |
Hello Henrik, Found the difference: my system is arm64 and the default images are arm64 (totally forgot about this). With the --platform flag for amd64 images I can reproduce the issue. Thank you for pinpointing the busybox part, since VirusTotal shows mostly nothing about the issue, just 'I don't like this'. Regards, |
Comment by Edgar Akhmetshin [ 2024 Apr 03 ] |
Probably related to some of the unresolved CVE issues of the alpine project: |
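The two things that resolved this thread, as an added example that is not part of the original issue or Zabbix's own code: reading the platform out of a `docker save` archive (arm64 versus amd64) and hashing each file per layer so that one file, such as busybox, can be looked up instead of the whole archive. It assumes the `manifest.json` layout that `docker save` writes; the sample archive, its placeholder file contents and the function names are constructed for illustration.

```python
import hashlib, io, json, tarfile

def make_tar(files):
    """Pack {path: bytes} into an in-memory tar (only used to build the sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_archive():
    """Constructed stand-in for `docker save` output; file contents are placeholders."""
    manifest = [{"Config": "config.json", "RepoTags": ["example/proxy:demo"],
                 "Layers": ["l0/layer.tar", "l1/layer.tar"]}]
    return make_tar({
        "manifest.json": json.dumps(manifest).encode(),
        "config.json": json.dumps({"architecture": "amd64", "os": "linux"}).encode(),
        "l0/layer.tar": make_tar({"bin/busybox": b"placeholder busybox bytes"}),
        "l1/layer.tar": make_tar({"usr/sbin/zabbix_proxy": b"placeholder proxy bytes"}),
    })

def triage(archive_bytes):
    """Return (architecture, [(layer, path, sha256), ...]) for a saved image."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as image:
        read = lambda name: image.extractfile(name).read()
        manifest = json.loads(read("manifest.json"))[0]
        # The image config records which platform variant was actually pulled.
        arch = json.loads(read(manifest["Config"]))["architecture"]
        rows = []
        for layer in manifest["Layers"]:
            # Each layer is itself a tar stream; the default mode also accepts gzip.
            with tarfile.open(fileobj=io.BytesIO(read(layer))) as layer_tar:
                for member in layer_tar:
                    if member.isfile():  # skip directories and applet symlinks
                        data = layer_tar.extractfile(member).read()
                        rows.append((layer, member.name, hashlib.sha256(data).hexdigest()))
    return arch, rows

if __name__ == "__main__":
    arch, rows = triage(sample_archive())
    print("architecture:", arch)
    for layer, path, digest in rows:
        print(layer, path, digest)
```

When two people compare scan results, comparing the reported architecture and the per-file digests first shows whether they scanned the same artifact at all.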