Docker container security

This topic describes security considerations and recommendations when using the OpenText Functional Testing for Developers Docker containers.

The Docker images for versions 24.2 and later are based on the Ubuntu operating system. This is a more secure environment than earlier UFT Developer Docker images.

If you are using earlier versions of the Docker images, be aware of the information below.

Docker images for UFT Developer versions 23.4 or earlier are based on the Debian Bookworm operating system. Several vulnerabilities have been reported in packages included in this operating system. Therefore, we recommend that you take measures to address these issues on your Docker containers.

When updated packages that address these vulnerabilities become available in Debian Bookworm, you can create updated images based on the official UFT Developer Docker images. For details on fixed issues, see the Debian security tracker.

General issues

This section describes general issues to be aware of when using UFT Developer Docker containers.

Vulnerability CVE-2023-2953

Description

A vulnerability was found in OpenLDAP, which is included in the UFT Developer Docker images.

OpenLDAP is a library that enables programs to replace their built-in authentication with a third-party authentication service. Some applications in the Docker image allow logging in using LDAP, which is why the library is pulled in as a dependency. Under some conditions, a null pointer dereference can occur, which could result in a crash.

In the UFT Developer Docker containers, LDAP is not configured for any of the included applications.

Recommendation

There does not seem to be a significant enough security concern to recommend avoiding LDAP altogether.

Vulnerabilities in Python: CVE-2023-41105, CVE-2023-24329

Description

Python is a scripting language widely used in Debian. Vulnerabilities were found in Python's standard library:

  • Attempting to normalize a path containing a '\0' (null) character causes the path to be truncated at the '\0' character, which could have security implications. For example, during validation, some paths that should not be accepted may be accepted.

  • In the urllib.parse component, attackers can potentially bypass blocklisting methods by providing a URL that starts with blank characters.

Recommendations

  • Avoid running Python scripts from unknown or untrusted sources.

  • In your Python scripts, make sure to check for '\0' (null) characters before calling normpath.

  • Use a multi-layered approach for blocking specific URLs, rather than relying on a single tool.
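The two checks recommended above, as an added example that is not code from this page or from the product: a wrapper that refuses null characters before calling normpath, and a layered URL filter that rejects leading blanks and control characters before parsing, then applies a scheme allowlist and a host blocklist. The allowed schemes and blocked hosts are a constructed example policy.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed example policy: schemes we accept, hosts we never fetch from.
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTS = {"localhost", "127.0.0.1", "169.254.169.254"}


def safe_normpath(path: str) -> str:
    """Normalize a path only after rejecting embedded NUL characters.

    Affected Python builds truncate the path at the first NUL inside
    normpath, so validating the normalized result would check a different
    path than the one later handed to the operating system.
    """
    if "\0" in path:
        raise ValueError("path contains a NUL character")
    return posixpath.normpath(path)


def is_url_allowed(url: str) -> bool:
    """Layered URL filter: syntax check, scheme allowlist, host blocklist."""
    # Layer 1: refuse leading/trailing blanks and any control character.
    # Affected urllib.parse versions parse " http://host" with an empty
    # scheme, so a scheme-based blocklist on its own can be bypassed.
    if url != url.strip() or any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    parts = urlsplit(url)
    # Layer 2: allowlist the scheme rather than blocklisting bad ones.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Layer 3: require a host and reject blocklisted ones.
    host = (parts.hostname or "").lower()
    if not host or host in BLOCKED_HOSTS:
        return False
    return True
```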

Vulnerability CVE-2023-31484

Description

A vulnerability was found in Perl, which is included in the UFT Developer Docker images.

CPAN, Perl's package manager, does not verify TLS certificates when downloading distributions over HTTPS.

Although CPAN ships with the Perl package, it is not set up or initialized in the UFT Developer Docker image.

Recommendation

Avoid using CPAN in this version.

Vulnerability CVE-2023-38039

Description

A vulnerability was found in Curl, which is included in the UFT Developer Docker images.

Curl is a widely used library for handling network requests. The included version does not limit the number or size of incoming HTTP headers, so a malicious server could exhaust the container's memory and cause a denial of service.

Recommendations

  • Avoid accessing untrusted websites and network resources.

  • Set memory limits on your docker containers to avoid affecting the entire host on which the containers run. For details, see the Docker documentation.

Vulnerability CVE-2023-25193

Description

A vulnerability was found in Harfbuzz, which is included in the UFT Developer Docker images.

Harfbuzz is a library involved in the process of rendering text and is widely used by applications and GUI toolkits, including web browsers like Chrome, Edge and Firefox. Under some conditions, the memory usage could grow abnormally high, resulting in a potential denial-of-service.

Recommendation

Set memory limits on your Docker containers to avoid affecting the entire host on which the containers run. For details, see the Docker documentation.

Vulnerability CVE-2023-43115

Description

A vulnerability was found in Ghostscript, which is included in the UFT Developer Docker images.

This vulnerability can potentially enable remote code execution:

  • Ghostscript is a PDF parsing and rendering library, used in various PDF viewer utilities in Linux distributions. The vulnerability could potentially be abused when you open a specially crafted PDF or PostScript document in one of these utilities.

    However, by default, browsers include their own PDF rendering engines, typically implemented in JavaScript. Therefore, this vulnerability can have an effect only if an external viewer is used to open a PDF file.

  • CUPS (the printing server) also depends on Ghostscript, therefore, attempting to print PDF documents could also be problematic.

Recommendations

  • Set resource limits (CPU and memory) for Docker containers, to reduce the risk of a denial-of-service.

  • Avoid printing PDF files and other PostScript documents from untrusted sources, or opening them using external viewers.

Video and imagery issues

This section describes potential security issues that you can avoid by making sure you do not open or play pictures or videos from untrusted sources.

Vulnerability CVE-2023-27103

Description

A vulnerability was reported in the libde265-0 library, which is included in the UFT Developer Docker images.

libde265-0 is a codec library for the popular HEVC/H.265 video format. Under some conditions, a heap buffer overflow can occur, with consequences ranging from data corruption and crashes to potential code execution.

Recommendations

  • Avoid playing HEVC-encoded videos from untrusted sources.

  • Set resource constraints in your containers to limit the affected scope. For details, see the Docker documentation.

Vulnerability CVE-2023-39616

Description

A vulnerability was reported in the libaom library, which is included in the UFT Developer Docker images.

libaom is a codec library for the AV1 video format and is used in browsers. Under some conditions, an out-of-bounds read can occur, which could expose sensitive information or cause a denial of service through a crash.

Recommendation

Avoid playing AV1 videos from unknown sources.

Vulnerabilities in libjxl: CVE-2023-35790, CVE-2023-0645

Description

Vulnerabilities were reported in the libjxl library, which is included in the UFT Developer Docker images.

This library is used to parse JPEG XL images in browsers, and a maliciously crafted image on a web page could potentially be used to exploit it.

Potential impacts:

  • A denial of service, such as an infinite loop.

  • An out-of-bounds read while parsing the EXIF headers of the image file. This could allow an attacker to read sensitive data or cause a denial of service by triggering a crash.

However, Chrome and Edge do not support this type of image, and in Firefox, this support is deactivated by default.

Recommendations

  • Avoid enabling JPEG-XL support even in browsers that support it.

  • If JPEG-XL is required for testing, avoid loading websites that could contain JPEG-XL images from untrusted sources.

  • Set CPU usage limits on your containers. For details, see the Docker documentation.

Vulnerability CVE-2021-3575

Description

A vulnerability was reported in the libopenjp2-7 library, which is included in the UFT Developer Docker images.

This library is used to parse JPEG 2000 images. A maliciously crafted image could cause an out-of-bounds write, which could result in data corruption, crashes, or remote code execution.

Chrome, Edge, and Firefox do not support JPEG 2000 images.

Recommendation

Avoid downloading or loading JPEG 2000 images from unknown sources.

Update the Docker image

When updated packages that address these vulnerabilities become available in Debian Bookworm, you can create updated images based on the official UFT Developer Docker images.

To create an updated image based on an official UFT Developer Docker image:

  1. Create an empty folder.

  2. Inside the folder, create a file named Dockerfile (with no extension).

  3. Put the following contents in the Dockerfile (in the FROM statement, you can use any of the available uftdeveloper images):

    # Base image: any of the available functionaltesting/uftdeveloper tags can be used here
    FROM functionaltesting/uftdeveloper
    # Switch to root so that apt can install the updated Debian packages
    USER root
    # Refresh the package index, upgrade every installed package, then drop
    # the downloaded index files so they do not bloat the image layer
    RUN apt-get update -qqy \
    && apt-get -qqy upgrade \
    && rm -rf /var/lib/apt/lists/*
    # Switch back to the non-root user defined by the base image
    USER $user
  4. Run the following command:

    docker build <path to the folder containing Dockerfile> -t local-uftdeveloper
  5. After the build completes, use the locally created image. For example: 

    docker run <args> local-uftdeveloper