Upgrade docker base image for RIVA

We are using the RIVA 2.14.0 Docker image (nvcr.io/nvidia/riva/riva-speech:2.14.0) in our current testing.

Our devops team has found the following critical vulnerabilities in the container:

nvcr.io/nvidia/riva/riva-speech:2.14.0 os-pkgs ubuntu CVE-2022-23521 git 1:2.25.1-1ubuntu3.5 1:2.25.1-1ubuntu3.8 git: gitattributes parsing integer overflow CRITICAL

nvcr.io/nvidia/riva/riva-speech:2.14.0 os-pkgs ubuntu CVE-2022-41903 git 1:2.25.1-1ubuntu3.5 1:2.25.1-1ubuntu3.8 git: Heap overflow in git archive, git log --format leading to RCE CRITICAL

nvcr.io/nvidia/riva/riva-speech:2.14.0 os-pkgs ubuntu CVE-2022-23521 git-man 1:2.25.1-1ubuntu3.5 1:2.25.1-1ubuntu3.8 git: gitattributes parsing integer overflow CRITICAL

nvcr.io/nvidia/riva/riva-speech:2.14.0 os-pkgs ubuntu CVE-2022-41903 git-man 1:2.25.1-1ubuntu3.5 1:2.25.1-1ubuntu3.8 git: Heap overflow in git archive, git log --format leading to RCE CRITICAL

We need to upgrade the Ubuntu base image to fix the vulnerabilities.

The NVIDIA NGC has no other fixes for 2.14.0.

Please suggest how we can fix this.

Hardware - GPU (A100/A30/T4/V100) – A100
Hardware - CPU – AMD EPYC 16 Core
Operating System – RHEL 8.8
Riva Version 2.14.0
TLT Version (if relevant) NA

Hi @vikesh.raj,
May I know which security scanning tool you are using?
Thanks

Sorry for the late reply.

We are using Trivy Scanner for scanning the Docker images.

Can you let us know how to build the base images with updated software versions or publish a new image based on 2.14.0?