
CVE November 2024 #4933

Draft, wants to merge 5 commits into base: master

Conversation

jaredb96, Contributor

No description provided.

case cmd@Cmd("FROM",_) => List(cmd, Cmd("RUN", "apk update"),
case cmd@Cmd("FROM",_) => List(cmd, Cmd("RUN", "apk add --no-cache openssl"),
Cmd("RUN", "apk update"),
Cmd("RUN", "apk upgrade"),
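Review bot: in this hunk `apk add --no-cache openssl` runs before `apk update`, so it installs whatever openssl version the index baked into the base image lists, and the `apk upgrade` that follows then raises it anyway; the first RUN is therefore redundant, and the resulting libssl3/libcrypto3 versions depend on the state of the Alpine repositories on the day the image is built rather than on anything pinned in the build file. Consider collapsing the three commands into one `RUN apk update && apk upgrade --no-cache` so that a single layer is produced and the downloaded index is not left in the image, and record the libssl3/libcrypto3 versions the build ends up with so the CVE-2024-5535 fix can be confirmed by rescanning.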
Contributor Author

Resolves CVE-2024-5535, CVE-2024-45492, and CVE-2024-45491 - all critical CVEs

Contributor Author

This actually resolves the majority of the critical / high CVEs:

CVE-2024-5535 (libcrypto3, libssl3)
CVE-2024-45492, CVE-2024-45491 (libexpat)
CVE-2024-6119 (libcrypto3, libssl3)
CVE-2024-4603 (libcrypto3, libssl3)
CVE-2024-4741, CVE-2024-2511 (libcrypto3, libssl3)

Current CVEs:

NAME                INSTALLED       FIXED-IN                                              TYPE          VULNERABILITY        SEVERITY 
apache-mime4j-core  0.8.9           0.8.10                                                java-archive  GHSA-jw7r-rxff-gv24  Medium    
guava               31.0.1-android  32.0.0-android                                        java-archive  GHSA-7g45-4rm6-3mm3  Medium    
guava               31.0.1-android  32.0.0-android                                        java-archive  GHSA-5mg8-w23w-74h3  Low       
keycloak-core       25.0.3          25.0.4                                                java-archive  GHSA-xmmm-jw76-q7vg  Medium    
netty-common        4.1.94.Final    4.1.115                                               java-archive  GHSA-xq3w-v528-46rv  High      
openjdk             21.0.2+13-LTS   1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422  binary        CVE-2024-21147       High      
openjdk             21.0.2+13-LTS   1.8.0_432, 11.0.25, 17.0.13, 21.0.5, 23.0.1, 8.0.432  binary        CVE-2024-21235       Medium    
openjdk             21.0.2+13-LTS   1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422  binary        CVE-2024-21145       Medium    
openjdk             21.0.2+13-LTS   1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422  binary        CVE-2024-21140       Medium    
openjdk             21.0.2+13-LTS   1.8.0_432, 11.0.25, 17.0.13, 21.0.5, 23.0.1, 8.0.432  binary        CVE-2024-21217       Low       
openjdk             21.0.2+13-LTS   1.8.0_432, 11.0.25, 17.0.13, 21.0.5, 23.0.1, 8.0.432  binary        CVE-2024-21210       Low       
openjdk             21.0.2+13-LTS   1.8.0_432, 11.0.25, 17.0.13, 21.0.5, 23.0.1, 8.0.432  binary        CVE-2024-21208       Low       
openjdk             21.0.2+13-LTS   1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422  binary        CVE-2024-21138       Low       
openjdk             21.0.2+13-LTS   1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422  binary        CVE-2024-21131       Low       
openjdk             21.0.2+13-LTS   1.8.0_412, 11.0.23, 17.0.11, 21.0.3, 22.0.1, 8.0.412  binary        CVE-2024-21094       Low       
openjdk             21.0.2+13-LTS   1.8.0_412, 11.0.23, 17.0.11, 21.0.3, 22.0.1, 8.0.412  binary        CVE-2024-21068       Low       
openjdk             21.0.2+13-LTS   11.0.23, 17.0.11, 21.0.3, 22.0.1                      binary        CVE-2024-21012       Low       
openjdk             21.0.2+13-LTS   1.8.0_412, 11.0.23, 17.0.11, 21.0.3, 22.0.1, 8.0.412  binary        CVE-2024-21011       Low       
zookeeper           3.8.3           3.8.4                                                 java-archive  GHSA-r978-9m6m-6gm6  Medium

@@ -67,7 +67,7 @@ lazy val dockerSettings = Seq(
dockerBaseImage := "eclipse-temurin:21.0.2_13-jdk-alpine",
dockerRepository := Some("hmda"),
dockerCommands := dockerCommands.value.flatMap {
case cmd@Cmd("FROM",_) => List(cmd, Cmd("RUN", "apk add --no-cache openssl"),
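Review bot: the `dockerBaseImage` line at the top of this hunk is unchanged (`eclipse-temurin:21.0.2_13-jdk-alpine`), while the scan output above still lists openjdk 21.0.2+13-LTS against thirteen CVEs fixed in 21.0.3 to 21.0.5; the added `apk` commands cannot reach those because the scanner reports openjdk as type `binary`, not as an apk package. Suggest bumping the tag in this same PR, as the comment below proposes with `eclipse-temurin:21.0.5_11-jdk-alpine`, so the base-image and package upgrades land together. The hunk context also ends at the first element of the `List(...)`, so the remaining RUN commands and the non-FROM fallthrough case are not visible here; worth confirming that branch still passes every other command through unchanged.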
Contributor Author

Remove here since it isn't necessary: the upgrade resolves this CVE, although we could use this base image as well: eclipse-temurin:21.0.5_11-jdk-alpine
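As an added example, not code from the hmda project's build file, the same sbt-native-packager `dockerCommands` rewrite with the Alpine package upgrade collapsed into a single RUN layer and the base image bumped to the tag named in the comment above. `Cmd`, `dockerBaseImage`, `dockerRepository` and `dockerCommands` are sbt-native-packager's DockerPlugin API; the `case other` pass-through is assumed, since the PR context does not show how the project handles non-FROM commands.

```scala
// Added example (not the project's build.sbt): DockerPlugin settings that apply
// the Alpine package upgrade in one RUN right after each FROM line.
import com.typesafe.sbt.packager.docker.Cmd

lazy val dockerSettings = Seq(
  // Pin the base image. Bumping this tag is what removes the openjdk findings:
  // the JDK in eclipse-temurin is not an apk package, so `apk upgrade` never touches it.
  dockerBaseImage := "eclipse-temurin:21.0.5_11-jdk-alpine", // tag named in the PR comment
  dockerRepository := Some("hmda"),
  dockerCommands := dockerCommands.value.flatMap {
    // A single RUN keeps index refresh and upgrade in one layer; --no-cache fetches
    // the index without leaving it under /var/cache/apk in the final image.
    case cmd @ Cmd("FROM", _) =>
      List(cmd, Cmd("RUN", "apk upgrade --no-cache"))
    // Assumed pass-through for every other generated Dockerfile command.
    case other => List(other)
  }
)
```

With multi-stage builds sbt-native-packager emits two FROM lines, so the upgrade runs in both the build stage and the final stage; rescanning the resulting image is still the only way to confirm which libssl3/libcrypto3 versions the build actually picked up.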
