Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

openjdk:8u212-jdk-alpine3.9 Docker image has high security vulnerability #321

Closed
sumankumarz opened this issue May 21, 2019 · 3 comments
Closed

openjdk:8u212-jdk-alpine3.9 Docker image has high security vulnerability #321

sumankumarz opened this issue May 21, 2019 · 3 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@sumankumarz
Copy link

Hi,

I have scanned openjdk:8u212-jdk-alpine3.9 docker image and found 1 High and 2 Medium security vulnerabilities. We are using Twistlock to scan the Docker images.

RUN set -x && apk add --no-cache openjdk8="$JAVA_ALPINE_VERSION" && [ "$JAVA_HOME" = "$(docker-java-home)" ]May 11, 2019 3:32:17 AM 99.3 MB 21
ComponentVersionVulnerabilitySeveritysqlite (used in sqlite-libs)3.26.0-r3CVE-2019-5018 highlibjpeg-turbo1.5.3-r4CVE-2018-14498 mediumlibtasn14.13-r0CVE-2018-1000654 medium sqlite (used in sqlite-libs) 3.26.0-r3
-- -- --
sqlite (used in sqlite-libs) 3.26.0-r3 CVE-2019-5018
libjpeg-turbo 1.5.3-r4 CVE-2018-14498
libtasn1 4.13-r0 CVE-2018-1000654

How can I fix this?
@sumankumarz
Copy link
Author

It seems "CVE-2019-5018" is fixed in sqllite version 3.28. Refer this - https://meterpreter.org/cve-2019-5018-sqlite-remote-code-execution-vulnerability/

@wglambert wglambert added the question Usability question, not directly related to an error with the image label May 21, 2019
@wglambert
Copy link

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves
And docker-library/postgres#286 (comment) #161, #112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, #185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

With Debian we refer to their CVE tracker:
https://security-tracker.debian.org/tracker/CVE-2018-1000654 Which notes that the issue has "No security impact" and is unfixed.
https://security-tracker.debian.org/tracker/CVE-2018-14498 Unfixed in Stretch
https://security-tracker.debian.org/tracker/CVE-2019-5018 Stretch/Jessie are unaffected

@yosifkit
Copy link
Member

How can I fix this?

Help Alpine to produce updated packages or maybe file bugs, since only one has a bug filed.

https://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2019-5018
https://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2018-14498
https://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2018-1000654

Since there is nothing we can do in the image, I'll close.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Usability question, not directly related to an error with the image
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@yosifkit @sumankumarz @wglambert