
Security vulnerabilities with version 8-jre-slim #349

Closed
Prabhaker24 opened this issue Aug 23, 2019 · 5 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@Prabhaker24

I work for a product that uses the Apache ZooKeeper images located on Docker Hub (https://hub.docker.com/_/zookeeper). We are currently using image version 3.5.4-beta and are looking to upgrade the image to address security vulnerabilities. The latest available version of the image, 3.5.5, appears to have several critical and high severity vulnerabilities as well, as per this report (https://hub.docker.com/_/zookeeper/scans/library/zookeeper/3.5.5). We had raised an issue regarding that and the ZooKeeper community came back and said that 9 out of 10 vulnerable components come from the openjdk:8-jre-slim base image:
https://hub.docker.com/_/openjdk/scans/library/openjdk/8-jre-slim

You can look into the scan report (https://hub.docker.com/_/zookeeper/scans/library/zookeeper/3.5.5) available on Docker Hub for the image; it also shows several critical/high severity vulnerabilities. (Note: the user must be logged in to Docker Hub to be able to see the report.)

I was curious to know whether you will be addressing this in the future.

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Aug 23, 2019
@wglambert

See docker-library/postgres#286 (comment) #161, #112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, #185.
And https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).


https://security-tracker.debian.org/tracker/CVE-2017-14061 - fixed
https://security-tracker.debian.org/tracker/CVE-2017-14062 - fixed

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9893

berkeleydb 5.3.28+dfsg1-0.5 docker-library/python#413 (comment)

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3151

  • NOT-FOR-US: Historic Ubuntu init script issue

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20796

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9192

  • the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050

  • NOT-FOR-US: Conceptual weakness in PGP keyserver design

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2524 - fixed

@tianon
Member

tianon commented Aug 23, 2019

Indeed, the only package in the current openjdk:8-jre-slim image that has an update available at all is tzdata:

$ docker pull openjdk:8-jre-slim
8-jre-slim: Pulling from library/openjdk
Digest: sha256:8489e5a8e8a144ae7c41cbc2b95de8a7618cc31c7ae3ecb9db8d4b667ee84ff1
Status: Image is up to date for openjdk:8-jre-slim

$ docker run -it --rm openjdk:8-jre-slim bash -xc 'apt-get update -qq && apt-get dist-upgrade'
+ apt-get update -qq
+ apt-get dist-upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  lsb-base
Use 'apt autoremove' to remove it.
The following packages will be upgraded:
  tzdata
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 260 kB of archives.
After this operation, 1024 B of additional disk space will be used.
Do you want to continue? [Y/n] 

@Prabhaker24
Author

@wglambert thanks for the update

@Prabhaker24
Author

@tianon does this package have the updated version in which these issues are resolved?

@tianon
Member

tianon commented Aug 27, 2019

Yes, as displayed in my comment above, this image contains any updates it possibly can minus tzdata (which is not a security update, AFAIK, but will be picked up with our next Debian update).
