
Che server vulnerabilities #22062

Closed
martinelli-francesco opened this issue Mar 16, 2023 · 3 comments · Fixed by eclipse-che/che-server#472
Labels
area/che-server area/security kind/bug Outline of a bug - must adhere to the bug report template. new&noteworthy For new and/or noteworthy issues that deserve a blog post, new docs, or emphasis in release notes severity/P1 Has a major impact to usage or development of the system. sprint/current status/release-notes-review-needed Issues that needs to be reviewed by the doc team for the Release Notes wording
Comments

@martinelli-francesco

Describe the bug

Trivy's scan reports many vulnerabilities for the Che server (including critical and high vulnerabilities). Some of them are related to Postgresql which has been deprecated and is no longer used by Che. Some critical ones are related to com.h2database:h2 for which a new version is proposed in the report.

Repository: eclipse/che-server
Tag: 7.62.0
Critical: 7
High: 13

| vulnerabilityID | severity | resource | installedVersion | fixedVersion |
|---|---|---|---|---|
| CVE-2023-0767 | HIGH | nss | 3.79.0-10.el8_6 | 3.79.0-11.el8_7 |
| CVE-2023-0767 | HIGH | nss-softokn | 3.79.0-10.el8_6 | 3.79.0-11.el8_7 |
| CVE-2023-0767 | HIGH | nss-softokn-freebl | 3.79.0-10.el8_6 | 3.79.0-11.el8_7 |
| CVE-2023-0767 | HIGH | nss-sysinit | 3.79.0-10.el8_6 | 3.79.0-11.el8_7 |
| CVE-2023-0767 | HIGH | nss-util | 3.79.0-10.el8_6 | 3.79.0-11.el8_7 |
| CVE-2021-23463 | CRITICAL | com.h2database:h2 | 1.4.196 | 2.0.202 |
| CVE-2021-42392 | CRITICAL | com.h2database:h2 | 1.4.196 | 2.0.206 |
| CVE-2022-23221 | CRITICAL | com.h2database:h2 | 1.4.196 | 2.1.210 |
| GHSA-h376-j262-vhq6 | UNKNOWN | com.h2database:h2 | 1.4.196 | 2.0.206 |
| CVE-2023-24998 | HIGH | commons-fileupload:commons-fileupload | 1.4 | 1.5 |
| CVE-2023-24998 | HIGH | commons-fileupload:commons-fileupload | 1.4 | 1.5 |
| CVE-2019-0205 | HIGH | org.apache.thrift:libthrift | 0.12.0 | 0.13.0 |
| CVE-2019-0210 | HIGH | org.apache.thrift:libthrift | 0.12.0 | 0.13.0 |
| CVE-2020-13949 | HIGH | org.apache.thrift:libthrift | 0.12.0 | 0.14.0 |
| CVE-2022-42252 | HIGH | org.apache.tomcat:tomcat-coyote | 10.0.14 | 8.5.83, 9.0.68, 10.0.27, 10.1.1 |
| CVE-2022-21724 | CRITICAL | org.postgresql:postgresql | 42.2.24 | 42.2.25, 42.3.2 |
| CVE-2022-21724 | CRITICAL | org.postgresql:postgresql | 42.2.24 | 42.2.25, 42.3.2 |
| CVE-2022-26520 | CRITICAL | org.postgresql:postgresql | 42.2.24 | 42.3.3 |
| CVE-2022-26520 | CRITICAL | org.postgresql:postgresql | 42.2.24 | 42.3.3 |
| CVE-2022-31197 | HIGH | org.postgresql:postgresql | 42.2.24 | 42.2.26, 42.3.7, 42.4.1 |
| CVE-2022-31197 | HIGH | org.postgresql:postgresql | 42.2.24 | 42.2.26, 42.3.7, 42.4.1 |

Che version

7.61@latest

Steps to reproduce

```
trivy image quay.io/eclipse/che-server:7.62.0
```

Expected behavior

Remove Postgresql libs and fix at least the critical ones

Runtime

Kubernetes (vanilla)

Screenshots

No response

Installation method

chectl/latest

Environment

Linux

Eclipse Che Logs

No response

Additional context

No response
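As an added example (not code from this issue, nor from the Che project or Trivy), the following Python script shows how a reviewer can turn a Trivy report into an actionable list instead of reading the flat table above: it parses the JSON shape produced by `trivy image --format json`, collapses findings that Trivy reports twice because the same jar is bundled under several paths in the image (the duplicate commons-fileupload and postgresql rows above), counts the unique findings by severity, and derives a single upgrade target per package, treating `org.postgresql:postgresql` as a library to remove rather than upgrade, as the expected behaviour asks. The embedded report is constructed from rows of the table in this issue; the `Target` paths are placeholders, not real paths inside the che-server image.

```python
import json
import re
from collections import Counter

# Constructed sample in the shape of `trivy image --format json` output, filled
# with rows from the table in this issue. Target paths are placeholders; this is
# not real scanner output for quay.io/eclipse/che-server:7.62.0.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "placeholder-os-layer (rhel 8.6)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-0767", "PkgName": "nss", "InstalledVersion": "3.79.0-10.el8_6",
         "FixedVersion": "3.79.0-11.el8_7", "Severity": "HIGH"}]},
    {"Target": "placeholder/path-a/h2-1.4.196.jar", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-23463", "PkgName": "com.h2database:h2", "InstalledVersion": "1.4.196",
         "FixedVersion": "2.0.202", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2021-42392", "PkgName": "com.h2database:h2", "InstalledVersion": "1.4.196",
         "FixedVersion": "2.0.206", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2022-23221", "PkgName": "com.h2database:h2", "InstalledVersion": "1.4.196",
         "FixedVersion": "2.1.210", "Severity": "CRITICAL"}]},
    # The same jar under two paths: Trivy lists the CVE once per path, as the table above shows.
    {"Target": "placeholder/path-a/commons-fileupload-1.4.jar", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-24998", "PkgName": "commons-fileupload:commons-fileupload",
         "InstalledVersion": "1.4", "FixedVersion": "1.5", "Severity": "HIGH"}]},
    {"Target": "placeholder/path-b/commons-fileupload-1.4.jar", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-24998", "PkgName": "commons-fileupload:commons-fileupload",
         "InstalledVersion": "1.4", "FixedVersion": "1.5", "Severity": "HIGH"}]},
    {"Target": "placeholder/path-a/tomcat-coyote-10.0.14.jar", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2022-42252", "PkgName": "org.apache.tomcat:tomcat-coyote",
         "InstalledVersion": "10.0.14", "FixedVersion": "8.5.83, 9.0.68, 10.0.27, 10.1.1", "Severity": "HIGH"}]},
    {"Target": "placeholder/path-a/postgresql-42.2.24.jar", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2022-21724", "PkgName": "org.postgresql:postgresql", "InstalledVersion": "42.2.24",
         "FixedVersion": "42.2.25, 42.3.2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2022-26520", "PkgName": "org.postgresql:postgresql", "InstalledVersion": "42.2.24",
         "FixedVersion": "42.3.3", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2022-31197", "PkgName": "org.postgresql:postgresql", "InstalledVersion": "42.2.24",
         "FixedVersion": "42.2.26, 42.3.7, 42.4.1", "Severity": "HIGH"}]},
]})


def load_findings(report_json):
    """Flatten a Trivy JSON report into one dict per (target, vulnerability) row."""
    rows = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            rows.append({"id": v["VulnerabilityID"], "severity": v["Severity"], "pkg": v["PkgName"],
                         "installed": v["InstalledVersion"], "fixed": v.get("FixedVersion", ""),
                         "target": result.get("Target", "")})
    return rows


def dedupe(findings):
    """Count a CVE on a given package version once, however many paths bundle that jar."""
    seen, unique = set(), []
    for f in findings:
        key = (f["id"], f["pkg"], f["installed"])
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def severity_counts(findings):
    return Counter(f["severity"] for f in findings)


def version_key(v):
    """Numeric components of a version string; enough to order release and
    RPM-style versions such as '3.79.0-11.el8_7'."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def fix_in_branch(installed, fixed_list):
    """Prefer the fixed version on the installed major.minor branch when Trivy lists
    several (10.0.27 for installed 10.0.14), otherwise the lowest fixed version."""
    candidates = [c.strip() for c in fixed_list.split(",") if c.strip()]
    if not candidates:
        return None
    branch = version_key(installed)[:2]
    same_branch = [c for c in candidates if version_key(c)[:2] == branch]
    return min(same_branch or candidates, key=version_key)


def remediation_plan(findings, removable=()):
    """Per package: 'remove' for libraries no longer needed, otherwise the one
    upgrade target that is at or above the fix for every CVE on that package."""
    plan = {}
    for f in dedupe(findings):
        pkg = f["pkg"]
        if pkg in removable:
            plan[pkg] = {"action": "remove", "to": None}
            continue
        target = fix_in_branch(f["installed"], f["fixed"])
        step = plan.get(pkg, {"action": "upgrade", "to": None})
        if target and (step["to"] is None or version_key(target) > version_key(step["to"])):
            step["to"] = target
        plan[pkg] = step
    return plan


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    unique = dedupe(findings)
    print(f"rows: {len(findings)}, unique findings: {len(unique)}, by severity: {dict(severity_counts(unique))}")
    for pkg, step in sorted(remediation_plan(findings, removable=("org.postgresql:postgresql",)).items()):
        print(f"{pkg}: {step['action']}" + (f" -> {step['to']}" if step["to"] else ""))
```

On a real scan, feed it `trivy image --format json quay.io/eclipse/che-server:7.62.0` output instead of `SAMPLE_REPORT`. The branch-aware choice matters for entries like tomcat-coyote, where Trivy lists fixes for four release lines and only one of them (10.0.27) is a drop-in for the installed 10.0.14; for h2, no fix exists on the 1.4 line, so the plan correctly lands on 2.1.210, the version that closes all three critical CVEs.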

@martinelli-francesco martinelli-francesco added the kind/bug Outline of a bug - must adhere to the bug report template. label Mar 16, 2023
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Mar 16, 2023
@nickboldt nickboldt added severity/P1 Has a major impact to usage or development of the system. area/security area/che-server sprint/next and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Mar 16, 2023
@nickboldt nickboldt modified the milestones: 7.63, 7.64 Mar 16, 2023
@nickboldt
Contributor

Tentatively setting milestone 7.64; if we can bang this out next week for 7.63, so much the better.

@ibuziuk
Member

ibuziuk commented Mar 22, 2023

@vinokurig thanks for looking into this, would it be possible to also merge the pending dependency update PRs - https://github.com/eclipse-che/che-server/pulls ?

@l0rd l0rd added new&noteworthy For new and/or noteworthy issues that deserve a blog post, new docs, or emphasis in release notes status/release-notes-review-needed Issues that needs to be reviewed by the doc team for the Release Notes wording labels Mar 30, 2023
@devstudio-release


9 participants