31z4 / zookeeper-docker

Docker image packaging for Apache Zookeeper
MIT License

Critical Security Vulnerabilities in Apache Zookeeper image - version 3.7.0 #129

Closed Debanjan05 closed 1 year ago

Debanjan05 commented 2 years ago

We have found the below list of CRITICAL Security vulnerabilities present in the official Zookeeper image:

| Vulnerability ID | Component | Infected versions | Fixed versions |
| --- | --- | --- | --- |
| CVE-2021-33574 | debian:bullseye:libc6:2.31-13+deb11u2 | N/A | N/A |
| XRAY-179837 | io.netty:netty-codec:4.1.59.Final | < 4.1.66.Final | 4.1.66.Final |
| CVE-2022-23307 | log4j:log4j:1.2.17 | All Versions | N/A |
| CVE-2019-17571 | log4j:log4j:1.2.17 | ≤ 1.2.17 | N/A |
| CVE-2022-23305 | log4j:log4j:1.2.17 | 1.1.0 ≤ Version ≤ 1.2.17 | N/A |
| CVE-2022-23219 | debian:bullseye:libc6:2.31-13+deb11u2 | N/A | N/A |
| CVE-2022-23218 | debian:bullseye:libc6:2.31-13+deb11u2 | N/A | N/A |

Can you please help us with the fix or update us on the release of security patches and also their respective timelines?

31z4 commented 1 year ago

Closing this because most of the issues should be fixed in the newest 3.7.1-temurin tag. Specifically: