SeleniumHQ / docker-selenium

Provides a simple way to run Selenium Grid with Chrome, Firefox, and Edge using Docker, making it easier to perform browser automation
http://www.selenium.dev/docker-selenium/

[Security] Docker image uses a Jetty version vulnerable to CVE-2017-7658 #843

Closed Yivan closed 5 years ago

Yivan commented 5 years ago

Hello,

The Docker image uses a Jetty version vulnerable to CVE-2017-7658. Tested on: selenium/standalone-chrome-debug:3.14.0-helium

This is classified as critical, as it can lead to system penetration by using this vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2017-7658

I think the image should be updated to have a more recent version of Jetty which incorporates the fix.

Please find here a report by OpenVAS (Greenbone):

selenium-cve

Thanks!

barancev commented 5 years ago

3.14.0 is not the latest version of the image; more recent ones should contain Jetty 9.4.12.

Yivan commented 5 years ago

Thanks @barancev for your fast answer! The Helium version is from just one month ago and the CVE is from June 2018, so I was thinking the last one was maybe always impacted. I will try 3.141.59-antimony and report the result here.

Yivan commented 5 years ago

@barancev Just verified; I can confirm that 3.141.59-antimony is patched and now has Jetty 9.4.12: https://github.com/SeleniumHQ/selenium/commit/a0a7d82db3367a7a4b2e24654e26c7b1f2dbd433

By the way, the header no longer sends the exact version; it sends "Jetty 9.4.z-SNAPSHOT", which is better from a security perspective (but best would be no header at all).

So all is OK, I am closing the issue.
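The banner check discussed in this thread, as an added example that is not part of the original issue or the project's code: it classifies a `Server` header value against Jetty 9.4.12, the version the thread reports in the patched image, and treats a masked banner such as `9.4.z-SNAPSHOT` as undecidable from the header alone. The function names, the result labels and the sample header values are constructed for illustration, and 9.4.12 is used as a minimum taken from the thread, not as the CVE's authoritative affected range.

```python
import re

# Minimum version taken from the thread (assumption: "9.4.12 or newer is fine").
PATCHED_MIN = (9, 4, 12)

# Accepts "Jetty(9.4.11.v20180605)" as well as "Jetty 9.4.z-SNAPSHOT".
_BANNER = re.compile(r"jetty[\s(/]*(\d+)\.(\d+)\.([0-9a-z]+)", re.IGNORECASE)


def classify_server_header(value):
    """Classify one Server header value.

    Returns 'no-banner', 'not-jetty', 'outdated', 'ok' or 'masked'.
    'masked' means the banner hides the patch level, so the Jetty jar
    inside the image has to be inspected instead.
    """
    if not value:
        return "no-banner"
    match = _BANNER.search(value)
    if match is None:
        return "not-jetty"
    major, minor, patch = int(match.group(1)), int(match.group(2)), match.group(3)
    # The release line alone can already settle the question.
    if (major, minor) < PATCHED_MIN[:2]:
        return "outdated"
    if (major, minor) > PATCHED_MIN[:2]:
        return "ok"
    if not patch.isdigit():
        return "masked"
    return "ok" if int(patch) >= PATCHED_MIN[2] else "outdated"


def audit(headers_by_image):
    """Map each image name to the classification of its Server header."""
    return {image: classify_server_header(h) for image, h in headers_by_image.items()}


# Constructed sample data: image tags from the thread, header values invented.
SAMPLE = {
    "standalone-chrome-debug:3.14.0-helium": "Jetty(9.4.11.v20180605)",
    "standalone-chrome-debug:3.141.59-antimony": "Jetty(9.4.z-SNAPSHOT)",
}

if __name__ == "__main__":
    for image, verdict in audit(SAMPLE).items():
        print(f"{image}: {verdict}")
```

A `masked` or `no-banner` result says nothing about the patch level, so a scanner that relies on the banner cannot confirm the fix for such images.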