WASdev / ci.docker.websphere-traditional

Dockerfiles for WebSphere Application Server traditional
Apache License 2.0

High severity Xray vulnerabilities in websphere-traditional:9.0.5.1-ubi #190

Open aadfaught opened 4 years ago

aadfaught commented 4 years ago

My team has been directed to fix all High severity security issues from a JFrog Xray scan before we deploy to our production Kubernetes clusters. We did a scan of the WebSphere image (ibmcom/websphere-traditional:9.0.5.1-ubi) we’re using, without any of our additions, and Xray found 10 high severity issues. Can we get assistance with resolving these?

We can provide additional information from the scan if you don’t have access to Xray.

Details on all the issues found (including the high priority issues) are attached.

Docker_websphere-ibmcom-websphere-traditional-9.0.5.1-ubi_Security_Export.xlsx

jgarcows commented 4 years ago

Some of these issues look to be addressed in 9.0.5.2 (targeted availability 4Q2019). In particular, any issues dealing with Apache Commons Collection library and Apache Commons Beanutils. Here are the relevant security bulletins:

https://www.ibm.com/support/pages/node/1107105
https://www.ibm.com/support/pages/node/1115085

jgarcows commented 4 years ago

The 9.0.5.2 image is now available, please rerun your scan and report back what issues remain.

jwalcorn commented 4 years ago

FYI, we just opened #218 on JFrog Xray scan issues on 9.0.5.3 (we didn't know about this issue at the time).