WASdev / ci.docker

Build scripts for Docker images (Dockerfiles) and Docker related utilities for WebSphere Liberty.
Apache License 2.0

Need to address CWE-79 in the latest docker image #354

Open juliankamil opened 4 years ago

juliankamil commented 4 years ago

The latest official Docker image with the tag 20.0.0.8-full-java8-ibmjava ships with a version of IBM Java SDK with JAX-RS API implementation that is reported by HCL AppScan as affected by vulnerabilities in CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

The scan indicates a number of calls to the method javax.servlet.jsp.JspWriter.print(String):void in defaultHtmlEntry_jsp which is reported as vulnerable to a Cross-Site Scripting exploit as described in CWE-79.

Is there a plan to update the official images to ship with a remediated version of IBM JDK and address this issue? Thanks.
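The finding above is a classic CWE-79 sink: data that reached a JSP is written to the response with `JspWriter.print` without HTML output encoding. The example below is added here for illustration and is not code from the ci.docker project, the Liberty image, or IBM's JDK; it shows the flagged pattern next to the remediated one using a small hand-written encoder, and returns plain Strings (instead of calling `out.print`) so it compiles without the servlet API. `HtmlOutputEncoding`, `renderUnsafe`, `renderSafe` and the sample input are all assumed names and constructed values.

```java
// Added example (not from the ci.docker project): HTML output encoding, the
// standard remediation for a CWE-79 finding on JspWriter.print(String).
// In a real JSP the encoded string would be passed to out.print(...);
// here the markup is returned as a String so the class compiles stand-alone.
public class HtmlOutputEncoding {

    /** Encode the characters HTML treats specially so untrusted data renders as text. */
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '/':  sb.append("&#47;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The pattern a scanner flags: request data concatenated straight into markup. */
    public static String renderUnsafe(String userName) {
        return "<p>Welcome, " + userName + "</p>";
    }

    /** Remediated pattern: the same markup, but the untrusted value is encoded first. */
    public static String renderSafe(String userName) {
        return "<p>Welcome, " + encodeForHtml(userName) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup characters (not a real request).
        String sample = "<b>Alice</b> & \"Bob\"";
        System.out.println(renderUnsafe(sample)); // markup passes through unchanged
        System.out.println(renderSafe(sample));   // markup is rendered as literal text
    }
}
```

In a JSP the same effect is obtained with JSTL's `<c:out value="${param.name}"/>`, which escapes XML/HTML special characters by default; a static scanner stops reporting the sink once every value written to the page passes through such an encoder. Note that the encoding must match the output context: the table above is for HTML body content, not for JavaScript strings, URLs or attribute values without quotes.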

arthurdm commented 3 years ago

hey @juliankamil - sorry for the delay.

With every release we pick up the latest available IBM JDK versions. Have you tried the 20.0.0.9 WL image?

arthurdm commented 3 years ago

@juliankamil - which CVEs from this CWE were you particularly interested in? That will help us track down the fixes.

juliankamil commented 3 years ago

> hey @juliankamil - sorry for the delay.
>
> With every release we pick up the latest available IBM JDK versions. Have you tried the 20.0.0.9 WL image?

No worries, thanks @arthurdm...

We haven't, but will try 20.0.0.9 to see if that remediates the issues and will let you know the results.

> @juliankamil - which CVEs from this CWE were you particularly interested in? That will help us track down the fixes.

On this, I will check with the development team and get back to you. Generally speaking though, we are not calling the method reported as vulnerable directly; we are only using the Java SDK with the library that happens to be using the method. So we'll need to do some tracking down to see which CVEs are applicable in this case.

Neelavathi-k commented 3 years ago

Hi @juliankamil

Actually I am facing the same above-mentioned issue (javax.servlet.jsp.JspWriter.print(String):void) in Spring MVC. Will you please help me with that? We are not using Docker; we are using Spring MVC.

Thanks in Advance 😃