corretto / corretto-docker

Dockerfiles for Amazon Corretto Official images.
https://hub.docker.com/_/amazoncorretto
MIT No Attribution

A potential security issue with jetty-io #109

Closed afreeland closed 2 years ago

afreeland commented 2 years ago

I am working with amazoncorretto:18-al2-jdk currently but was seeing the same issue on amazoncorretto:latest, which I believe is Amazon Corretto 8. When running a security scan, I'm seeing a high vulnerability on jetty-io:

[screenshot of the security scan result]

It looks like all images are using 9.4.44:

jar | org.eclipse.jetty_jetty-io |   | /jetty-io-9.4.44.v20210927.jar | 9.4.44 | 22

which falls under CVE-2022-2048 if it's below version 9.4.47.

Honestly, I'm not familiar with jetty-io and not sure of the best way to update the version... but I also wanted to bring attention to it and see if it was worth addressing in the base images, since it seems like it has been around for a while. It's not a newly discovered security vulnerability, so I wasn't sure where exactly to put this.

Also, if there is an easy way to update this, would appreciate any pointers ;)

lutkerd commented 2 years ago

Thanks for bringing this up. The AmazonCorretto images do not contain jetty-io; version 9.0.3 is available from the AL2 yum repos, but it is not installed. If you are on 9.4.44 you are likely installing it from another source, and I recommend you determine how it is getting installed and update it there.
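One way to act on that advice, as an added example that is not code from the corretto-docker project or from either commenter: given a filesystem root (for instance a container's rootfs unpacked from `docker export`), the script below lists every jetty-io jar found under it and flags those below 9.4.47, the fix version named in the issue, so the finding can be traced to whichever layer actually installed the jar rather than attributed to the base image. The root directory, the sample layout and the jar filenames used in testing are constructed; the version parsing assumes the `jetty-io-<version>.v<date>.jar` naming seen in the scan row above.

```shell
#!/bin/sh
# Added example (not part of corretto-docker): locate jetty-io jars under a
# filesystem root and report which are below the CVE-2022-2048 fix version.
# Usage: sh check_jetty_io.sh /path/to/exported/rootfs

FIXED_VERSION="9.4.47"   # fix version cited in the issue report

# jar_version PATH -> prints the numeric version from a jetty-io jar filename,
# e.g. jetty-io-9.4.44.v20210927.jar -> 9.4.44; returns 1 if it cannot be parsed.
jar_version() {
    n=$(basename "$1" .jar)   # jetty-io-9.4.44.v20210927
    n=${n#jetty-io-}          # 9.4.44.v20210927
    n=${n%%.v*}               # 9.4.44 (the .vYYYYMMDD suffix is optional)
    case "$n" in *[!0-9.]*|'') return 1 ;; esac
    printf '%s\n' "$n"
}

# version_lt A B -> exit 0 if dotted version A is strictly lower than B,
# comparing component by component so that 9.10.0 is not "lower" than 9.4.47.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; a=${a#*.}
        bi=${b%%.*}; b=${b#*.}
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# report_root DIR -> one line per jetty-io jar: STATUS PATH VERSION
report_root() {
    find "$1" -type f -name 'jetty-io-*.jar' | sort | while read -r jar; do
        v=$(jar_version "$jar") || { printf 'UNKNOWN %s\n' "$jar"; continue; }
        if version_lt "$v" "$FIXED_VERSION"; then
            printf 'VULNERABLE %s %s\n' "$jar" "$v"
        else
            printf 'OK %s %s\n' "$jar" "$v"
        fi
    done
}

# vulnerable_count DIR -> number of jetty-io jars below the fix version
vulnerable_count() {
    report_root "$1" | grep -c '^VULNERABLE ' || true
}

# Stand-alone use: print the report for the root given on the command line.
[ $# -eq 0 ] || report_root "$1"
```

Each VULNERABLE path points at a directory (here, wherever the application's own libs live) rather than at anything shipped in the Corretto image; `docker history` on the image then shows which build instruction added the layer containing that path, which is where the dependency should be bumped.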

afreeland commented 2 years ago

@lutkerd interesting, looks like you are spot on! I was building an image for Apache Kafka, and it looks like it leverages jetty on its side. Apologies for the false alarm, and I appreciate the fast response =)

In particular, I found it declared here: https://github.com/apache/kafka/blob/3.2/gradle/dependencies.gradle#L73