docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

Two vulnerabilities reported for OpenSSL with severity high (CVE-2021-3449 and CVE-2021-3450) in base image openjdk:8 #453

Closed 13632650927 closed 3 years ago

13632650927 commented 3 years ago

There are two vulnerabilities reported for OpenSSL with severity high. The vulnerability has been fixed with version 1.1.1k of OpenSSL, so the base image openjdk:8 could be upgraded.

yosifkit commented 3 years ago

The image already has the newest version of openssl available in Debian Buster and is the version that is not affected by either CVE.

$ docker pull openjdk:8
8: Pulling from library/openjdk
8bf9c589d5f9: Already exists
4c70e46d8b5f: Already exists
ea848ad42f0d: Already exists
48fe137f8d26: Already exists
c72106bf683d: Pull complete
2ad2590571cf: Pull complete
7d8c373bcdc8: Pull complete
Digest: sha256:5e0230d1dd6bcd153ad11bd323d2b5c6976c70b1f3c8f898e3674f480400f939
Status: Downloaded newer image for openjdk:8
docker.io/library/openjdk:8
$ docker run -it --rm openjdk:8 bash
root@037b64416483:/# dpkg -l | grep ssl
ii  libssl1.1:amd64            1.1.1d-0+deb10u6            amd64        Secure Sockets Layer toolkit - shared libraries
ii  libzstd1:amd64             1.3.8+dfsg-3+deb10u2        amd64        fast lossless compression algorithm
ii  openssl                    1.1.1d-0+deb10u6            amd64        Secure Sockets Layer toolkit - cryptographic utility

See also https://github.com/docker-library/faq/tree/0fd4aeb047fc37ed37bd9991cae479140450ae65#why-does-my-security-scanner-show-that-an-image-has-cves

wglambert commented 3 years ago

https://security-tracker.debian.org/tracker/CVE-2021-3449 and https://security-tracker.debian.org/tracker/CVE-2021-3450 are both fixed in Buster with OpenSSL 1.1.1d-0+deb10u6

Which is the version the image is currently at

$ docker run -it --rm openjdk:8 bash
Unable to find image 'openjdk:8' locally
8: Pulling from library/openjdk
8bf9c589d5f9: Pull complete 
4c70e46d8b5f: Pull complete 
ea848ad42f0d: Pull complete 
48fe137f8d26: Pull complete 
c72106bf683d: Pull complete 
2ad2590571cf: Pull complete 
7d8c373bcdc8: Pull complete 
Digest: sha256:5e0230d1dd6bcd153ad11bd323d2b5c6976c70b1f3c8f898e3674f480400f939
Status: Downloaded newer image for openjdk:8

root@6e0f6a51d478:/# apt update && apt list --upgradeable
Get:1 http://deb.debian.org/debian buster InRelease [121 kB]
Get:2 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:4 http://security.debian.org/debian-security buster/updates/main amd64 Packages [269 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7907 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [9504 B]
Fetched 8424 kB in 2s (4130 kB/s)
Reading package lists... Done
Building dependency tree       
Reading state information... Done
6 packages can be upgraded. Run 'apt list --upgradable' to see them.
Listing... Done
base-files/stable 10.3+deb10u9 amd64 [upgradable from: 10.3+deb10u8]
debian-archive-keyring/stable 2019.1+deb10u1 all [upgradable from: 2019.1]
iputils-ping/stable 3:20180629-2+deb10u2 amd64 [upgradable from: 3:20180629-2+deb10u1]
libbsd0/stable 0.9.1-2+deb10u1 amd64 [upgradable from: 0.9.1-2]
libsystemd0/stable 241-7~deb10u7 amd64 [upgradable from: 241-7~deb10u6]
libudev1/stable 241-7~deb10u7 amd64 [upgradable from: 241-7~deb10u6]

root@6e0f6a51d478:/# apt list openssl
Listing... Done
openssl/stable,now 1.1.1d-0+deb10u6 amd64 [installed,automatic]

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves and https://github.com/docker-library/openjdk/issues/449#issuecomment-763027011, https://github.com/docker-library/postgres/issues/286#issuecomment-302512767, docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
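The version-string trap the two replies above describe, as an added example that is not part of the thread or of the docker-library project: a Python port of dpkg's version ordering, run over the thread's `dpkg -l` lines against the upstream fix release (1.1.1k, from the report) and the buster fixed version (1.1.1d-0+deb10u6, as quoted from the security tracker). It assumes the binaries of interest are the ones named openssl or libssl*; the sample `dpkg -l` text is constructed from the output in the thread.

```python
import re
from itertools import zip_longest

def _order(c):  # dpkg's weighting: '~' sorts before anything, letters before other characters
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _verrevcmp(a, b):
    """Mirror dpkg's verrevcmp(): compare alternating non-digit and digit runs."""
    pairs = zip_longest(re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b), fillvalue=("", ""))
    for (sa, da), (sb, db) in pairs:
        ka, kb = [_order(c) for c in sa] + [0], [_order(c) for c in sb] + [0]  # 0 = end of string
        if ka != kb:
            return -1 if ka < kb else 1
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def parse_version(v):
    """Split '[epoch:]upstream[-debian_revision]' the way dpkg does."""
    epoch, sep, rest = v.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", v)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    (ea, ua, ra), (eb, ub, rb) = parse_version(a), parse_version(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

# Constructed sample: the two openssl lines from the thread's `dpkg -l` output.
DPKG_LIST = """\
ii  libssl1.1:amd64            1.1.1d-0+deb10u6            amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl                    1.1.1d-0+deb10u6            amd64        Secure Sockets Layer toolkit - cryptographic utility
"""
UPSTREAM_FIXED = "1.1.1k"          # upstream fix release named in the report
BUSTER_FIXED = "1.1.1d-0+deb10u6"  # buster fixed version the thread quotes from the security tracker

def audit(dpkg_output, upstream_fixed=UPSTREAM_FIXED, distro_fixed=BUSTER_FIXED):
    """Per openssl binary in `dpkg -l` output: (upstream-only verdict, distro-aware verdict)."""
    verdicts = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "ii" or not parts[1].startswith(("openssl", "libssl")):
            continue
        name, version = parts[1].split(":")[0], parts[2]  # drop the ':amd64' architecture qualifier
        naive = "vulnerable" if _verrevcmp(parse_version(version)[1], upstream_fixed) < 0 else "fixed"
        distro = "fixed" if compare_versions(version, distro_fixed) >= 0 else "vulnerable"
        verdicts[name] = (naive, distro)
    return verdicts
```

A scanner that keys only on the upstream string reports both packages as vulnerable, while comparing the full Debian version against the tracker's fixed version reports them as fixed; the same comparison is what `dpkg --compare-versions` would give on the host.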