docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

openjdk:latest image scan finds ELSA-2021-9344 on AWS #467

Closed aderigs closed 2 years ago

aderigs commented 2 years ago

For some time now the aws ecr image-scan finds a vulnerability for openjdk:16 and openjdk:17. If you would put openjdk:latest into your private aws ecr you could reproduce this by calling:

✗ aws ecr describe-image-scan-findings --repository-name "openjdk" --image-id imageTag="17" --region eu-central-1 --profile xyz
{
    "imageScanFindings": {
        "findings": [
            {
                "name": "ELSA-2021-9344",
                "description": "    ",
                "uri": "https://linux.oracle.com/errata/ELSA-2021-9344.html",
                "severity": "HIGH",
                "attributes": [
                    {
                        "key": "package_version",
                        "value": "2.28-151.0.1.el8"
                    },
                    {
                        "key": "package_name",
                        "value": "glibc"
                    }
                ]
            },
            {
                "name": "ELSA-2021-9344",
                "description": "    ",
                "uri": "https://linux.oracle.com/errata/ELSA-2021-9344.html",
                "severity": "HIGH",
                "attributes": [
                    {
                        "key": "package_version",
                        "value": "2.28-151.0.1.el8"
                    },
                    {
                        "key": "package_name",
                        "value": "glibc-common"
                    }
                ]
            },
            {
                "name": "ELSA-2021-9344",
                "description": "    ",
                "uri": "https://linux.oracle.com/errata/ELSA-2021-9344.html",
                "severity": "HIGH",
                "attributes": [
                    {
                        "key": "package_version",
                        "value": "2.28-151.0.1.el8"
                    },
                    {
                        "key": "package_name",
                        "value": "glibc-minimal-langpack"
                    }
                ]
            }
        ],
        "imageScanCompletedAt": 1631736265.0,
        "vulnerabilitySourceUpdatedAt": 1631722310.0,
        "findingSeverityCounts": {
            "HIGH": 3
        }
    },
    "registryId": "012345678901",
    "repositoryName": "openjdk",
    "imageId": {
        "imageDigest": "sha256:9f507a555448a8bdaa3c85f63c4e693e13e74a93a034803af7498f1d992dd3f9",
        "imageTag": "17"
    },
    "imageScanStatus": {
        "status": "COMPLETE",
        "description": "The scan was completed successfully."
    }
}

Do you know something about this? Is it a false positive?
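The three HIGH findings above are one Oracle Linux errata (ELSA-2021-9344) reported once per glibc sub-package, and ECR's findingSeverityCounts counts each separately. The script below is an added example (not part of this issue or the docker-library project) that collapses `describe-image-scan-findings` output by advisory and package version so the real count is visible; the sample dict is trimmed from the JSON quoted above, and the stdin handling in the `__main__` block is an assumption about how you would pipe the aws CLI into it.

```python
"""Collapse AWS ECR scan findings by advisory + package version.

Added example, not code from docker-library/openjdk.  SAMPLE_SCAN is the
shape ECR returns, trimmed from the report quoted in this issue."""
import json
import sys
from collections import defaultdict

# Constructed from the report above: one errata, three glibc sub-packages.
SAMPLE_SCAN = {
    "imageScanFindings": {
        "findings": [
            {
                "name": "ELSA-2021-9344",
                "description": "    ",
                "uri": "https://linux.oracle.com/errata/ELSA-2021-9344.html",
                "severity": "HIGH",
                "attributes": [
                    {"key": "package_version", "value": "2.28-151.0.1.el8"},
                    {"key": "package_name", "value": pkg},
                ],
            }
            for pkg in ("glibc", "glibc-common", "glibc-minimal-langpack")
        ],
        "findingSeverityCounts": {"HIGH": 3},
    },
    "repositoryName": "openjdk",
    "imageId": {"imageTag": "17"},
}


def attributes(finding):
    """Flatten ECR's list of {key, value} pairs into a plain dict."""
    return {a["key"]: a["value"] for a in finding.get("attributes", [])}


def group_by_advisory(scan):
    """Return {(advisory, severity, package_version): [package_name, ...]}.

    Sub-packages built from the same source (glibc, glibc-common, ...)
    share the advisory and version, so they land in one bucket."""
    groups = defaultdict(list)
    for finding in scan["imageScanFindings"]["findings"]:
        attrs = attributes(finding)
        key = (finding["name"], finding["severity"],
               attrs.get("package_version", "?"))
        groups[key].append(attrs.get("package_name", "?"))
    return dict(groups)


def severity_counts_by_advisory(scan):
    """Severity counts after de-duplication, for comparison with ECR's
    findingSeverityCounts, which counts every sub-package."""
    counts = defaultdict(int)
    for (_name, severity, _version) in group_by_advisory(scan):
        counts[severity] += 1
    return dict(counts)


def report(scan):
    """One line per advisory, plus a note for findings whose description
    is blank (as ELSA-2021-9344 is in the report above), since then the
    errata URI is the only place the CVE list can be read."""
    lines = []
    for (name, severity, version), pkgs in sorted(group_by_advisory(scan).items()):
        lines.append(f"{name} {severity} {version}: {', '.join(sorted(pkgs))}")
    blank = sorted({f["name"] for f in scan["imageScanFindings"]["findings"]
                    if not f.get("description", "").strip()})
    for name in blank:
        lines.append(f"note: {name} has an empty description; read the errata URI")
    return lines


if __name__ == "__main__":
    # Assumed usage: aws ecr describe-image-scan-findings ... | python3 this.py
    scan = SAMPLE_SCAN if sys.stdin.isatty() else json.load(sys.stdin)
    print("raw counts:", scan["imageScanFindings"].get("findingSeverityCounts"))
    print("per advisory:", severity_counts_by_advisory(scan))
    print("\n".join(report(scan)))
```

On the sample the raw count is HIGH: 3 and the per-advisory count is HIGH: 1, which is the number you actually have to triage against the errata page.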

wglambert commented 2 years ago

https://linux.oracle.com/errata/ELSA-2021-9344.html lists the related CVEs for glibc

https://security-tracker.debian.org/tracker/CVE-2016-10228 Fixed in 2.31-13 for Bullseye

https://security-tracker.debian.org/tracker/CVE-2019-9169 Fixed in both Debian variants

https://security-tracker.debian.org/tracker/CVE-2020-27618 Fixed in 2.31-13 for Bullseye

https://security-tracker.debian.org/tracker/CVE-2021-3326 Fixed in 2.31-13 for Bullseye

https://security-tracker.debian.org/tracker/CVE-2019-25013 Fixed in 2.31-13 for Bullseye

$ docker run -it --rm openjdk:17-bullseye bash
root@cd79b8d98f93:/# ldd --version
ldd (Debian GLIBC 2.31-13) 2.31
$ docker run -it --rm openjdk:16-bullseye bash
root@3230c643895e:/# ldd --version
ldd (Debian GLIBC 2.31-13) 2.31

There are quite a few variants to pick from, so you'll want to check with the respective OS that each is using to see which you'd prefer.

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves And https://github.com/docker-library/openjdk/issues/449#issuecomment-763027011, https://github.com/docker-library/postgres/issues/286#issuecomment-302512767 docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
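The reply above checks glibc by hand with `ldd --version` in two tags. The script below is an added example (not from this issue or the docker-library project) that does the same check for any list of tags and, for Debian bullseye images, compares the installed libc6 package against the 2.31-13 fix version cited from the Debian tracker. It assumes the docker CLI is on PATH for `inspect_image`; the parsing and comparison helpers are pure and are shown on constructed probe output, and the version comparison is a simplified ordering, not full `dpkg --compare-versions` semantics.

```python
"""Report OS and C-library package version for openjdk image variants.

Added example, not code from docker-library/openjdk.  inspect_image()
assumes a working docker CLI; everything else runs offline."""
import re
import subprocess
import sys

# Run inside the image: os-release, a separator, then the libc package
# version from whichever package manager is present (rpm, then dpkg).
PROBE = (
    "cat /etc/os-release; echo ---; "
    "rpm -q glibc 2>/dev/null || "
    "dpkg-query -W -f='${Version}\\n' libc6 2>/dev/null || echo unknown"
)

# Constructed probe output for a Debian bullseye variant and an Oracle
# Linux 8 variant (the OL release number is an assumption).
SAMPLE_DEBIAN = (
    'PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"\nNAME="Debian GNU/Linux"\n'
    'VERSION_ID="11"\nID=debian\n---\n2.31-13\n'
)
SAMPLE_ORACLE = (
    'NAME="Oracle Linux Server"\nVERSION="8.4"\nID="ol"\n'
    'PRETTY_NAME="Oracle Linux Server 8.4"\n---\nglibc-2.28-151.0.1.el8.x86_64\n'
)

# Fix versions quoted from the Debian security tracker links above (bullseye).
DEBIAN_BULLSEYE_FIXED = {
    "CVE-2016-10228": "2.31-13",
    "CVE-2020-27618": "2.31-13",
    "CVE-2021-3326": "2.31-13",
    "CVE-2019-25013": "2.31-13",
}

ARCH_SUFFIX = re.compile(r"\.(x86_64|aarch64|i686|ppc64le|s390x|noarch)$")


def parse_os_release(text):
    """Parse KEY=VALUE lines from /etc/os-release, dropping quotes."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key] = value.strip().strip('"')
    return out


def libc_version(line):
    """'glibc-2.28-151.0.1.el8.x86_64' -> '2.28-151.0.1.el8';
    a bare dpkg version such as '2.31-13' is returned unchanged."""
    line = line.strip()
    if line.startswith("glibc-"):
        line = ARCH_SUFFIX.sub("", line[len("glibc-"):])
    return line


def parse_probe(output):
    """Split PROBE output at the separator into OS facts and libc version."""
    os_text, _, pkg_text = output.partition("\n---\n")
    info = parse_os_release(os_text)
    return {
        "id": info.get("ID", "unknown"),
        "version_id": info.get("VERSION_ID", ""),
        "os": info.get("PRETTY_NAME", info.get("ID", "unknown")),
        "libc_version": libc_version(pkg_text),
    }


def version_key(version):
    """Simplified Debian-style ordering: split on . - + ~, compare numeric
    parts numerically and the rest lexically.  Enough for 2.31-12 vs
    2.31-13; epochs and dpkg's '~' rule are not implemented."""
    parts = re.split(r"[.\-+~]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def at_least(have, fixed):
    return version_key(have) >= version_key(fixed)


def unfixed_cves(info, fixed=DEBIAN_BULLSEYE_FIXED):
    """CVEs whose bullseye fix version is newer than the installed libc6.
    Returns None for anything that is not Debian 11: the table only
    applies there, and an OL version must be checked against ELSA instead."""
    if info["id"] != "debian" or info["version_id"] != "11":
        return None
    return [cve for cve, ver in fixed.items()
            if not at_least(info["libc_version"], ver)]


def inspect_image(image):
    """Run PROBE in a throwaway container (requires the docker CLI)."""
    result = subprocess.run(
        ["docker", "run", "--rm", "--entrypoint", "sh", image, "-c", PROBE],
        capture_output=True, text=True, check=True)
    return parse_probe(result.stdout)


if __name__ == "__main__":
    for image in sys.argv[1:] or ["openjdk:17", "openjdk:17-bullseye"]:
        info = inspect_image(image)
        print(image, "|", info["os"], "|", info["libc_version"],
              "| unfixed (bullseye table):", unfixed_cves(info))
```

Run it with the tags you push to ECR; an Oracle Linux variant prints the `2.28-151.0.1.el8` package version that the scanner names, which is what to compare against the ELSA page, while a bullseye variant at 2.31-13 reports no unfixed entries from the tracker table.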