docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

openjdk:17-oracle - Critical vulnerability reported by ECR #478

Closed mancuss closed 2 years ago

mancuss commented 2 years ago

Hello,

We are trying to use openjdk:17-oracle as a base for our containers. We use AWS ECR as a docker registry and we scan all new images.

We are getting ELSA-2021-9344 (https://linux.oracle.com/errata/ELSA-2021-9344.html) reported as a critical vulnerability and there doesn't seem to be a fix?

We've tried a number of different OpenJDK containers and they all have at least this vulnerability according to AWS ECR.

wglambert commented 2 years ago

https://github.com/docker-library/openjdk/issues/467#issuecomment-921928577

yosifkit commented 2 years ago

There are currently no package updates available in openjdk:17-oracle, so if the fix is published to Oracle Linux package repos then it is already installed. Otherwise, we have to wait until package updates are available.

$ docker run -it --rm openjdk:17-oracle bash
Unable to find image 'openjdk:17-oracle' locally
17-oracle: Pulling from library/openjdk
28587b6e6475: Pull complete 
b1655352c888: Pull complete 
1f9646f00e96: Pull complete 
Digest: sha256:a44066675b079785134b97a9a7dc152fa505308450e8154eea2b0de93a7d8881
Status: Downloaded newer image for openjdk:17-oracle
bash-4.4# microdnf update
Downloading metadata...
Downloading metadata...
Nothing to do.
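The situation in this thread (a critical advisory reported by the registry scanner, no package update available in the base image yet) is a common CI gating problem: you want the pipeline to keep blocking on new critical findings without silently accepting this one forever. The script below is an added example, not code from the docker-library/openjdk project or from anyone in this issue. It parses a scan result in the layout that `aws ecr describe-image-scan-findings` returns (`imageScanFindings.findings[]` with `name`, `severity`, `uri` and key/value `attributes`; treat that layout as an assumption), applies a severity threshold, and honours a time-boxed exception list so that ELSA-2021-9344 can be accepted with an expiry date that forces re-review. The sample findings document and the package names in it are constructed for the example; the second advisory id is a placeholder.

```python
"""Triage ECR scan findings against a documented, time-boxed exception list.

Added example (not part of docker-library/openjdk). The JSON layout of the
findings document is assumed to match `aws ecr describe-image-scan-findings`;
the sample below is constructed by hand.
"""
import json
from datetime import date

# Severity ordering used for the gate threshold (names as ECR reports them).
SEVERITY_RANK = {"INFORMATIONAL": 0, "UNDEFINED": 0, "LOW": 1,
                 "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample shaped like a scan result for openjdk:17-oracle.
# Package names/versions and the second advisory id are placeholders.
SAMPLE_SCAN = json.dumps({
    "imageScanFindings": {
        "findings": [
            {"name": "ELSA-2021-9344",
             "uri": "https://linux.oracle.com/errata/ELSA-2021-9344.html",
             "severity": "CRITICAL",
             "attributes": [{"key": "package_name", "value": "example-pkg"},
                            {"key": "package_version", "value": "1.0-1.el8"}]},
            {"name": "ELSA-0000-0000",  # placeholder advisory id (constructed)
             "uri": "https://linux.oracle.com/errata/ELSA-0000-0000.html",
             "severity": "MEDIUM",
             "attributes": [{"key": "package_name", "value": "other-pkg"}]},
        ]
    }
})

# Accepted-risk entries: advisory id -> (expiry date, reason). The expiry makes
# "no fix available upstream yet" a decision that is revisited, not forgotten.
EXCEPTIONS = {
    "ELSA-2021-9344": (date(2021, 12, 31),
                       "no package update in Oracle Linux repos yet; see issue #478"),
}


def parse_findings(scan_json):
    """Flatten the ECR findings list into simple dicts (assumed layout)."""
    doc = json.loads(scan_json)
    out = []
    for f in doc.get("imageScanFindings", {}).get("findings", []):
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        out.append({
            "id": f["name"],
            "severity": f.get("severity", "UNDEFINED").upper(),
            "uri": f.get("uri", ""),
            "package": attrs.get("package_name", "?"),
        })
    return out


def triage(findings, threshold="HIGH", today=None, exceptions=EXCEPTIONS):
    """Split findings into blocking / accepted / expired-exception / below threshold."""
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold]
    result = {"blocking": [], "accepted": [], "expired": [], "below_threshold": []}
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < min_rank:
            result["below_threshold"].append(f)
            continue
        exc = exceptions.get(f["id"])
        if exc is None:
            result["blocking"].append(f)          # new, undocumented finding
        elif exc[0] < today:
            result["expired"].append(f)           # exception lapsed: re-review
        else:
            result["accepted"].append(f)          # documented, still in date
    return result


def gate_passes(result):
    """The CI gate fails on any blocking finding or any lapsed exception."""
    return not result["blocking"] and not result["expired"]


if __name__ == "__main__":
    res = triage(parse_findings(SAMPLE_SCAN), today=date(2021, 12, 1))
    for bucket, items in res.items():
        for f in items:
            print(f"{bucket:16} {f['severity']:9} {f['id']} ({f['package']}) {f['uri']}")
    print("gate:", "PASS" if gate_passes(res) else "FAIL")
```

Run it as-is to see the constructed sample triaged; in a pipeline you would feed it the real `describe-image-scan-findings` output and keep the exception list in version control next to the Dockerfile so the accepted advisory, its reason and its expiry are reviewed together with the image.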