docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

There are 4 vulnerabilities(3 high, 1 medium) in image openjdk:8u322-jdk #492

Closed Mango2020 closed 2 years ago

Mango2020 commented 2 years ago

Image openjdk:8u322-jdk @sha256:677668e1de865f81f9c18afa6a627033759cc9668b20d8399e437458f5a1d362 scan vulnerability => found 4 vulnerabilities. Would you please help fix them asap? Thanks.

Details above:

  1. High severity vulnerability found in gzip, xz-utils Description: An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system. Info: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-1271

  2. High severity vulnerability found in zlib1g Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. Info: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-1271

  3. High severity vulnerability found in subversion Description: Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected. Info: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-24070

  4. Medium severity vulnerability found in subversion Description: Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable. Info: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-28544

wglambert commented 2 years ago

https://security-tracker.debian.org/tracker/CVE-2022-1271 Can be updated

https://security-tracker.debian.org/tracker/CVE-2022-24070 Package is up to date

$ docker run --rm openjdk:8-jdk apt list --installed | grep -i subversion
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
subversion/now 1.14.1-3+deb11u1 amd64 [installed,local]

https://security-tracker.debian.org/tracker/CVE-2021-28544 Package is up to date, same as above

In the latest openjdk:8 image, these are the packages that can be updated:

$ docker run -it --rm openjdk:8-jdk bash
root@63a8371167c0:/# apt update && apt list --upgradable
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Get:2 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [39.4 kB]
Get:4 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [126 kB]
Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8182 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [2596 B]
Fetched 8510 kB in 1s (5812 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
Listing... Done
gzip/stable-security 1.10-4+deb11u1 amd64 [upgradable from: 1.10-4]
liblzma5/stable-security 5.2.5-2.1~deb11u1 amd64 [upgradable from: 5.2.5-2]

You're not using the most up-to-date image; this is what can be updated in the image you're using:

$ docker run -it --rm openjdk@sha256:677668e1de865f81f9c18afa6a627033759cc9668b20d8399e437458f5a1d362 bash
root@559858fee05c:/# apt update && apt list --upgradable
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Get:2 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [39.4 kB]
Get:4 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [126 kB]
Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8182 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [2596 B]
Fetched 8510 kB in 2s (5153 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
6 packages can be upgraded. Run 'apt list --upgradable' to see them.
Listing... Done
gzip/stable-security 1.10-4+deb11u1 amd64 [upgradable from: 1.10-4]
liblzma5/stable-security 5.2.5-2.1~deb11u1 amd64 [upgradable from: 5.2.5-2]
libsvn1/stable-security 1.14.1-3+deb11u1 amd64 [upgradable from: 1.14.1-3]
subversion/stable-security 1.14.1-3+deb11u1 amd64 [upgradable from: 1.14.1-3]
xz-utils/stable-security 5.2.5-2.1~deb11u1 amd64 [upgradable from: 5.2.5-2]
zlib1g/stable-security 1:1.2.11.dfsg-2+deb11u1 amd64 [upgradable from: 1:1.2.11.dfsg-2]

The package updates will be automatic when the Debian images are republished and we rebuild all dependent images:

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/6138d05aabf61563606d86f98d0ccbd99f162b33#why-does-my-security-scanner-show-that-an-image-has-cves

Since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link
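The triage wglambert does by hand above (is a security fix already staged in the image's apt sources for each package the scanner flagged, or does the Debian tracker need checking?) as an added shell example; this is not code from the thread or the docker-library project, and the two listings it parses are the constructed copies of the `apt list --upgradable` output quoted above.

```shell
#!/bin/sh
# Constructed input: the `apt list --upgradable` listings quoted in the thread, for the
# pinned openjdk@sha256:6776... image and for the then-current openjdk:8-jdk image.
PINNED_UPGRADABLE='Listing... Done
gzip/stable-security 1.10-4+deb11u1 amd64 [upgradable from: 1.10-4]
liblzma5/stable-security 5.2.5-2.1~deb11u1 amd64 [upgradable from: 5.2.5-2]
libsvn1/stable-security 1.14.1-3+deb11u1 amd64 [upgradable from: 1.14.1-3]
subversion/stable-security 1.14.1-3+deb11u1 amd64 [upgradable from: 1.14.1-3]
xz-utils/stable-security 5.2.5-2.1~deb11u1 amd64 [upgradable from: 5.2.5-2]
zlib1g/stable-security 1:1.2.11.dfsg-2+deb11u1 amd64 [upgradable from: 1:1.2.11.dfsg-2]'
LATEST_UPGRADABLE='Listing... Done
gzip/stable-security 1.10-4+deb11u1 amd64 [upgradable from: 1.10-4]
liblzma5/stable-security 5.2.5-2.1~deb11u1 amd64 [upgradable from: 5.2.5-2]'

# The packages the scanner flagged in this issue.
FLAGGED='gzip xz-utils zlib1g subversion'

# pending_security_updates: read `apt list --upgradable` output on stdin and print
# "package installed_version candidate_version" for every package whose candidate
# comes from a *-security suite; candidates from other suites are ignored.
pending_security_updates() {
  awk '$1 ~ /\/[^\/]*-security$/ {
         split($1, p, "/"); old = $NF; sub(/\]$/, "", old)
         print p[1], old, $2
       }'
}

# triage_flagged: for each flagged package, report whether a security update is
# already staged (a base-image rebuild will pick it up) or nothing is pending, in
# which case the tracker decides: either the fix is already installed, as with
# subversion 1.14.1-3+deb11u1 above, or no fix has been released yet.
triage_flagged() {
  listing=$(pending_security_updates)
  for pkg in $FLAGGED; do
    fix=$(printf '%s\n' "$listing" | awk -v p="$pkg" '$1 == p { print $3 }')
    if [ -n "$fix" ]; then
      printf '%s: fix staged (%s)\n' "$pkg" "$fix"
    else
      printf '%s: no pending update, check security-tracker\n' "$pkg"
    fi
  done
}

# Against a live image, replace the sample with e.g.:
#   docker run --rm IMAGE sh -c 'apt-get update -qq && apt list --upgradable 2>/dev/null' | triage_flagged
printf '%s\n' "$PINNED_UPGRADABLE" | triage_flagged
```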

yosifkit commented 2 years ago

As luck would have it, a Debian base image update was merged yesterday (https://github.com/docker-library/official-images/pull/12257), so new rebuilds are slowly being processed (currently 200+ items in queue).

Mango2020 commented 2 years ago

@wglambert @yosifkit Has the new image not been released yet? Thanks.

yosifkit commented 2 years ago

The Debian rebuilds should be complete and new images have been pushed: https://hub.docker.com/_/openjdk?tab=tags.