docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

OpenSSL vulnerability for openjdk:11 and openjdk:8 #498

Closed marcchanwork closed 2 years ago

marcchanwork commented 2 years ago

Hello openjdk team, my local scan found a critical vulnerability for openssl: CVE-2022-1292. For more details: https://security-tracker.debian.org/tracker/CVE-2022-1292 (severity is high here), https://github.com/advisories/GHSA-qjmp-vmxc-7p8r

I would like to ask if there are any comparable base images I can use for Java 11 and Java 8. Thank you very much.

etiennepeiniau commented 2 years ago

Hello,

We have the same problem on the image: openjdk:17.0.2-jdk-slim, since the problem is linked to openssl.

You can find a scan of the vulnerability here.

I suppose this depends on the base image used.

Thank you in advance.

yosifkit commented 2 years ago

From the Debian security tracker page (https://security-tracker.debian.org/tracker/CVE-2022-1292), you can see that there is no package update available on bullseye. So there is nothing that can be done.

It's centered specifically around the c_rehash script, which is considered obsolete and superseded by the CLI tool: https://www.openssl.org/docs/manmaster/man1/c_rehash.html

Similar to https://github.com/docker-library/python/issues/728#issuecomment-1125195703
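Added check, not from this thread or the docker-library/openjdk repository: since the flaw is in the obsolete c_rehash script, what matters for a given image is whether the script is present and whether anything in the image still invokes it. This script audits an exported container filesystem for both; the rootfs argument and the exit-code convention are my own assumptions.

```shell
#!/bin/sh
# Audit an exported container rootfs for the obsolete c_rehash script
# (CVE-2022-1292) and for anything that still references it. Example of
# obtaining the rootfs (assumed workflow, not from the thread):
#   cid=$(docker create openjdk:11) && mkdir rootfs && \
#   docker export "$cid" | tar -C rootfs -xf - && docker rm "$cid"

# Print every file named c_rehash under the given rootfs, one per line.
find_c_rehash_scripts() {
    rootfs="$1"
    find "$rootfs" -type f -name 'c_rehash' 2>/dev/null | sort
}

# Print every text file under the rootfs, other than the c_rehash script
# itself, that mentions c_rehash: a potential caller of the obsolete tool.
find_c_rehash_callers() {
    rootfs="$1"
    grep -rIl --exclude='c_rehash' 'c_rehash' "$rootfs" 2>/dev/null | sort
}

# Exit code convention (assumed): 0 = no script and no callers,
# 1 = obsolete script present but nothing references it,
# 2 = something in the image still references c_rehash.
audit_c_rehash() {
    rootfs="$1"
    callers=$(find_c_rehash_callers "$rootfs")
    scripts=$(find_c_rehash_scripts "$rootfs")
    if [ -n "$callers" ]; then
        printf 'c_rehash is still referenced by:\n%s\n' "$callers"
        return 2
    fi
    if [ -n "$scripts" ]; then
        printf 'obsolete c_rehash present, no callers found:\n%s\n' "$scripts"
        return 1
    fi
    echo "no c_rehash script or callers found"
    return 0
}
```

Replacing the script with `openssl rehash` (the CLI subcommand the manual page above points to) in any caller found, or removing the script from the image, closes the exposure regardless of whether the distribution ships a fixed package.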

tianon commented 2 years ago

See also #495 -- openjdk:17* will not be updated any further (see that issue/PR for details).

marcchanwork commented 2 years ago

Alright, thanks for the info!