hyperledger / cacti

Hyperledger Cacti is a new approach to the blockchain interoperability problem
https://wiki.hyperledger.org/display/cactus
Apache License 2.0

fix(security): vulnerabilities found in corda-4-7-all-in-one #2063

Open zondervancalvez opened 2 years ago

zondervancalvez commented 2 years ago

List of vulnerabilities found in corda-4-7-all-in-one image during Azure Container scan.

| VULNERABILITY ID | PACKAGE NAME | SEVERITY |
| -- | -- | -- |
| CVE-2021-36159 | apk-tools | CRITICAL |
| CVE-2021-30139 | apk-tools | HIGH |
| CVE-2022-28391 | busybox | CRITICAL |
| CVE-2021-28831 | busybox | HIGH |
| CVE-2021-42378 | busybox | HIGH |
| CVE-2021-42379 | busybox | HIGH |
| CVE-2021-42380 | busybox | HIGH |
| CVE-2021-42381 | busybox | HIGH |
| CVE-2021-42382 | busybox | HIGH |
| CVE-2021-42383 | busybox | HIGH |
| CVE-2021-42384 | busybox | HIGH |
| CVE-2021-42385 | busybox | HIGH |
| CVE-2021-42386 | busybox | HIGH |
| CVE-2021-36222 | krb5-libs | HIGH |
| CVE-2021-39537 | ncurses-libs | HIGH |
| CVE-2021-39537 | ncurses-terminfo-base | HIGH |
| CVE-2021-28041 | openssh-client | HIGH |
| CVE-2021-41617 | openssh-client | HIGH |
| CVE-2021-28041 | openssh-keygen | HIGH |
| CVE-2021-41617 | openssh-keygen | HIGH |
| CVE-2021-3711 | openssl | CRITICAL |
| CVE-2022-22970 | org.springframework:spring-core | HIGH |
| CVE-2022-22965 | org.springframework:spring-webmvc | CRITICAL |
| CVE-2020-5398 | org.springframework:spring-webmvc | HIGH |
| CVE-2017-18640 | org.yaml:snakeyaml | HIGH |
| CVE-2017-18640 | org.yaml:snakeyaml | HIGH |
| CVE-2017-18640 | org.yaml:snakeyaml | HIGH |
| CVE-2017-18640 | org.yaml:snakeyaml | HIGH |

petermetz commented 2 years ago

P4 because the Corda AIO image is not meant to be in production.