Closed SnirX closed 1 year ago
@narkedi I think we need DockerHub to trigger rebuilds for all the vulnerable containers.
From my investigation, the openssl package is getting installed in the first line https://github.com/ibmruntimes/semeru-containers/blob/28755a5da3131a0eea644c130830f4cd7cd5d863/17/jdk/ubuntu/focal/Dockerfile.open.releases.full#L21
apt-get install -y --no-install-recommends tzdata curl ca-certificates fontconfig locales
Which installs openssl as a dependency. From what I can tell, our containers have openssl 1.1.1f-1ubuntu2.16 but the latest version is 1.1.1f-1ubuntu2.17. I'm not sure why we got 2.16 as it seems the 2.17 version should have been available when these were built.
http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2.17/changelog
Mon, 06 Feb 2023
If I run the build by hand I get 2.17.
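The check described in the comment above (is the openssl package baked into the image older than the newest build available?) as an added example; this is not code from the issue or from the semeru-containers project. It implements the Debian version ordering that `dpkg --compare-versions` applies (epoch, upstream version, Debian revision; `~` sorts before everything, letters before non-letters, digit runs compared numerically), so it generalizes beyond the single 2.16-vs-2.17 case in the thread. The `dpkg-query` listing and the candidate-version table are constructed sample data; only the openssl versions come from the issue.

```python
"""Flag installed dpkg packages that are older than the newest known
candidate, using dpkg's own version ordering. Added example; the sample
data at the bottom is constructed, not taken from a real image."""

from typing import Dict, List, Tuple


def _order(c: str) -> int:
    """Weight of one character in a non-digit run, as in dpkg's order()."""
    if c == "~":
        return -1            # tilde sorts before anything, even end of string
    if c == "" or c.isdigit():
        return 0             # end of string / digit boundary
    if c.isalpha():
        return ord(c)        # letters sort before non-letters
    return ord(c) + 256      # '.', '+', '-' and friends sort after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream part or Debian revision)."""
    while a or b:
        first_diff = 0
        # Non-digit run: lexical comparison with the modified ordering.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: numeric comparison done digit by digit, so
        # arbitrarily long numeric components are handled.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1         # a has more digits left: larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0, like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


def parse_dpkg_query(text: str) -> Dict[str, str]:
    """Parse the output of `dpkg-query -W -f='${Package} ${Version}\\n'`."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            pkg, ver = line.split(None, 1)
            installed[pkg] = ver
    return installed


def outdated(installed_text: str,
             candidates: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, installed, candidate) for every installed package
    whose version sorts below the candidate version."""
    installed = parse_dpkg_query(installed_text)
    result = []
    for pkg, newest in sorted(candidates.items()):
        have = installed.get(pkg)
        if have is not None and compare_versions(have, newest) < 0:
            result.append((pkg, have, newest))
    return result


# Constructed sample of what dpkg-query might print inside the image; only
# the openssl/libssl1.1 versions mirror the issue, the rest is placeholder.
INSTALLED_SAMPLE = """\
ca-certificates 20210119~20.04.2
libssl1.1 1.1.1f-1ubuntu2.16
openssl 1.1.1f-1ubuntu2.16
"""

# Constructed: newest versions the build should have picked up, e.g. the
# Candidate line of `apt-cache policy <pkg>` after `apt-get update`.
CANDIDATE_SAMPLE = {
    "ca-certificates": "20210119~20.04.2",
    "libssl1.1": "1.1.1f-1ubuntu2.17",
    "openssl": "1.1.1f-1ubuntu2.17",
}

if __name__ == "__main__":
    for pkg, have, want in outdated(INSTALLED_SAMPLE, CANDIDATE_SAMPLE):
        print(f"{pkg}: installed {have}, available {want}")
```

To run it against a real image, feed it the output of `docker run --rm <image> dpkg-query -W -f='${Package} ${Version}\n'` and build the candidate table from `apt-cache policy` inside a freshly updated container of the same base; a non-empty result means the image was built from a stale package index or cache and needs a rebuild.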
@SnirX I think it was a matter of time; it seems the automatic rebuild at hub.docker.com has fixed the issue. Please confirm. I don't see the vulnerabilities being listed anymore.
Hi @narkedi @AdamBrousseau, it seems it was resolved. Thank you for assisting; the issue can be closed.
Hi, there is a high-severity CVE regarding openssl in the latest version of Semeru JVM & Maven. As you can see: https://hub.docker.com/layers/library/maven/3.9.0-ibm-semeru-17-focal/images/sha256-b201ce9889cbf029c7a6c91aac4e66c07aafdf8c2c1ab7547b073b53e7055cbe?context=explore
https://hub.docker.com/layers/library/ibm-semeru-runtimes/open-17.0.6_10-jre-focal/images/sha256-5841369c2142589c107664c3306a909124cff290fcfdeb29234ea50690cb4c9c?context=explore
Can you please let me know what the ETA to fix it is? We use it in production workloads and need to fix it ASAP or move to alternatives. Thank you very much.