jgraph / docker-drawio

Dockerized draw.io based on whichever is the most secure image at the time.
GNU General Public License v3.0

Possible security regression: Tomcat 9.0.72 in latest tag docker image #104

Closed clarjon1 closed 1 year ago

clarjon1 commented 1 year ago

heyo!

The latest Docker image pulled through the offered docker-compose.yml has Tomcat 9.0.72 installed instead of the advertised 10.1.

On a fresh VM that I just installed to test:

```
clarjon1@testvm ~/docker-test  [19:54:23]
> $ systemctl start docker

clarjon1@testvm ~/docker-test  [19:54:29]
> $ sudo docker-compose pull
[+] Running 15/15
⠿ drawio Pulled                     32.9s
  ⠿ b65bcf19d144 Pull complete       6.5s
  ⠿ 9e3e3d5d30a2 Pull complete       7.3s
  ⠿ b1afd9b3f07b Pull complete       8.7s
  ⠿ 24c021f0294c Pull complete       8.8s
  ⠿ 56c0466cd577 Pull complete       8.9s
  ⠿ 62f08ce71bec Pull complete       9.2s
  ⠿ d38409d4fe39 Pull complete       9.3s
  ⠿ 69660b09776f Pull complete       9.3s
  ⠿ c4586c62a4dc Pull complete      19.8s
  ⠿ f0df85af0940 Pull complete      22.0s
  ⠿ 5a8e4a6fcc26 Pull complete      23.7s
  ⠿ 0097375c0187 Pull complete      23.7s
  ⠿ 4f4fb700ef54 Pull complete      23.8s
  ⠿ 3784376000f1 Pull complete      26.5s

clarjon1@testvm ~/docker-test  [19:55:03]
> $ sudo docker-compose up -d
[+] Running 2/2
⠿ Network docker-test_default  Created    0.0s
⠿ Container drawio             Started    0.4s

clarjon1@testvm ~/docker-test  [19:55:10]
> $ docker ps
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json": dial unix /var/run/docker.sock: connect: permission denied

clarjon1@testvm ~/docker-test  [19:55:12]
> $ sudo docker ps
CONTAINER ID   IMAGE           COMMAND                  CREATED         STATUS                            PORTS                                                 NAMES
ffdf45117319   jgraph/drawio   "/docker-entrypoint.…"   4 seconds ago   Up 3 seconds (health: starting)   8443/tcp, 0.0.0.0:8082->8080/tcp, :::8082->8080/tcp   drawio

clarjon1@testvm ~/docker-test  [19:55:14]
> $ sudo docker exec -it ffd /bin/sh
$ bin/version.sh
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /opt/java/openjdk
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Using CATALINA_OPTS:
NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Server version: Apache Tomcat/9.0.72
Server built:   Feb 18 2023 09:25:13 UTC
Server number:  9.0.72.0
OS Name:        Linux
OS Version:     6.2.1-zen1-1-zen
Architecture:   amd64
JVM Version:    11.0.18+10
JVM Vendor:     Eclipse Adoptium
```

Contents of my docker-compose.yml:

```yaml
# This compose file adds diagrams.net (ex draw.io) to your stack
version: '3.5'
services:
  drawio:
    image: jgraph/drawio
    container_name: drawio
    restart: unless-stopped
    ports:
      - 8082:8080
#      - 8443:8443
    environment:
      PUBLIC_DNS: domain
      ORGANISATION_UNIT: unit
      ORGANISATION: org
      CITY: city
      STATE: state
      COUNTRY_CODE: country
    healthcheck:
      test: ["CMD-SHELL", "curl -f http://domain:8080 || exit 1"]
      interval: 1m30s
      timeout: 10s
      retries: 5
      start_period: 10s
```

davidjgraph commented 1 year ago

The docs are wrong, we've changed them. We do change the image base around depending on what Snyk recommends to be the least vulnerable image at the time.
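Because the maintainer's reply confirms that the base image (and with it the Tomcat line) can change from one `latest` pull to the next, a deployer who cares about which Tomcat is running should check it before rolling an image out and then pin the digest that passed. The script below is an added example, not code from the jgraph/docker-drawio project or from either participant in this thread. It repeats the check the reporter did by hand (running Tomcat's `bin/version.sh` inside the image) without an interactive shell, parses the `Server version:` line, compares it against a minimum version and prints the image's repository digest so it can be pinned in compose as `image: jgraph/drawio@sha256:...` instead of the floating tag. It assumes the `docker` CLI is installed and that the image keeps `bin/version.sh` under `/usr/local/tomcat` as the transcript above shows; the `SAMPLE_VERSION_OUTPUT` string is constructed from that transcript so the parsing and comparison can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the jgraph/docker-drawio project): fail if an image
# tag ships a Tomcat older than the version we expect, and report the digest
# to pin. Assumes: docker CLI present; image has /usr/local/tomcat/bin/version.sh.

# Constructed sample of version.sh output, shaped like the transcript in the
# issue, so the parsing functions can be tested without docker.
SAMPLE_VERSION_OUTPUT='Using CATALINA_BASE:   /usr/local/tomcat
Using JRE_HOME:        /opt/java/openjdk
Server version: Apache Tomcat/9.0.72
Server built:   Feb 18 2023 09:25:13 UTC
Server number:  9.0.72.0'

# Print the dotted Tomcat version (e.g. 9.0.72) found in version.sh output.
tomcat_version() {
    printf '%s\n' "$1" \
      | sed -n 's/^Server version: *Apache Tomcat\/\([0-9][0-9.]*\).*/\1/p' \
      | head -n 1
}

# Return 0 if dotted version $1 is >= dotted version $2, numerically per
# component, so that 10.1 sorts above 9.0.72 (a string compare would not).
# Both inputs are padded with ".0.0.0" so every field lookup is defined.
version_ge() {
    have="$1.0.0.0"
    want="$2.0.0.0"
    for i in 1 2 3 4; do
        a=$(printf '%s' "$have" | cut -d. -f"$i")
        b=$(printf '%s' "$want" | cut -d. -f"$i")
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# Run version.sh in a throw-away container and print its output. Using
# --entrypoint bypasses /docker-entrypoint.sh so Tomcat itself never starts.
image_tomcat_output() {
    docker run --rm --entrypoint /usr/local/tomcat/bin/version.sh "$1"
}

# Usage: check_image jgraph/drawio:latest 10.1
# Exit 0 and print the digest to pin when the Tomcat version is acceptable,
# exit 1 on a regression, exit 2 if the image could not be inspected.
check_image() {
    image="$1"
    min="$2"
    out=$(image_tomcat_output "$image") || return 2
    ver=$(tomcat_version "$out")
    [ -n "$ver" ] || { echo "no Tomcat version line found in $image" >&2; return 2; }
    digest=$(docker image inspect --format '{{index .RepoDigests 0}}' "$image") || return 2
    if version_ge "$ver" "$min"; then
        echo "OK: $image ships Tomcat $ver (>= $min). Pin it as: image: $digest"
        return 0
    fi
    echo "REGRESSION: $image ships Tomcat $ver (< $min), digest $digest" >&2
    return 1
}

# When run as a script with arguments, check that image; default minimum 10.1.
if [ -n "${1:-}" ]; then
    check_image "$1" "${2:-10.1}"
fi
```

Running `sh check-tomcat.sh jgraph/drawio 10.1` against the image in the transcript would report a regression (9.0.72 is below 10.1) and print the `jgraph/drawio@sha256:...` digest, which is also what to put in `docker-compose.yml` once a pull does pass, since a pinned digest cannot silently change when the base image is swapped.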