Dear Team,
After a detailed investigation of the Docker container vulnerabilities reported under https://github.com/microsoft/openjdk-docker/issues/113, it appears that the ones with critical and high severity were actually detected against the krb5 package, and are in fact resolved.
When we look at the discovered CVE https://nvd.nist.gov/vuln/detail/cve-2024-37371, NVD provides a solution with a higher version, as mentioned: "In MIT Kerberos 5 (aka krb5) before 1.21.3".
When we check the details, this specific CVE has already been resolved in the patches mentioned by @d3r3kk in https://github.com/microsoft/openjdk-docker/issues/113#issuecomment-2471534617.
The challenge is that security scanners compare the package version from NVD:
Known Affected Software Configurations
Up to (excluding)
1.21.3
to the system-level package version, hence this CVE is still discovered, because Mariner used a "patched release", not the version, to resolve the issue:
Version : 1.19.4
Release : 3.cm2
Is this approach of having custom release versions of system packages a standard approach for Mariner, or can we expect Mariner to have the krb5 version bumped soon to be aligned with the official one, which has this CVE resolved?
We are trying to understand how to investigate container security reports without custom rules for Mariner-based images for each CVE that is fixed but cannot be automatically discovered.
Regards,
Jan
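As an added illustration (not part of Jan's report, the openjdk-docker project, or Mariner's tooling), the following Python check reproduces the version-only comparison a scanner performs and then lets a package changelog entry naming the CVE override it. The changelog text is a constructed sample; it assumes the distro's changelog (as printed by `rpm -q --changelog krb5`) names the backported CVE, which may not hold for every package.

```python
import re

# Constructed sample of `rpm -q --changelog krb5` output; a real Mariner entry may differ.
SAMPLE_CHANGELOG = """\
* Wed Jul 10 2024 Example Maintainer <maint@example.invalid> - 1.19.4-3
- Backport upstream fix for CVE-2024-37371 (constructed sample entry)
* Mon Jan 15 2024 Example Maintainer <maint@example.invalid> - 1.19.4-2
- Rebuild (constructed sample entry)
"""


def parse_version(v):
    """Turn '1.19.4' into (1, 19, 4) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def nvd_version_match(pkg_version, fixed_excluding):
    """Version-only check a scanner performs: affected if version < 'Up to (excluding)' boundary.
    It cannot see a distro release bump such as 1.19.4-3.cm2 that carries a backported fix."""
    return parse_version(pkg_version) < parse_version(fixed_excluding)


def cves_in_changelog(changelog):
    """Collect the CVE identifiers named in rpm changelog text, normalised to upper case."""
    return {c.upper() for c in re.findall(r"CVE-\d{4}-\d{4,}", changelog, flags=re.IGNORECASE)}


def assess(cve, pkg_version, fixed_excluding, changelog):
    """Return (fixed, reason): apply the NVD range first, then let a changelog entry
    naming the CVE override it, since that entry is the evidence a backport leaves behind."""
    if not nvd_version_match(pkg_version, fixed_excluding):
        return True, f"{pkg_version} is not below the NVD boundary {fixed_excluding}"
    if cve.upper() in cves_in_changelog(changelog):
        return True, f"{pkg_version} is below {fixed_excluding} but the changelog names {cve}"
    return False, f"{pkg_version} is below {fixed_excluding} and no changelog entry names {cve}"


if __name__ == "__main__":
    # Values from the report: package 1.19.4-3.cm2, NVD boundary 1.21.3, CVE-2024-37371.
    print(assess("CVE-2024-37371", "1.19.4", "1.21.3", SAMPLE_CHANGELOG))
```

On a live image, feed it the output of `rpm -q --qf '%{VERSION}' krb5` and `rpm -q --changelog krb5` instead of the constructed sample.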