neo4j / docker-neo4j

Docker Images for the Neo4j Graph Database
Apache License 2.0
333 stars, 172 forks

Vulnerabilities found in neo4j docker images #344

Closed HeyImAllan closed 2 years ago

HeyImAllan commented 2 years ago

Dear all, please take a look at the following. Do you recognise these issues and do you have any plans to fix these?

The following (high/critical) vulnerabilities were found in the image. Can you please take a look?

CVE-2021-38297: go (version 1.15.9)
CVE-2022-23806: go
PRISMA-2021-0081: org.apache.lucene_lucene-core (8.9.0)
CVE-2022-24921: go
CVE-2022-23773: go
CVE-2022-23772: go
CVE-2021-44716: go
CVE-2021-41772: go
CVE-2021-41771: go
CVE-2021-39293: go
CVE-2021-33198: go
CVE-2021-33196: go
CVE-2021-33194: go
CVE-2021-29923: go
CVE-2020-36518: com.fasterxml.jackson.core_jackson-databind (2.11.4, 2.13.0, 2.12.4, 2.13.1)
CVE-2021-33195: go

jennyowen commented 2 years ago

Most of those are probably inherited from our base image, which we can do nothing about. Fixes to the openjdk base image do automatically get pulled into the Neo4j image as soon as they become available in docker.

Do a scan of openjdk:11-jdk-slim. If there are any CVEs that are in the neo4j image but not the openjdk one, you can raise that with our customer support and they will be able to give you more information about remediation and/or expected fixes than I can. https://support.neo4j.com/hc/en-us
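The comparison suggested in the reply above (scan the base image too, then look only at findings that are in the neo4j image but not in openjdk:11-jdk-slim) can be scripted. The following is an added example, not code from the neo4j/docker-neo4j repository or from either commenter. It assumes the JSON layout that `trivy image --format json` emits (a `Results` list whose entries carry a `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion` and `Severity`); the two embedded sample reports are constructed for illustration from identifiers quoted in the issue and are not real scan output, so they say nothing about which of the reported CVEs actually come from the base image.

```python
"""Keep only the vulnerability findings an application image adds on top of
its base image, so the remaining list is what the image maintainer can fix.

Added example for the neo4j/docker-neo4j issue thread; not project code.
Assumed input: Trivy-style JSON (Results[].Vulnerabilities[]).  Real use,
which needs network access and is not run here:

    trivy image --format json --output neo4j.json neo4j:4.4
    trivy image --format json --output base.json  openjdk:11-jdk-slim
    python3 compare_scans.py neo4j.json base.json
"""
import json
import sys

# The reporter filtered on high/critical; do the same by default.
SEVERITIES = ("CRITICAL", "HIGH")


def findings(report: dict, severities=SEVERITIES) -> dict:
    """Map (vuln_id, pkg_name) -> finding for every vulnerability in a
    Trivy-style report whose severity is in `severities`."""
    out = {}
    for result in report.get("Results", []):
        # Trivy emits "Vulnerabilities": null for clean targets.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            key = (vuln["VulnerabilityID"], vuln["PkgName"])
            out[key] = {
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "severity": vuln["Severity"],
                "target": result.get("Target", ""),
            }
    return out


def not_in_base(app_report: dict, base_report: dict) -> list:
    """Findings present in the application image but absent from the base
    image.  Keyed on (CVE, package), not CVE alone, so the same CVE hitting
    two different packages is not mistaken for an inherited finding."""
    app, base = findings(app_report), findings(base_report)
    return sorted((app[k] for k in app.keys() - base.keys()),
                  key=lambda f: (f["id"], f["pkg"]))


def inherited(app_report: dict, base_report: dict) -> set:
    """(CVE, package) pairs reported in both images: raise these with the
    base-image maintainers, not the application image maintainers."""
    return findings(app_report).keys() & findings(base_report).keys()


# Constructed sample reports (NOT real scan results for either image).
SAMPLE_BASE = {
    "ArtifactName": "openjdk:11-jdk-slim",
    "Results": [{
        "Target": "openjdk:11-jdk-slim (os packages)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-38297", "PkgName": "go",
             "InstalledVersion": "1.15.9", "Severity": "CRITICAL"},
        ],
    }],
}
SAMPLE_APP = {
    "ArtifactName": "neo4j",
    "Results": [
        {"Target": "neo4j (os packages)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-38297", "PkgName": "go",
              "InstalledVersion": "1.15.9", "Severity": "CRITICAL"},
         ]},
        {"Target": "Java",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2020-36518",
              "PkgName": "com.fasterxml.jackson.core:jackson-databind",
              "InstalledVersion": "2.13.1", "Severity": "HIGH"},
             {"VulnerabilityID": "PRISMA-2021-0081",
              "PkgName": "org.apache.lucene:lucene-core",
              "InstalledVersion": "8.9.0", "Severity": "HIGH"},
         ]},
        {"Target": "clean-target", "Vulnerabilities": None},
    ],
}


def load(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        app, base = load(sys.argv[1]), load(sys.argv[2])
    else:
        app, base = SAMPLE_APP, SAMPLE_BASE
    print(f"inherited from base image: {len(inherited(app, base))} finding(s)")
    print("specific to the application image:")
    for f in not_in_base(app, base):
        print(f"  {f['severity']:<8} {f['id']:<18} {f['pkg']} {f['installed']}"
              f"  [{f['target']}]")
```

Only the `not_in_base` output is worth raising with the image maintainers; anything in `inherited` has to be fixed in the openjdk image and, as the reply notes, flows into the Neo4j image when that rebuild lands. Keying on the package as well as the CVE matters because scanners report the same Go or Java CVE once per affected binary or jar, and a base-image hit and an application-layer hit on the same CVE are different remediation paths.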