nextgenhealthcare / connect-docker

Official Dockerfiles for Connect https://hub.docker.com/r/nextgenhealthcare/connect
Mozilla Public License 2.0

JDK CVE-2023-22036, CVE-2023-22041 and CVE-2023-22043 #32

Closed tbobrykozaki closed 1 year ago

tbobrykozaki commented 1 year ago

Describe the security issue

A security scan from Tenable.IO is reporting these three CVEs for the OpenJDK bundled within Mirth 4.3.0: https://github.com/advisories/GHSA-mw33-48wm-m4r2, https://github.com/advisories/GHSA-rgxf-494f-377c and https://github.com/advisories/GHSA-grjf-4ggg-f6cm.

Vulnerability Location

This is the OpenJDK image used for Mirth.

Environment (please complete the following information if it is applicable to the issue)

OS: Docker
Java Distribution/Version: OpenJDK 17.0.6
Connect Version: 4.3.0

Suggested remediation

Upgrade OpenJDK to 17.0.8 or greater.

Additional context

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. (https://github.com/advisories/GHSA-mw33-48wm-m4r2)

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. (https://github.com/advisories/GHSA-rgxf-494f-377c)

Vulnerability in Oracle Java SE (component: JavaFX). The supported version that is affected is Oracle Java SE: 8u371. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE accessible data. (https://github.com/advisories/GHSA-grjf-4ggg-f6cm)

Exploitability Information
EXPLOIT AVAILABLE: True
EXPLOIT EASE: Exploits are available

Risk Information
RISK FACTOR: Medium
CVSS BASE SCORE: 5.4
CVSS TEMPORAL SCORE: 4.2
CVSS VECTOR: AV:N/AC:H/Au:N/C:N/I:C/A:N
CVSS TEMPORAL VECTOR: E:POC/RL:OF/RC:C
CVSS3 BASE SCORE: 5.9
CVSS3 TEMPORAL SCORE: 5.3
CVSS3 VECTOR: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS3 TEMPORAL VECTOR: E:P/RL:O/RC:C
IVAM SEVERITY: I

Path : /var/lib/docker/overlay2/e6cd599ca96af456509de813299cf0dbaa6c57eafca4a31a5ffd7ac040260dc7/diff/opt/java/openjdk/
Installed version : 17.0.6
Fixed version : Upgrade to version 17.0.8 or greater

Path : /var/lib/docker/overlay2/29ece69f535e91d11e8e7abe1f783d8c937e7b1b6d29781f46ec8e72ddd3a453/merged/opt/java/openjdk/
Installed version : 17.0.6
Fixed version : Upgrade to version 17.0.8 or greater

The above is the output.
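One way to turn the remediation above (OpenJDK 17.0.8 or greater) into a repeatable check, as an added example that is not part of the issue or of the connect-docker project: it parses Java version strings numerically (so 17.0.10 ranks above 17.0.8, which a string compare gets wrong), reads the scanner's "Installed version / Fixed version" lines, and refuses to compare across feature-release lines. The `java -version` sample is constructed; the finding line uses the values from the report.

```python
import re
from typing import List, Tuple

# Constructed `java -version` output for an OpenJDK 17.0.6 build (not posted in the issue).
SAMPLE_JAVA_VERSION = '''openjdk version "17.0.6" 2023-01-17
OpenJDK Runtime Environment Temurin-17.0.6+10 (build 17.0.6+10)
'''
# A finding line in the scanner's format, with the values from the report above.
SAMPLE_FINDING = "Installed version : 17.0.6 Fixed version : Upgrade to version 17.0.8 or greater"

def parse_java_version(s: str) -> Tuple[int, int, int]:
    """Map a Java version string to a numeric (feature, interim, update) tuple.
    Accepts JEP 223 forms ("17.0.6", "17.0.8+7-LTS") and legacy "1.8.0_371" -> (8, 0, 371).
    Numeric tuples rank 17.0.10 above 17.0.8, where a plain string compare would not."""
    s = s.strip().strip('"')
    legacy = re.fullmatch(r"1\.(\d+)\.(\d+)_(\d+).*", s)
    m = legacy or re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised Java version: {s!r}")
    f, i, u = (int(g or 0) for g in m.groups())
    return (f, i, u)

def version_from_java_output(text: str) -> str:
    """Pull the quoted version out of `java -version` output (which goes to stderr)."""
    m = re.search(r'version "([^"]+)"', text)
    if not m:
        raise ValueError("no version line found")
    return m.group(1)

def parse_finding(line: str) -> Tuple[str, str]:
    """Return (installed, fixed) from a scanner finding line."""
    m = re.search(r"Installed version\s*:\s*(\S+)\s+Fixed version\s*:\s*Upgrade to version (\S+)", line)
    if not m:
        raise ValueError(f"unrecognised finding line: {line!r}")
    return m.group(1), m.group(2)

def is_remediated(installed: str, fixed: str) -> bool:
    """True when the installed JDK is at or past the fixed version of the same feature release."""
    inst, fix = parse_java_version(installed), parse_java_version(fixed)
    if inst[0] != fix[0]:
        # Fixed versions are published per feature-release line, so a 17.x
        # threshold says nothing about an 11.x or 21.x runtime: refuse, don't guess.
        raise ValueError(f"feature release mismatch: {installed} vs {fixed}")
    return inst >= fix

def check_findings(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Evaluate finding lines; each result is (installed, fixed, remediated)."""
    return [(i, f, is_remediated(i, f)) for i, f in map(parse_finding, lines)]
```

Run `check_findings` over the scanner's lines before and after rebuilding the image; a `False` entry means the layer still carries the affected JDK.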

tbobrykozaki commented 1 year ago

This was closed in the latest push of the 4.4.0 container.