oracle / graal

GraalVM compiles Java applications into native executables that start instantly, scale fast, and use fewer compute resources 🚀
https://www.graalvm.org

VULNERABILITY - RHSA-2021:4374 CVSS Score v3: 9.1 Docker Image - Graal 21.3.0 #4103

Closed debu999 closed 2 years ago

debu999 commented 2 years ago

Getting vulnerabilities - need a fix. The scan is done via AquaSec for the Docker image.

RHSA-2021:4374 RHSA-2021:4358 RHSA-2021:4464 RHSA-2021:4595 RHSA-2021:4587 RHSA-2021:4382 RHSA-2021:4059 RHSA-2021:4409 RHSA-2021:4373 RHSA-2021:4424 RHSA-2021:4060 RHSA-2021:4451 RHSA-2021:4451 RHSA-2021:4364 RHSA-2021:4387 RHSA-2021:4386 RHSA-2021:4385 RHSA-2021:4511 RHSA-2021:4489 RHSA-2021:4408 RHSA-2021:4513

We are not allowed to procure if there are vulnerabilities in the image. Can this be fixed in new builds of GraalVM?

rodrigar-mx commented 2 years ago

Hi @debu999. Thanks for sharing this. Could you please i) share which GraalVM version you are evaluating, ii) the steps to generate this report (if possible), iii) and elaborate more on this type of vulnerability scan.

debu999 commented 2 years ago

@rodrigar-mx Thanks for reaching out. Steps: We are trying to get the image for version 21.3.0. We use AquaSec to scan the images. https://www.aquasec.com/

debu999 commented 2 years ago

Most of them are for the Red Hat Linux version. All the issues now have patches; mostly, an upgraded Red Hat Linux will solve all the vulnerabilities.

debu999 commented 2 years ago

More details

https://access.redhat.com/errata/RHSA-2021:4374
https://access.redhat.com/errata/RHSA-2021:4358
https://access.redhat.com/errata/RHSA-2021:4464
https://access.redhat.com/errata/RHSA-2021:4595
https://access.redhat.com/errata/RHSA-2021:4587
https://access.redhat.com/errata/RHSA-2021:4382
https://access.redhat.com/errata/RHSA-2021:4059
https://access.redhat.com/errata/RHSA-2021:4409
https://access.redhat.com/errata/RHSA-2021:4373
https://access.redhat.com/errata/RHSA-2021:4424
https://access.redhat.com/errata/RHSA-2021:4060
https://access.redhat.com/errata/RHSA-2021:4451
https://access.redhat.com/errata/RHSA-2021:4451
https://access.redhat.com/errata/RHSA-2021:4364
https://access.redhat.com/errata/RHSA-2021:4387
https://access.redhat.com/errata/RHSA-2021:4386
https://access.redhat.com/errata/RHSA-2021:4385
https://access.redhat.com/errata/RHSA-2021:4511
https://access.redhat.com/errata/RHSA-2021:4489
https://access.redhat.com/errata/RHSA-2021:4408
https://access.redhat.com/errata/RHSA-2021:4513

rodrigar-mx commented 2 years ago

How are you building/getting the image for GraalVM 21.3.0?

debu999 commented 2 years ago

docker pull ghcr.io/graalvm/graalvm-ce:21.3.0

Once the image is pulled to the staging platform, AquaSec scans the image and the details are published; if there is no vulnerability it uploads to the private container registry, else it throws an error. The ones I have listed above were detected during the scan of the image.

rodrigar-mx commented 2 years ago

Thanks @debu999. I have reported this issue internally. An answer will be provided accordingly.

dougxc commented 2 years ago

What files in the GraalVM image are these reports related to?

debu999 commented 2 years ago

More details:

Install AquaSec Trivy: https://aquasecurity.github.io/trivy/v0.18.3/installation/
Download the image: docker pull ghcr.io/graalvm/graalvm-ce:latest
Run the scan: trivy image ghcr.io/graalvm/graalvm-ce:latest

Attaching the report for reference.

ghcr.io/graalvm/graalvm-ce:latest (oracle 8.4)

Total: 141 (UNKNOWN: 0, LOW: 18, MEDIUM: 73, HIGH: 43, CRITICAL: 7)

Refer to the attachment for details.

Java (jar)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

graalvm-ce-trivy-scan.txt

Vulnerable Library: (two screenshots attached, taken 2021-12-21)
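The workflow described in this thread (scan the pulled image, publish the per-severity totals, and push to the private registry only when the policy passes) can be driven from Trivy's machine-readable output instead of the table. The script below is an added example, not part of this issue or of GraalVM's own tooling. It assumes a report produced with `trivy image --format json`; the embedded sample report is constructed, with placeholder package names and CVE ids (only RHSA-2021:4374 is taken from this issue), and the `VendorIDs` field it reads is assumed to be present in the scanner's output, so it is treated as optional.

```python
"""Summarize and gate a Trivy JSON image scan report (added example)."""
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the shape of `trivy image --format json` output.
# Package names and CVE ids are placeholders; RHSA-2021:4374 is the advisory
# from this issue. Recent Trivy wraps results in {"Results": [...]}; v0.18-era
# releases emitted a bare list of results, which load_results() also accepts.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "ghcr.io/graalvm/graalvm-ce:latest (oracle 8.4)",
            "Type": "oracle",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-pkg-a",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL", "VendorIDs": ["RHSA-2021:4374"]},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-pkg-b",
                 "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-pkg-c",
                 "InstalledVersion": "0.9", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example-pkg-d",
                 "InstalledVersion": "5.1", "FixedVersion": "5.2", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "example-pkg-e",
                 "InstalledVersion": "7", "FixedVersion": "8", "Severity": "LOW"},
            ],
        },
        {"Target": "Java", "Type": "jar", "Vulnerabilities": []},
    ]
})


def load_results(report_text):
    """Return the list of per-target results from either JSON layout."""
    data = json.loads(report_text)
    if isinstance(data, dict):
        return data.get("Results") or []
    return data  # older layout: the document itself is the list of results


def count_by_severity(result):
    """Counter of vulnerabilities per severity for one scan target."""
    counts = Counter({s: 0 for s in SEVERITIES})
    for vuln in result.get("Vulnerabilities") or []:
        sev = str(vuln.get("Severity", "UNKNOWN")).upper()
        counts[sev if sev in SEVERITIES else "UNKNOWN"] += 1
    return counts


def summary_line(counts):
    """Render the 'Total: N (...)' line Trivy prints above its table."""
    total = sum(counts[s] for s in SEVERITIES)
    parts = ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES)
    return f"Total: {total} ({parts})"


def gate(results, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=False):
    """Admission check: returns (allowed, offenders).

    ignore_unfixed=True mirrors Trivy's --ignore-unfixed: a finding with no
    FixedVersion cannot be cleared by a base-image update, so some policies
    report it without blocking. The policy in this issue is stricter: any
    finding blocks the push, which is fail_on=SEVERITIES.
    """
    offenders = []
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            if str(vuln.get("Severity", "UNKNOWN")).upper() not in fail_on:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            offenders.append((result.get("Target"), vuln["VulnerabilityID"],
                              vuln.get("PkgName"), vuln.get("FixedVersion") or "none"))
    return (not offenders), offenders


def vendor_advisories(results):
    """Distinct vendor advisory ids (RHSA-..., ELSA-...) behind the findings.
    VendorIDs is assumed optional in the scanner output, so absent ones are skipped."""
    ids = set()
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            ids.update(vuln.get("VendorIDs") or [])
    return sorted(ids)


if __name__ == "__main__":
    results = load_results(SAMPLE_REPORT)
    for result in results:
        print(result["Target"])
        print(summary_line(count_by_severity(result)))
    allowed, offenders = gate(results)
    print("advisories:", vendor_advisories(results))
    print("push to private registry allowed:", allowed)
    for offender in offenders:
        print("  blocked by", offender)
```

In a pipeline the report would come from `trivy image --format json --output report.json <image>` and be fed to `load_results`; the `fail_on` and `ignore_unfixed` knobs are where the procurement policy from this thread is encoded, and `vendor_advisories` gives the RHSA/ELSA ids to compare against the base-image release notes when deciding whether a rebuilt image is expected to clear the findings.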

debu999 commented 2 years ago
| Release | General Availability Date | redhat-release Errata Date* | Kernel Version |
|---|---|---|---|
| RHEL 8.5 | 2021-11-09 | 2021-11-09 RHSA-2021:4356 | 4.18.0-348 |

I believe moving to the latest RHEL 8.5 will definitely fix most of the issues. The current image is built with RHEL 8.4, which has the vulnerabilities.

dougxc commented 2 years ago

Tracked internally by GR-35944.

debu999 commented 2 years ago

Looking forward to it...

debu999 commented 2 years ago

Hi Team, anything done on upgrading to the latest RHEL version?

debu999 commented 2 years ago

Hi Team, can we expect a new version of Graal with a new RHEL base image?

debu999 commented 2 years ago

Any update on this?

rodrigar-mx commented 2 years ago

Hi @debu999. It is still work in progress. We will notify you as soon as there is any update.

debu999 commented 2 years ago

The new Graal version has the fix; we can close it now.