sgerrand / alpine-pkg-glibc

A glibc compatibility layer package for Alpine Linux

Alpine AdoptOpenJDK Dockerfile builds are reporting vulnerability to CVE-2019-15847 #127

Closed tommyreilly closed 4 years ago

tommyreilly commented 4 years ago

When I build any of the AdoptOpenJDK Dockerfiles for alpine, for example:

https://github.com/AdoptOpenJDK/openjdk-docker/blob/master/11/jdk/alpine/Dockerfile.hotspot.releases.full

and then run a scanning tool (Twistlock) to see latest vulnerabilities on the built image, there is a high vulnerability identified as follows:

CVE-2019-15847 (https://nvd.nist.gov/vuln/detail/CVE-2019-15847) ID: 46 Package Name: gcc Package Version: 8.3.0-r0 Severity: High Score 7.5 Description: The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.

Is it possible to remediate this by using a later version of gcc (> 10) in the alpine pkg-glibc so that the AdoptOpenJDK Dockerfile picks up a later/latest version where this vulnerability will hopefully have been addressed?

I initially opened this request in the AdoptOpenJDK GitHub repo Uber issue #230 (see https://github.com/AdoptOpenJDK/openjdk-docker/issues/230)

Thanks

Tommy

sgerrand commented 4 years ago

👋 Thanks for raising this issue. This package contains glibc, not gcc, so is unaffected by the CVE you referenced.

sgerrand commented 4 years ago

Hmm, I take that back. After running apk add --no-cache glibc-2.30-r0.apk glibc-bin-2.30-r0.apk, the old version of libgcc still exists.

apk info libgcc
WARNING: Ignoring APKINDEX.00740ba1.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.d8b2a6f4.tar.gz: No such file or directory
libgcc-8.3.0-r0 description:
GNU C compiler runtime libraries

libgcc-8.3.0-r0 webpage:
http://gcc.gnu.org

libgcc-8.3.0-r0 installed size:
90112
sgerrand commented 4 years ago

📝 The version of libgcc is still not at 10 yet in Alpine Linux. The map of OS release to package version is as follows:

treilly1969 commented 4 years ago

Thank you @sgerrand for following up on this. Appreciated.

sgerrand commented 4 years ago

Apologies for not responding earlier. This was resolved by the release of Alpine Linux 3.11.

$ docker run --rm -it alpine:3.11
/ # wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub
/ # wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.31-r0/glibc-2.31-r0.apk
Connecting to github.com (140.82.118.3:443)
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (52.217.14.76:443)
saving to 'glibc-2.31-r0.apk'
glibc-2.31-r0.apk    100% |***************************************************************************************| 4308k  0:00:00 ETA
'glibc-2.31-r0.apk' saved
/ # apk add glibc-2.31-r0.apk 
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/1) Installing glibc (2.31-r0)
OK: 14 MiB in 15 packages
/ # apk info libgcc
libgcc-9.2.0-r4 description:
GNU C compiler runtime libraries

libgcc-9.2.0-r4 webpage:
http://gcc.gnu.org

libgcc-9.2.0-r4 installed size:
90112
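The check this thread performs by hand (read the libgcc version out of `apk info libgcc`, compare it with the version the NVD text says is fixed) as a small POSIX sh triage script; this is an added example, not code from the thread or the repository, and the embedded `apk info` sample output and the `10.0.0-r0` threshold (from "before version 10" in the CVE description) are assumptions.

```shell
#!/bin/sh
# Constructed sample of `apk info libgcc` output, shaped like the output quoted in this thread.
SAMPLE_OLD='libgcc-8.3.0-r0 description:
GNU C compiler runtime libraries

libgcc-8.3.0-r0 webpage:
http://gcc.gnu.org

libgcc-8.3.0-r0 installed size:
90112'

# Pull "<version>-r<pkgrel>" out of the first "libgcc-<ver> description:" line.
libgcc_version() {
    printf '%s\n' "$1" | sed -n 's/^libgcc-\([0-9][0-9.]*-r[0-9]*\) description:.*/\1/p' | head -n 1
}

# Succeed when $1 >= $2 using a numeric version sort (so 10.1.0-r0 sorts above 9.3.0-r2
# and 9.3.0-r10 above 9.3.0-r2, which plain string comparison gets wrong).
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Print "fixed" or "affected" for the given `apk info` output and minimum fixed version;
# print "unknown" (status 2) when no libgcc line is present at all.
triage() {
    _v=$(libgcc_version "$1")
    [ -n "$_v" ] || { echo "unknown"; return 2; }
    if version_at_least "$_v" "$2"; then echo "fixed"; else echo "affected"; fi
}

triage "$SAMPLE_OLD" 10.0.0-r0   # prints: affected
```

On a real image, run `apk info libgcc` and pass its output as the first argument instead of the sample; scanner findings keyed on `/usr/lib/libgcc_s.so.1` are still decided by this package version, which comes from Alpine's own gcc package rather than from this repository.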
AceHack commented 4 years ago

This has not been resolved, still happens on latest alpine 2.12

package_version cve severity cvss files
9.3.0-r2 CVE-2019-15847 high 7.5 /usr/lib/libgcc_s.so.1
AceHack commented 4 years ago

If this is not the right place to post, please tell me where.

sgerrand commented 4 years ago

Hi @AceHack. The file you referenced is in the gcc package, which is separate from this one and is hosted (and maintained) by Alpine Linux itself.

AceHack commented 4 years ago

Do you know where I can file issues on that? Thanks.

sgerrand commented 4 years ago

Cross-posting my reply to #139:

I'm afraid that the latest version of the libgcc package available in Alpine Linux is 9.3.0-r2. I can't provide an updated version to fix your issue until it's updated.

Would you please file this bug report with the maintainers of that package via https://gitlab.alpinelinux.org/alpine/aports/-/issues.