Jobeinabox relies on Ubuntu 20.04's openjdk-16-jdk package, which is vulnerable to multiple CVEs as described at https://openjdk.java.net/groups/vulnerability/advisories/2021-07-20: CVE-2021-2388, CVE-2021-2369, and CVE-2021-2341. Ubuntu does not seem to be patching these CVEs, even though they are from July. Specifically, the openjdk-16-jdk release used in jobeinabox does not appear in their security tracker for any of the referenced CVEs (see https://ubuntu.com/security/cve-2021-2388, https://ubuntu.com/security/cve-2021-2369, and https://ubuntu.com/security/cve-2021-2341). These Medium priority security issues never seem to be addressed in a timely manner. These CVEs show up in security scanning suites quite frequently, and a freshly built container today contains these vulnerabilities.
I've made a pull request that addresses the issue by using the Docker openjdk:16-jdk image as a layer instead of the built-in Ubuntu package. This is better maintained for security, and bumps the version to 16.0.2, which addresses these vulnerabilities. The Dockerfile now uses a multi-stage approach for building the image. See #10
I did basic testing of the system and it seems to be working correctly with this change in my instance, but please perform some additional testing before merging this.
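The multi-stage pattern the PR describes, as an added illustration that is not jobeinabox's own Dockerfile or the contents of #10: the JDK is copied out of the official openjdk:16-jdk image into an Ubuntu 20.04 base, so the distro openjdk-16-jdk package is never installed. The install path /usr/local/openjdk-16 is an assumption about where the openjdk image places the JDK, and the final RUN step is an added build-time check that fails the build if the copied JDK is older than the patched 16.0.2 release:

```dockerfile
# Stage 1: source of the JDK. The official image tracks upstream releases,
# so the 16-jdk tag carries 16.0.2 (the July 2021 security release).
FROM openjdk:16-jdk AS jdk

# Stage 2: the Ubuntu 20.04 base the application runs on, with no
# openjdk-16-jdk from the distro repositories.
FROM ubuntu:20.04

# Assumption: the openjdk image installs the JDK under /usr/local/openjdk-16
# and sets JAVA_HOME to that path.
ENV JAVA_HOME=/usr/local/openjdk-16
ENV PATH="${JAVA_HOME}/bin:${PATH}"
COPY --from=jdk ${JAVA_HOME} ${JAVA_HOME}

# Build-time check: parse the version string from `java -version` and fail the
# build if it sorts below 16.0.2, so a stale base layer cannot ship unnoticed.
RUN set -eu; \
    v="$(java -version 2>&1 | awk -F'"' '/version/ {print $2}')"; \
    printf 'JDK version: %s\n' "$v"; \
    [ "$(printf '%s\n16.0.2\n' "$v" | sort -V | head -n1)" = "16.0.2" ] \
      || { echo "JDK $v is older than 16.0.2" >&2; exit 1; }
```

Copying only the JDK directory keeps the Ubuntu userland the rest of the image expects while decoupling the Java version from Ubuntu's update cadence; the JDK still depends on the base image's glibc and zlib, which Ubuntu 20.04 provides. Pin the jdk stage to an explicit tag (or image digest) in the real Dockerfile so rebuilds are reproducible, and re-check the version gate when moving to a newer JDK line.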