
[Security]: Trivy reports several low-level CVEs from the base linux images

Open talios opened this issue 3 years ago • 4 comments

Please add the exact image (with tag) that you are using

eclipse-temurin:8u345-b01-jre

Please add the version of Docker you are running

Docker Desktop 4.12.0 (85629)

What happened?

I'm using the Trivy vulnerability scanner extension to check my images and I notice it reports several low-prio CVEs for things such as curl, login, tar, ncurses, passwd.

curl is reported as coming from 7.81.0-1ubuntu1.3 and fixed in 7.81.0-1ubuntu1.4, whilst the others don't list any fixes available.


I understand curl is being removed in an upcoming release, but I'm curious as to the others, and if they're documented anywhere?

Relevant log output

No response

talios avatar Sep 08 '22 06:09 talios
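A triage helper for the kind of report described above, added here as an example and not part of the issue or of the adoptium/containers project: it reads Trivy's JSON output and separates findings that have a fix available (curl in the report above, removable by rebuilding on a refreshed base image) from those the distro has not fixed yet (only trackable), then applies a severity gate for CI. The report is a constructed sample in the shape of `trivy image --format json` output; every ID or version marked EXAMPLE is a placeholder, and only curl's versions come from the issue.

```python
import json
import sys

# Constructed sample in the shape of Trivy's JSON report (trivy image --format json).
# It mirrors the findings described in the issue: curl has a fix available, the
# other base-image package does not. IDs/versions marked EXAMPLE are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "eclipse-temurin:8u345-b01-jre",
    "Results": [{
        "Target": "eclipse-temurin:8u345-b01-jre (ubuntu 22.04)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-EXAMPLE-1", "PkgName": "curl", "Severity": "LOW",
             "InstalledVersion": "7.81.0-1ubuntu1.3", "FixedVersion": "7.81.0-1ubuntu1.4"},
            {"VulnerabilityID": "CVE-2022-EXAMPLE-2", "PkgName": "tar", "Severity": "LOW",
             "InstalledVersion": "0.0-EXAMPLE"},  # no FixedVersion key: unfixed upstream
            {"VulnerabilityID": "CVE-2022-40674", "PkgName": "libexpat1", "Severity": "CRITICAL",
             "InstalledVersion": "0.0-EXAMPLE", "FixedVersion": "0.1-EXAMPLE"},
        ],
    }],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def triage(report_json):
    """Split findings into fixable (a FixedVersion is published, so a rebuild on a refreshed
    base image or a package upgrade removes it) and unfixed (no distro fix yet; track only)."""
    fixable, unfixed = [], []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key is absent when a target is clean
            fix = v.get("FixedVersion") or None        # missing key and "" both mean unfixed
            entry = (v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"], fix, v["Severity"])
            (fixable if fix else unfixed).append(entry)
    return fixable, unfixed

def gate(report_json, threshold="HIGH", ignore_unfixed=True):
    """CI gate: findings at or above `threshold`. By default unfixed ones are skipped (the same
    idea as Trivy's --ignore-unfixed), because nothing in the Dockerfile can remove them."""
    fixable, unfixed = triage(report_json)
    pool = fixable if ignore_unfixed else fixable + unfixed
    return [e for e in pool if SEVERITY_RANK.get(e[4], 0) >= SEVERITY_RANK[threshold]]

if __name__ == "__main__":
    # Pipe a real report in (trivy image --format json IMAGE | python triage.py) or use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    fixable, unfixed = triage(data)
    print(f"fixable: {len(fixable)}, unfixed (inherited from base image): {len(unfixed)}")
    blocking = gate(data)
    for cve, pkg, installed, fix, sev in blocking:
        print(f"BLOCK {sev} {cve} {pkg} {installed} -> {fix}")
    sys.exit(1 if blocking else 0)
```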

This is related to https://github.com/adoptium/containers/issues/267. Since those Low CVEs are in the base image we consume there will be some framework we'll adhere to in terms of container health. As to what it will be remains to be seen.

jerboaa avatar Sep 08 '22 08:09 jerboaa

Now it also has critical vulnerabilities for CVE-2022-40674.

kiranpatel11 avatar Sep 30 '22 08:09 kiranpatel11

Vote up to fix CVE-2022-40674

cyberveseli avatar Oct 10 '22 12:10 cyberveseli

These are being respun by DockerHub folks at DockerHub.

karianna avatar Oct 10 '22 16:10 karianna

Upvote for this issue: Temurin images based on Ubuntu Jammy are now also vulnerable to OpenSSL 3.0 high severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786 💣 (USN-5710-1)

S0obi avatar Nov 01 '22 19:11 S0obi

To follow up, I just noticed that the latest images (8, 11 and 17) were rebuilt yesterday and are no longer vulnerable to the vulnerabilities mentioned here (including the OpenSSL ones). I think we can close this issue 🎉 .

S0obi avatar Nov 03 '22 20:11 S0obi