
Please help to resolve vulnerabilities in fabric images

Open vasavi-spglobal opened this issue 3 years ago • 3 comments

Hi,

We are using Hyperledger Fabric blockchain in one of our projects, and our company's security team scanned the Fabric images and reported the vulnerabilities below. Below are the listed versions and vulnerabilities. Kindly provide us clean images that don't have any vulnerabilities.


fabric-orderer (v2.4), alpine-3.14.3: CVE-2018-25032 CVE-2022-0778 ALPINE-13661 CVE-2022-28391 CVE-2022-0778 CVE-2022-28327 CVE-2022-24675 CVE-2022-23772 CVE-2022-23773 CVE-2022-24921 CVE-2022-23806

fabric-ca (v1.5.3), alpine-3.14.6: CVE-2020-29652 CVE-2022-24675 CVE-2022-28327

fabric-peer (v2.4), alpine-3.14.3: CVE-2018-25032 CVE-2022-0778 CVE-2022-0778 ALPINE-13661 CVE-2022-28391 CVE-2021-21334 CVE-2022-28327 CVE-2022-24675 CVE-2022-23772 CVE-2022-23773 CVE-2022-24921 CVE-2022-23806

CouchDB (v3.1), debian-buster: CVE-2022-1664 CVE-2022-29155 CVE-2022-1292

vasavi-spglobal, Jun 07 '22 21:06

Dependencies will be updated in the upcoming open source releases for v2.2.x and v2.4.x. But note that the Fabric images on Docker Hub are for development and trial purposes. For production environments you are encouraged to use a commercial offering that provides regular security patches and support.

denyeart, Jun 09 '22 12:06

Hi Dave,

Thanks for the reply. Please guide me on where and how I can get the commercial offering images.

Thanks, Vasavi

vasavi-spglobal, Jun 09 '22 12:06

Hardened images are available for licensing directly from IBM via PPA: https://cloud.ibm.com/docs/blockchain-sw?topic=blockchain-sw-blockchain-images

I'm not personally aware of other companies offering supported Fabric images. You could also simply build the images yourself.

lindluni, Jun 11 '22 03:06