docker-images
Vulnerabilities found in the Oracle Database 21c (21.3.0) Express Edition
Recently I built an Oracle Database 21c (21.3.0) Express Edition container image, and got 77 vulnerability findings, including those related to org.apache.logging.log4j_log4j-core 2.13.3, with the corresponding vulnerabilities of CVE-2021-44228, CVE-2021-44832, CVE-2021-45046 and CVE-2021-45105, respectively. I used the build argument -o '--build-arg SLIMMING=false' while building the container image. I am particularly interested in having the log4j specific vulnerabilities resolved to use the image. Any suggestion/pointer for how to resolve the vulnerabilities (the log4j specific ones in particular) with the Oracle Database 21c (21.3.0) Express Edition?
Just to add a bit more specifics - The following is the command I used to create the Oracle container image:
./buildContainerImage.sh -v 21.3.0 -t oracle:21.3.0-xe -x -o '--build-arg SLIMMING=false'
From the scanning output, the log4j related vulnerabilities appear to point to ./opt/oracle/product/21c/dbhomeXE/md/jlib/ndmserver.ear (and ./opt/oracle/product/21c/dbhomeXE/md/jlib/ndmserver.ear.zip as well) in the rpm file.
Hi Abhishek and team, Any suggestion or update to address the Log4J specific vulnerabilities as mentioned above would be highly appreciated.
Is there any patch to fix these vulnerabilities?
There is no patch for XE. These files have to be manually deleted. These are not used by XE.
The Dockerfile for XE may be edited to remove these files.
And for EE? Can it be deleted for EE?
For EE, you may build a patched image by downloading the latest RU and using the patching extension
https://github.com/oracle/docker-images/tree/main/OracleDatabase/SingleInstance/extensions/patching
The latest RU will remove all such files.
Hi Yunus,
Thank you very much for such a quick response. I have used 21.3 Oracle binaries and am trying to find an RU for 21.3 but am not able to do so. If you know the RU for 21.3, or even for 19.3, please let me know. I have tried applying 21.5 and 21.6, but those also didn't resolve these CVEs.
Check this page for 19c
https://support.oracle.com/knowledge/Oracle%20Cloud/555_1.html
Hi Yunus, Can you please elaborate a bit more specifically how to remove these files by editing Dockerfile.xe and rebuild the 21.3 XE image?
You can edit the RUN command in the Dockerfile.xe to remove these files manually. Something like:
RUN ... && \
rm -f <file-locations>
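A verification step to run after the rm, as an added example (not code from the oracle/docker-images project): export the rebuilt image's filesystem (for instance with `docker export`) and scan it for a log4j-core copy hidden inside nested archives, which is how the scanner found it in ndmserver.ear and ndmserver.ear.zip. The sample tree the block builds is constructed for illustration, and the layout inside ndmserver.ear (a lib/ jar) is an assumption, not taken from the rpm.

```python
import io
import pathlib
import tempfile
import zipfile
ARCHIVE_EXTS = (".ear", ".war", ".jar", ".zip")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def _scan_zip(data, label, findings):
    """Inspect one archive held in memory, descending into nested ear/war/jar/zip entries."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # e.g. a renamed non-zip file; nothing to inspect
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        props = zf.read(POM_PROPS).decode() if POM_PROPS in names else ""  # Maven metadata states the version
        version = next((l[8:].strip() for l in props.splitlines() if l.startswith("version=")), None)
        if version or JNDI_LOOKUP in names:
            findings.append((label, version or "unknown", JNDI_LOOKUP in names))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                _scan_zip(zf.read(name), label + "!" + name, findings)

def scan_tree(root):
    """Return sorted (archive chain, log4j-core version, JndiLookup present) for hits under root."""
    findings = []
    for path in pathlib.Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXTS:
            _scan_zip(path.read_bytes(), str(path.relative_to(root)), findings)
    return sorted(findings)

def _zip_bytes(entries):  # build an in-memory zip from a {name: str-or-bytes} mapping
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed fixture mirroring the paths the scan reported; the ear's internal layout is assumed."""
    jlib = pathlib.Path(root, "opt/oracle/product/21c/dbhomeXE/md/jlib")
    jlib.mkdir(parents=True)
    core = _zip_bytes({POM_PROPS: "version=2.13.3\n", JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
    ear = _zip_bytes({"lib/log4j-core-2.13.3.jar": core})
    (jlib / "ndmserver.ear").write_bytes(ear)
    (jlib / "ndmserver.ear.zip").write_bytes(_zip_bytes({"ndmserver.ear": ear}))

def demo():  # build the constructed fixture in a temp dir, scan it, return the findings
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)
```

Run scan_tree against the exported root of the rebuilt image; an empty result means the rm in Dockerfile.xe removed every nested log4j-core copy.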
Please refer to this link: https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
Closing this for now.