Skip to content
This repository has been archived by the owner on Apr 15, 2024. It is now read-only.

ISSUE-2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image #228

Open
sijie opened this issue Jul 28, 2020 · 0 comments
Open

Comments

@sijie
Copy link
Member

sijie commented Jul 28, 2020

Original Issue: apache#2387


BUG REPORT
A security scanner has reported the following CVEs in the apache/bookkeeper:4.9.2 image.

Component Current Version CVE Severity Version to be upgraded to References
Apache log4j 1.2.17 CVE-2017-5645 CRITICAL 2.8.2 https://nvd.nist.gov/vuln/detail/CVE-2017-5645
Apache log4j 1.2.17 CVE-2019-17571 CRITICAL 2.8.2 https://nvd.nist.gov/vuln/detail/CVE-2019-17571
https://logging.apache.org/log4j/1.2/index.html
Java Platform Standard Edition (JRE) (J2RE) 8u102 CVE-2016-5556 CRITICAL 8u241
Java Platform Standard Edition (JRE) (J2RE) 8u102 CVE-2016-5568 CRITICAL 8u241
Java Platform Standard Edition (JRE) (J2RE) 8u102 CVE-2016-5582 CRITICAL 8u241
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server 9.4.5.v20170502 CVE-2017-7657 CRITICAL 9.4.11 https://www.eclipse.org/jetty/security-reports.html
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server 9.4.5.v20170502 CVE-2017-7658 CRITICAL 9.4.11 https://www.eclipse.org/jetty/security-reports.html
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server 9.4.5.v20170502 CVE-2018-12538 CRITICAL 9.4.11 https://www.eclipse.org/jetty/security-reports.html
Netty Project 3.10.1.Final CVE-2019-20444 CRITICAL 4.1.44.Final netty/netty#9866
https://github.com/netty/netty/milestone/218?closed=1
Netty Project 3.10.1.Final CVE-2019-20445 CRITICAL 4.1.44.Final netty/netty#9861
https://github.com/netty/netty/milestone/218?closed=1
OpenLDAP 2.4.44 CVE-2019-13565 HIGH 2.4.48 https://access.redhat.com/security/cve/CVE-2019-13565
https://bugzilla.redhat.com/show_bug.cgi?id=1730477
https://www.openldap.org/lists/openldap-announce/201907/msg00001.html
Python programming language 2.7.5 CVE-2018-14647 HIGH 2.7.5-86.el7.x86_64 https://access.redhat.com/security/cve/CVE-2018-14647
https://access.redhat.com/errata/RHSA-2019:2030
Python programming language 2.7.5 CVE-2019-10160 CRITICAL 2.7.5-80.el7_6.x86_64 https://access.redhat.com/security/cve/CVE-2019-10160
https://access.redhat.com/errata/RHSA-2019:1587
Python programming language 2.7.5 CVE-2019-16056 HIGH 2.7.5-88.el7.x86_64 https://access.redhat.com/security/cve/CVE-2019-16056
https://access.redhat.com/errata/RHSA-2020:1131
Python programming language 2.7.5 CVE-2019-5010 HIGH 2.7.5-86.el7.x86_64 https://access.redhat.com/security/cve/CVE-2019-5010
https://access.redhat.com/errata/RHSA-2019:2030
Python programming language 2.7.5 CVE-2019-9948 CRITICAL 2.7.5-86.el7  https://access.redhat.com/security/cve/CVE-2019-9948
https://access.redhat.com/errata/RHSA-2019:2030
avahi 0.6.31 CVE-2017-6519 CRITICAL 0.6.31-20.el7.x86_64 https://access.redhat.com/security/cve/CVE-2017-6519
https://access.redhat.com/errata/RHSA-2020:1176
elfutils 0.176 CVE-2018-16402 CRITICAL 0.176-2.el7 https://access.redhat.com/security/cve/CVE-2018-16402
https://access.redhat.com/errata/RHSA-2019:2197
jackson-databind 2.9.7 CVE-2018-19360 CRITICAL 2.9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-19360
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
jackson-databind 2.9.7 CVE-2018-19361 CRITICAL 2.9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-19361
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
jackson-databind 2.9.7 CVE-2018-19362 CRITICAL 2.9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-19362
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
jackson-databind 2.9.7 CVE-2019-14379 CRITICAL 2.9.10 https://nvd.nist.gov/vuln/detail/CVE-2019-14379
FasterXML/jackson-databind#2387
jackson-databind 2.9.7 CVE-2019-14540 CRITICAL 2.9.10 https://nvd.nist.gov/vuln/detail/CVE-2019-14540
FasterXML/jackson-databind#2410
jackson-databind 2.9.7 CVE-2019-14892 CRITICAL 2.9.10 https://nvd.nist.gov/vuln/detail/CVE-2019-14892
FasterXML/jackson-databind#2462
jackson-databind 2.9.7 CVE-2019-14893 CRITICAL 2.9.10 https://nvd.nist.gov/vuln/detail/CVE-2019-14893
FasterXML/jackson-databind#2469
jackson-databind 2.9.7 CVE-2019-16335 CRITICAL 2.9.10.1 https://nvd.nist.gov/vuln/detail/CVE-2019-16942
FasterXML/jackson-databind#2478
jackson-databind 2.9.7 CVE-2019-16942 CRITICAL 2.9.10.1 https://nvd.nist.gov/vuln/detail/CVE-2019-16942
FasterXML/jackson-databind#2478
jackson-databind 2.9.7 CVE-2019-16943 CRITICAL 2.9.10.1 https://nvd.nist.gov/vuln/detail/CVE-2019-16943
FasterXML/jackson-databind#2478
jackson-databind 2.9.7 CVE-2019-17267 CRITICAL 2.9.10 https://nvd.nist.gov/vuln/detail/CVE-2019-17267
FasterXML/jackson-databind#2460
jackson-databind 2.9.7 CVE-2019-17531 CRITICAL 2.9.10.1 https://nvd.nist.gov/vuln/detail/CVE-2019-17531
FasterXML/jackson-databind#2498
jackson-databind 2.9.7 CVE-2019-20330 CRITICAL 2.9.10.2 https://nvd.nist.gov/vuln/detail/CVE-2019-20330
FasterXML/jackson-databind#2526
jackson-databind 2.9.7 CVE-2020-8840 CRITICAL 2.9.10.3 https://nvd.nist.gov/vuln/detail/CVE-2020-8840
FasterXML/jackson-databind#2620
systemd 219 CVE-2018-15686 CRITICAL 219-67.el7_7.4 https://access.redhat.com/security/cve/CVE-2018-15686
https://access.redhat.com/errata/RHSA-2019:2091
systemd-libs 219 CVE-2018-15686 CRITICAL 219-67.el7_7.4 https://access.redhat.com/security/cve/CVE-2018-15686
https://access.redhat.com/errata/RHSA-2019:2091

Steps to reproduce the behavior:

  1. Scan the apache/bookkeeper:4.9.2 with the help of a security scanner.

Expected behavior
The scanner should not report any vulnerabilities, that are already fixed.

Screenshots
NA

Additional context
NA

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

1 participant