AdoptOpenJDK/openjdk-docker

CVE-2021-28831

karianna opened this issue · 5 comments

Recently it was reported to us that the following vulnerabilities are captured in the latest Alpine OpenJDK image adoptopenjdk/openjdk8:jdk8u282-b08-alpine

| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---------|------------------|----------|-------------------|---------------|-------|
| busybox | CVE-2021-28831 | HIGH | 1.31.1-r19 | 1.31.1-r20 | busybox: invalid free or segmentation fault via malformed gzip data (avd.aquasec.com/nvd/cve-2021-28831) |

This seems to be fixed in the alpine release[1].
Would it be possible to release a new adoptopenjdk image with the updated alpine version with this vulnerability fixed?

[1] https://alpinelinux.org/posts/Alpine-3.10.8-3.11.10-3.12.6-released.html

sxa commented

@karianna Are you able to fix the markdown for that table?

Since Adopt builds off floating 3.12 tags it should be pulled in on next image rebuild.

What is confusing (and what I came here to raise a ticket on) was that some tags have been updated, while multi-arch tags have not?

Updated: adoptopenjdk/openjdk11:x86_64-alpine-jre-11.0.10_9 (using Alpine 3.12.6)
Not Updated: adoptopenjdk/openjdk11:jre-11.0.10_9-alpine (still using Alpine 3.12.5)

These normally point to the same hashes, but I am not intricately familiar with the AdoptOpenJDK process - this is just inference on my side :-)

Looks like similar weirdness on JDK8 tags mentioned in this ticket.

$ docker run adoptopenjdk/openjdk8:x86_64-alpine-jre8u282-b08 cat /etc/alpine-release
3.12.6

$ docker run adoptopenjdk/openjdk8:jdk8u282-b08-alpine cat /etc/alpine-release
3.12.5

Temporary workaround seems to be to switch tags to the arch-specific one.

> Updated: adoptopenjdk/openjdk11:x86_64-alpine-jre-11.0.10_9 (using Alpine 3.12.6)
> Not Updated: adoptopenjdk/openjdk11:jre-11.0.10_9-alpine (still using Alpine 3.12.5)

This should be fixed by #541

Thanks @dinogun - that makes sense. Looking forward to the next daily build after that PR is merged. That should resolve this ticket for whoever raised it by making the patched image available on the other tags/aliases.

This is now fixed

$ docker run --rm -it adoptopenjdk/openjdk8:jdk8u282-b08-alpine apk info busybox
WARNING: Ignoring APKINDEX.2c4ac24e.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.40a3604f.tar.gz: No such file or directory
busybox-1.31.1-r20 description:
Size optimized toolbox of many common UNIX utilities

busybox-1.31.1-r20 webpage:
https://busybox.net/

busybox-1.31.1-r20 installed size:
962560
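The checks in this thread were typed by hand, one tag at a time, which is how the multi-arch aliases slipped through. The script below is an added example, not code from the AdoptOpenJDK project: it runs each tag once, reports the Alpine release, the installed busybox version and the image ID (so aliases that are supposed to resolve to the same image can be compared), and exits non-zero when any tag still ships busybox below the fixed version from the scanner report (1.31.1-r20). It assumes `docker` is on PATH and that the images contain `apk`, which the Alpine variants do; the version comparison and the `apk info` parser are plain shell functions that can be exercised without pulling any image.

```shell
#!/bin/sh
# Added example (not AdoptOpenJDK project code): verify, for a list of image
# tags, which Alpine release each one ships and whether its busybox package is
# at or above the fixed version named in the scanner report. Assumes `docker`
# is on PATH and that the images contain `apk` (true for the Alpine variants).

FIXED_BUSYBOX="1.31.1-r20"   # "FIXED VERSION" column of the report in this issue

# apk_ver_lt A B: succeed (exit 0) when Alpine package version A sorts before B.
# Versions such as "1.31.1-r19" are split on "." and "-r" and compared
# component by component as integers; a missing component counts as 0.
apk_ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/-r/, ".", a); gsub(/-r/, ".", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            xb = (i <= nb) ? y[i] + 0 : 0
            if (xa < xb) exit 0
            if (xa > xb) exit 1
        }
        exit 1   # equal is not "less than"
    }'
}

# busybox_version_from_apk_info: read `apk info busybox` output on stdin and
# print the version from its "busybox-<version> description:" header line.
busybox_version_from_apk_info() {
    sed -n 's/^busybox-\([0-9][^ ]*\) description:.*/\1/p' | head -n 1
}

# check_image TAG: run the image once, report its Alpine release, busybox
# version and image ID (aliases that should be identical must share an ID),
# and return 1 when busybox is still below $FIXED_BUSYBOX.
check_image() {
    tag="$1"
    out=$(docker run --rm "$tag" sh -c 'cat /etc/alpine-release; apk info busybox' 2>/dev/null) \
        || { printf '%s: docker run failed\n' "$tag"; return 2; }
    release=$(printf '%s\n' "$out" | head -n 1)
    ver=$(printf '%s\n' "$out" | busybox_version_from_apk_info)
    id=$(docker image inspect --format '{{.Id}}' "$tag" 2>/dev/null)
    if [ -z "$ver" ]; then
        status="busybox version not found in apk info output"; rc=2
    elif apk_ver_lt "$ver" "$FIXED_BUSYBOX"; then
        status="VULNERABLE (needs >= $FIXED_BUSYBOX)"; rc=1
    else
        status="ok"; rc=0
    fi
    printf '%s\n  alpine=%s busybox=%s id=%s %s\n' "$tag" "$release" "$ver" "$id" "$status"
    return $rc
}

# Usage: sh check_busybox.sh --scan TAG [TAG...]
# e.g.   sh check_busybox.sh --scan adoptopenjdk/openjdk8:jdk8u282-b08-alpine \
#            adoptopenjdk/openjdk8:x86_64-alpine-jre8u282-b08
if [ "${1:-}" = "--scan" ]; then
    shift
    failed=0
    for tag in "$@"; do
        check_image "$tag" || failed=1
    done
    exit "$failed"
fi
```

Run it with every alias you publish for a release (the multi-arch tag and each arch-specific tag) and compare the `id=` values: two aliases that print different IDs are pointing at different images, which is exactly the situation reported above with Alpine 3.12.5 versus 3.12.6.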