Address CVE-2022-40897
Hello, the latest version of the Liberty container, 23.0.0.6, contains the unaddressed High vulnerability CVE-2022-40897.
This is marked as a High vulnerability in various scanners. This prevents us from using/deploying this image within a given corporate environment. Is there an ETA for when this CVE will be addressed?
The full results of this image scan are included in the attached file below.
23.0.0.6-kernel-java17-openj9-ubiSCAN.txt
@rtclauss The scanner is incorrectly flagging the Liberty image against this CVE.
The OS of the 23.0.0.6-kernel-java17-openj9-ubi image is Red Hat Enterprise Linux 8 (RHEL/UBI), and https://dso.docker.com/cve/CVE-2022-40897 lists the following entry for RHEL 8:
| Package Name | Package Type | OS Name | OS Version | Vulnerable Range | Fixed By |
|---|---|---|---|---|---|
| redhatlinux:python-setuptools | rpm | redhatlinux | 8 | <39.2.0-6.el8_7.1 | 39.2.0-6.el8_7.1 |
The issue is fixed in 39.2.0-6.el8_7.1 or above.
Validated that the 23.0.0.6-kernel-java17-openj9-ubi image includes a fixed version by running the following command in the image:

```
rpm -qa | grep python-setuptools
platform-python-setuptools-39.2.0-7.el8.noarch
```

39.2.0-7.el8 is higher than the fixed version 39.2.0-6.el8_7.1.
The Red Hat bulletin also confirms that the fix was added to RHEL 8 (UBI) on February 21, 2023, hence it makes sense that the fix is in the Liberty image:
CVE: https://access.redhat.com/security/cve/cve-2022-40897
Fixed by: https://access.redhat.com/errata/RHSA-2023:0835
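The version comparison done by hand in the comment above, as an added example (not code from the issue or from the Liberty project): a simplified implementation of RPM's EVR ordering applied to the `rpm -qa` line quoted above, so the "installed version is at or above the advisory's fixed-by version" check can be scripted when triaging scanner findings. The `~` pre-release handling is included and `^` is deliberately not handled; both are assumptions of this example, and the sample `rpm -qa` line is constructed from the comment.

```python
import re
from typing import Tuple

# Fixed-by release quoted in the comment for RHEL 8
FIXED_BY = "39.2.0-6.el8_7.1"
# Constructed sample line, matching the `rpm -qa` output shown in the comment
SAMPLE_RPM_QA_LINE = "platform-python-setuptools-39.2.0-7.el8.noarch"

# rpm splits versions into numeric and alphabetic runs; '.' and '_' are separators
_SEG = re.compile(r"(\d+|[A-Za-z]+|~)")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1, 0 or 1 like rpm's own ordering (no '^' support)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":            # '~' sorts before anything, even end of string
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():     # numeric runs compare as integers
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():    # a numeric run beats an alphabetic run
            return 1 if x.isdigit() else -1
        elif x != y:                        # alphabetic runs compare lexically
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    longer = sa if len(sa) > len(sb) else sb
    if longer[min(len(sa), len(sb))] == "~":  # leftover '~' makes the longer one older
        return 1 if longer is sb else -1
    return 1 if longer is sa else -1        # otherwise leftover segments make it newer

def split_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release' into parts; a missing epoch means 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release

def evr_compare(a: str, b: str) -> int:
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def installed_evr(rpm_qa_line: str, package: str) -> str:
    """Extract VERSION-RELEASE from an `rpm -qa` line of the form NAME-VERSION-RELEASE.ARCH."""
    return rpm_qa_line[len(package) + 1:].rsplit(".", 1)[0]

def is_fixed(rpm_qa_line: str, package: str, fixed_by: str) -> bool:
    """True when the installed EVR is at or above the advisory's fixed-by EVR."""
    return evr_compare(installed_evr(rpm_qa_line, package), fixed_by) >= 0
```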