corretto/corretto-8-docker

Amazon Linux 2 Security Advisory: ALAS-2020-1406 stays unresolved

Closed this issue · 3 comments

Hello support team

I'm facing the following problem addressing the Amazon Linux 2 Security Advisory: ALAS-2020-1406.
I updated my Dockerfile following the Security Advisory by adding yum update openssl.

https://alas.aws.amazon.com/AL2/ALAS-2020-1406.html

Unfortunately, the image scanning keeps showing me the high-risk vulnerability. I simplified my Dockerfile to almost zero custom code.

Here is my base image Dockerfile:

# ---- Base Node ----
FROM amazoncorretto AS base
# set working directory
# Create app directory
RUN yum update kernel --assumeyes
RUN yum update libarchive --assumeyes
RUN yum update openssl --assumeyes
RUN yum update sqlite --assumeyes

Previously, I opened a technical assistance request through the AWS support system but was redirected to the AWS JDK team. They believe that the issue is with the base image itself. As the base image amazoncorretto may not have the required packages for update in the mirror list, it was unable to find the new patch for openssl. I see the CVE mentioned has been released on 2020-03-25 21:45 Pacific.

The image build is done on my local machine
Docker engine version:

Client:
Version: 17.12.0-ce
API version: 1.35
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:03:51 2017
OS/Arch: darwin/amd64

Server:
Engine:
Version: 17.12.0-ce
API version: 1.35 (minimum version 1.12)
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:12:29 2017
OS/Arch: linux/amd64
Experimental: false
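
Added example, not part of the original issue thread: a way to check inside the built image whether `yum update` actually delivered the fixed package, independent of the scanner. The function names and all version strings are assumptions; the versions are constructed placeholders, and the real "fixed in" values come from the advisory page.

```shell
#!/bin/sh
# Added example (not from the issue thread). Version strings are constructed
# placeholders; take the real "fixed in" versions from the advisory page.

# Return 0 when installed >= fixed. Uses GNU `sort -V`, which approximates RPM
# version ordering for plain version-release strings (no epoch, no '~').
pkg_is_patched() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# audit_packages REQUIRED INSTALLED
#   REQUIRED : lines of "name fixed-version" (from the advisory)
#   INSTALLED: lines of "name version-release", e.g. the output of
#     docker run --rm IMAGE rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' openssl
# Prints one verdict per required package; returns 1 if any is not confirmed patched.
audit_packages() {
    required=$1
    installed=$2
    rc=0
    while read -r name fixed; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$installed" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            # Fail closed: no data for this package means the check is inconclusive.
            echo "$name UNKNOWN (fixed in $fixed)"; rc=1
        elif pkg_is_patched "$have" "$fixed"; then
            echo "$name OK $have"
        else
            echo "$name VULNERABLE $have < $fixed"; rc=1
        fi
    done <<EOF
$required
EOF
    return $rc
}

# Constructed sample data (placeholder versions, not taken from ALAS-2020-1406).
REQUIRED='openssl 9.9.9-2.example
sqlite 3.0.0-5.example'
INSTALLED='openssl 9.9.9-1.example
sqlite 3.0.0-10.example'
audit_packages "$REQUIRED" "$INSTALLED" || echo "rebuild needed: base image or mirror lacks the fix"
```

A VULNERABLE verdict right after a successful `yum update` step points at the repository mirror or a cached image layer rather than at the Dockerfile.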

Hi @Denusdv,

Thank you for opening this GitHub issue. This repository is also owned by the AWS JDK team. I will get in touch with my manager and get back to you regarding the next steps.

Thank you,
Prashanth

Hi @Denusdv, please take a look at #26 and see if it has already addressed your issue.

Hi TianminShi, I see you have a PR to fix my issue. Thanks, I will try it once it is merged.