tomcat:9-jdk8-openjdk-slim: CVE-2019-14379
kwaazaar opened this issue · 2 comments
kwaazaar commented
My image scanning software (Twistlock) is complaining about a critical issue in the latest
tomcat:9-jdk8-openjdk-slim: CVE-2019-14379
What can I do about it? Should I whitelist it or can it be (manually) fixed?
wglambert commented
https://security-tracker.debian.org/tracker/CVE-2019-14379
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.
Doesn't look like the jackson-databind package/libraries are in the image
$ docker run -it --rm tomcat:9-jdk8-openjdk-slim bash
root@58c2d15d21cb:/usr/local/tomcat# find / | grep -i jackson
root@58c2d15d21cb:/usr/local/tomcat#
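The `find / | grep -i jackson` check above answers the question for the base image; for a derived image that does bundle application jars, the same check has to decide whether the bundled jackson-databind is below the fixed 2.9.9.2. The script below is an added example, not code from this thread or the docker-library project: it walks a directory tree (assumed to be an exported image rootfs, e.g. from `docker export`), assumes jars follow the Maven `jackson-databind-<version>.jar` naming, and lists every copy older than the fix version.

```shell
#!/bin/sh
# Added example: locate jackson-databind jars in an exported image rootfs and
# flag any whose version is below the CVE-2019-14379 fix release (2.9.9.2).
# Assumption: jar files use the Maven name jackson-databind-<version>.jar.

FIXED_VERSION="2.9.9.2"

# Return 0 when dotted version $1 is strictly lower than $2.
# Missing components count as 0, so 2.9.9 < 2.9.9.2 and 2.10.0 > 2.9.9.2.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Print "<version> <path>" for each vulnerable jackson-databind jar under $1.
# Pre-release suffixes such as "-rc1" are stripped before comparing.
find_vulnerable_jackson() {
    root="$1"
    find "$root" -type f -name 'jackson-databind-*.jar' | while IFS= read -r jar; do
        name=${jar##*/}
        ver=${name#jackson-databind-}
        ver=${ver%.jar}
        ver=${ver%%-*}
        if version_lt "$ver" "$FIXED_VERSION"; then
            printf '%s %s\n' "$ver" "$jar"
        fi
    done
}

# Usage: find_vulnerable_jackson /path/to/exported-rootfs
```

An empty result matches what the maintainer saw in the base image; a derived image that adds WAR files or extra libs is where a hit would appear.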
kwaazaar commented
Sorry, you are correct. It only finds a medium issue (CVE-2017-10140) now. I was scanning a derived image which seemed not to add any harmful stuff, but it obviously did.