docker-library/tomcat

Update Vulnerable OpenSSL: 3.0.2->3.0.7 (at least, image “tomcat:8.5-jre11-temurin”)

OlegMudryak opened this issue · 1 comments

Recently published OpenSSL vulnerabilities (CVE-2022-3786 and CVE-2022-3602):
https://www.openssl.org/news/vulnerabilities.html

We observed that the current version of the “tomcat:8.5-jre11-temurin” image uses a vulnerable OpenSSL version: 3.0.2
https://hub.docker.com/layers/tomcat/library/tomcat/8.5-jre11-temurin/images/sha256-446c8c8c66ae31a1c66867b81503eb3f2afb944a06a288b9e315a3cbb74023af

Could you please update the image using a non-vulnerable OpenSSL version (3.0.7)?

Will be fixed by docker-library/official-images#13457 (and the automatic rebuilds of dependent images that it will trigger).

So for Ubuntu Jammy, the version with the fixes is 3.0.2-0ubuntu1.7: https://ubuntu.com/security/CVE-2022-3786 https://ubuntu.com/security/CVE-2022-3602.