Update Vulnerable OpenSSL: 3.0.2->3.0.7 (at least, image “tomcat:8.5-jre11-temurin”)
OlegMudryak opened this issue · 1 comments
Recently published OpenSSL vulnerabilities (CVE-2022-3786 and CVE-2022-3602):
https://www.openssl.org/news/vulnerabilities.html
We observed that the current version of the “tomcat:8.5-jre11-temurin” image uses a vulnerable OpenSSL version: 3.0.2
https://hub.docker.com/layers/tomcat/library/tomcat/8.5-jre11-temurin/images/sha256-446c8c8c66ae31a1c66867b81503eb3f2afb944a06a288b9e315a3cbb74023af
Could you please update the image to use a non-vulnerable OpenSSL version (3.0.7)?
Will be fixed by docker-library/official-images#13457 (and the automatic rebuilds of dependent images that it will trigger).
So for Ubuntu Jammy, the version with the fixes is 3.0.2-0ubuntu1.7: https://ubuntu.com/security/CVE-2022-3786 https://ubuntu.com/security/CVE-2022-3602.