geosolutions-it/docker-geoserver

Dependencies should be updated

Closed this issue · 9 comments

We see a lot of CVEs in the image, which could be removed by updating to more current versions:

| Vulnerability | Severity | Installed version | Fixed version | Package |
|---|---|---|---|---|
| CVE-2021-23463 | CRITICAL | 1.1.119 | 2.0.202 | com.h2database:h2 |
| CVE-2021-42392 | CRITICAL | 1.1.119 | 2.0.206 | com.h2database:h2 |
| CVE-2022-23221 | CRITICAL | 1.1.119 | 2.1.210 | com.h2database:h2 |
| CVE-2022-22978 | CRITICAL | 5.1.13.RELEASE | 5.5.7, 5.6.4 | org.springframework.security:spring-security-core |
| CVE-2016-1000027 | CRITICAL | 5.2.22.RELEASE | 6.0.0 | org.springframework:spring-web |
| CVE-2022-45868 | HIGH | 1.1.119 | | com.h2database:h2 |
| CVE-2023-24998 | HIGH | 1.4 | 1.5 | commons-fileupload:commons-fileupload |
| CVE-2022-45143 | HIGH | 9.0.65 | 8.5.84, 9.0.69, 10.1.2 | org.apache.tomcat:tomcat-catalina |
| CVE-2022-42252 | HIGH | 9.0.65 | 8.5.83, 9.0.68, 10.0.27, 10.1.1 | org.apache.tomcat:tomcat-coyote |
| CVE-2021-22112 | HIGH | 5.1.13.RELEASE | 5.2.9.RELEASE, 5.3.8.RELEASE, 5.4.4 | org.springframework.security:spring-security-core |
| CVE-2021-22112 | HIGH | 5.1.13.RELEASE | 5.2.9, 5.2.9, 5.4.4, 5.4.4 | org.springframework.security:spring-security-web |
| CVE-2022-34169 | HIGH | 2.7.2 | | xalan:xalan |
| CVE-2022-22976 | MEDIUM | 5.1.13.RELEASE | 5.5.7, 5.6.4 | org.springframework.security:spring-security-core |
| GHSA-h376-j262-vhq6 | UNKNOWN | 1.1.119 | 2.0.206 | com.h2database:h2 |

@jschirrmacher Which image version are you referring to? Is this still an issue with the most recent versions, 2.22.4?

@randomorder: could you publish the most recent geoserver versions 2.23.3 and 2.24.0 via docker hub?

@hbruch
Latest tags for all branches are now available on the Hub.

@jschirrmacher
As suggested by @hbruch, can you check more recent versions and let me know how you scanned the images?

I can't remember which version I used in March, I'm sorry.

When I run `trivy image --offline-scan geosolutionsit/geoserver:latest`, I still get a lot of CVEs:

```
geosolutionsit/geoserver:latest (debian 11.4)
=============================================
Total: 1195 (UNKNOWN: 6, LOW: 791, MEDIUM: 138, HIGH: 232, CRITICAL: 28)
Java (jar)
==========
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 1)
```

Thanks @jschirrmacher, I'll have a look.
It's important to distinguish which component is affected for each one of them. For instance:

  • Java code related CVEs concerning GeoServer itself -> these should be addressed by the GeoServer project/community
  • CVEs related to the base image of GeoServer (as of today, Tomcat) -> these should be addressed by the Apache Tomcat project. As soon as a new image comes out we can rebuild the Docker images and get the patches from Tomcat
  • CVEs related to the software installed by the Dockerfile itself. Here we can evaluate and patch/update the individual packages installed during the build to patched versions of the software, where possible
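One way to sort a trivy report into the three buckets above, as an added example (not code from this issue or the repository). It assumes the field names of trivy's `--format json` report and that the image keeps Tomcat under `/usr/local/tomcat` with GeoServer deployed as the `geoserver` webapp; the sample report is constructed, with placeholder ids for the OS layer.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of a `trivy image --format json` report (assumed
# field names: Results / Class / Target / Vulnerabilities). OS-layer CVE ids are
# placeholders; the jar rows repeat entries from the table at the top of the issue.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "geosolutionsit/geoserver:latest (debian 11.4)", "Class": "os-pkgs",
     "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libplaceholder1", "Severity": "HIGH",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2"},
        {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libplaceholder2", "Severity": "LOW",
         "InstalledVersion": "2.0-1"}]},
    {"Target": "usr/local/tomcat/webapps/geoserver/WEB-INF/lib/h2-1.1.119.jar", "Class": "lang-pkgs",
     "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-23463", "PkgName": "com.h2database:h2", "Severity": "CRITICAL",
         "InstalledVersion": "1.1.119", "FixedVersion": "2.0.202"}]},
    {"Target": "usr/local/tomcat/lib/catalina.jar", "Class": "lang-pkgs",
     "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2022-45143", "PkgName": "org.apache.tomcat:tomcat-catalina",
         "Severity": "HIGH", "InstalledVersion": "9.0.65", "FixedVersion": "8.5.84, 9.0.69, 10.1.2"}]},
]})

def owner_of(result):
    """Who ships the fix (the maintainer's three buckets). Path prefixes are
    assumptions about where this image keeps GeoServer and Tomcat."""
    target = result.get("Target", "").lstrip("/")
    if result.get("Class") == "os-pkgs":
        return "base-image"   # rebuild on a newer tomcat/debian tag
    if target.startswith("usr/local/tomcat/webapps/geoserver/"):
        return "geoserver"    # upstream GeoServer project
    if target.startswith("usr/local/tomcat/"):
        return "base-image"   # Tomcat's own jars come with the base image
    return "dockerfile"       # installed by the Dockerfile: patch during the build

def triage(report_json):
    """Group findings by owner; each finding records whether a fixed version exists."""
    groups = defaultdict(list)
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            groups[owner_of(result)].append({
                "id": v["VulnerabilityID"], "pkg": v["PkgName"], "severity": v["Severity"],
                "installed": v.get("InstalledVersion"), "fixed": v.get("FixedVersion") or None})
    return dict(groups)

def summary(report_json):
    """Per owner: counts by severity and how many findings already have a fix available."""
    return {owner: {"by_severity": dict(Counter(f["severity"] for f in fs)),
                    "fixable": sum(1 for f in fs if f["fixed"]), "total": len(fs)}
            for owner, fs in triage(report_json).items()}
```

Run `summary(open("report.json").read())` on a real report to see, per bucket, how much of the CVE count a base-image rebuild would clear versus what has to wait for an upstream GeoServer release.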

Hello, I am chiming in, I am in the same team as @jschirrmacher.

I think I found the source of the problem, at least for the Tomcat and base distro. As far as I can see in the repo, the image is based on the official Tomcat image (which is great), and uses the tag `9-jdk11-openjdk`:

```dockerfile
FROM tomcat:9-jdk11-openjdk as mother
```

This is no longer a supported variant of the Tomcat image, and thus this tag was updated a year ago. This project should switch to either temurin or corretto, although I imagine that the temurin image will be a lot closer to the former openjdk image.

I have tested this approach locally and it works for our setup. I have created a simple pull request; it is straightforward.

Thank you @Morl99
Testing on the PR is ongoing. I'll merge right after.

PR merged, thank you @Morl99

My pleasure. The PR still seems to be open though; can you double check?