[FOLIO-3366] Rebuild/upgrade folio-java-docker folioci/alpine-jre-openjdk11 Created: 14/Dec/21  Updated: 23/Dec/21  Resolved: 23/Dec/21

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P3
Reporter: David Crossley Assignee: David Crossley
Resolution: Done Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to FOLIO-3246 Rebuild (= upgrade) folioci/alpine-jr... Closed
Sprint: DevOps Sprint 130, DevOps Sprint 129
Development Team: FOLIO DevOps

 Description   

Rebuild and deploy a new version of https://github.com/folio-org/folio-tools/tree/master/folio-java-docker/openjdk11 to upgrade the versions used in the folioci/alpine-jre-openjdk11 Docker image. No changes are needed in the Dockerfile.

This upgrades Alpine from 3.14 to 3.15.



 Comments   
Comment by Craig McNally [ 16/Dec/21 ]

The security team has reviewed this and feel that while it's not urgent, it would be nice to have this done soon.

Comment by Julian Ladisch [ 21/Dec/21 ]

Issues in folioci/alpine-jre-openjdk11:1.1.0 that the upgrade will remove:

NAME                    INSTALLED      FIXED-IN       VULNERABILITY   SEVERITY 
busybox                 1.33.1-r3      1.33.1-r4      CVE-2021-42374  Medium    
busybox                 1.33.1-r3      1.33.1-r5      CVE-2021-42375  Medium    
busybox                 1.33.1-r3      1.33.1-r6      CVE-2021-42378  High      
busybox                 1.33.1-r3      1.33.1-r6      CVE-2021-42379  High      
busybox                 1.33.1-r3      1.33.1-r6      CVE-2021-42380  High      
busybox                 1.33.1-r3      1.33.1-r6      CVE-2021-42381  High      
busybox                 1.33.1-r3      1.33.1-r6      CVE-2021-42382  High      
busybox                 1.33.1-r3      1.33.1-r6      CVE-2021-42383  High      
busybox                 1.33.1-r3      1.33.1-r6      CVE-2021-42384  High      
busybox                 1.33.1-r3      1.33.1-r6      CVE-2021-42385  High      
busybox                 1.33.1-r3      1.33.1-r6      CVE-2021-42386  High      
curl                    7.78.0-r0      7.79.0-r0      CVE-2021-22945  Critical  
curl                    7.78.0-r0      7.79.0-r0      CVE-2021-22946  High      
curl                    7.78.0-r0      7.79.0-r0      CVE-2021-22947  Medium    
libcrypto1.1            1.1.1k-r0      1.1.1l-r0      CVE-2021-3711   Critical  
libcrypto1.1            1.1.1k-r0      1.1.1l-r0      CVE-2021-3712   High      
libcurl                 7.78.0-r0      7.79.0-r0      CVE-2021-22945  Critical  
libcurl                 7.78.0-r0      7.79.0-r0      CVE-2021-22946  High      
libcurl                 7.78.0-r0      7.79.0-r0      CVE-2021-22947  Medium    
libssl1.1               1.1.1k-r0      1.1.1l-r0      CVE-2021-3711   Critical  
libssl1.1               1.1.1k-r0      1.1.1l-r0      CVE-2021-3712   High      
openjdk11-jre-headless  11.0.11_p9-r0  11.0.12_p7-r0  CVE-2021-2341   Low       
openjdk11-jre-headless  11.0.11_p9-r0  11.0.12_p7-r0  CVE-2021-2369   Medium    
openjdk11-jre-headless  11.0.11_p9-r0  11.0.12_p7-r0  CVE-2021-2388   High      
ssl_client              1.33.1-r3      1.33.1-r4      CVE-2021-42374  Medium

The issues are hard to exploit in FOLIO modules, though.

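The table above says which findings the rebuild is expected to close. The script below, an added example that is not part of this issue or of the folio-tools repository, checks that claim against the rebuilt image: it parses a grype-style NAME / INSTALLED / FIXED-IN / VULNERABILITY / SEVERITY table (a subset of the one quoted above is embedded), parses `apk list -I` output from the new image, and reports every finding whose installed version is still below FIXED-IN. It assumes a simplified apk version ordering (dotted numbers, optional trailing letter, `_alpha`/`_beta`/`_pre`/`_rc`/`_p` suffix, `-rN` release), and the embedded `apk list -I` sample is constructed for illustration, not the real package list of 1.2.0.

```python
"""Confirm which scanner findings an image rebuild actually closes.

Added example, not code from the FOLIO project. Compares the FIXED-IN
column of a grype-style scan table against the package versions of the
rebuilt image and lists the findings that remain open.
"""
import re

# Subset of the scanner table quoted in the issue comment.
SCAN_TABLE = """\
NAME                    INSTALLED      FIXED-IN       VULNERABILITY   SEVERITY
busybox                 1.33.1-r3      1.33.1-r4      CVE-2021-42374  Medium
busybox                 1.33.1-r3      1.33.1-r6      CVE-2021-42378  High
curl                    7.78.0-r0      7.79.0-r0      CVE-2021-22945  Critical
libcrypto1.1            1.1.1k-r0      1.1.1l-r0      CVE-2021-3711   Critical
libssl1.1               1.1.1k-r0      1.1.1l-r0      CVE-2021-3712   High
openjdk11-jre-headless  11.0.11_p9-r0  11.0.12_p7-r0  CVE-2021-2388   High
ssl_client              1.33.1-r3      1.33.1-r4      CVE-2021-42374  Medium
"""

# Constructed sample of `apk list -I` output for a rebuilt image. These
# versions are illustrative only, not the real package list of 1.2.0.
APK_LIST_AFTER_REBUILD = """\
busybox-1.34.1-r3 x86_64 {busybox} (GPL-2.0-only) [installed]
ssl_client-1.34.1-r3 x86_64 {busybox} (GPL-2.0-only) [installed]
curl-7.80.0-r0 x86_64 {curl} (MIT) [installed]
libcrypto1.1-1.1.1l-r0 x86_64 {openssl} (OpenSSL) [installed]
libssl1.1-1.1.1l-r0 x86_64 {openssl} (OpenSSL) [installed]
openjdk11-jre-headless-11.0.13_p8-r0 x86_64 {openjdk11} (GPL-2.0-with-classpath-exception) [installed]
"""

# Simplified apk version grammar: 1.33.1, 1.1.1k, 11.0.11_p9, each optionally -rN.
_VERSION_RE = re.compile(
    r"(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<snum>\d*))?"
    r"(?:-r(?P<rel>\d+))?"
)
# Pre-release suffixes sort below a bare version; _p (patch) sorts above it.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}

# `apk list -I` prints "<name>-<version> <arch> ..."; the version starts at the
# first "-" followed by a digit, so hyphenated package names parse correctly.
_APK_LIST_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d\S*)(?=\s|$)")


def parse_version(text):
    """Turn an apk version string into a tuple that orders like apk does."""
    m = _VERSION_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"unrecognised apk version: {text!r}")
    nums = tuple(int(part) for part in m.group("nums").split("."))
    return (nums, m.group("letter") or "", _SUFFIX_RANK[m.group("suffix")],
            int(m.group("snum") or 0), int(m.group("rel") or 0))


def is_fixed(installed, fixed_in):
    """True when the installed version is at or above the FIXED-IN version."""
    return parse_version(installed) >= parse_version(fixed_in)


def parse_scan_table(text):
    """Rows of a grype-style table as dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "NAME":
            continue
        name, installed, fixed_in, cve, severity = parts
        rows.append({"name": name, "installed": installed,
                     "fixed_in": fixed_in, "cve": cve, "severity": severity})
    return rows


def parse_apk_list(text):
    """Map package name -> version from `apk list -I` output."""
    packages = {}
    for line in text.splitlines():
        m = _APK_LIST_RE.match(line)
        if m:
            packages[m.group("name")] = m.group("version")
    return packages


def remaining_findings(scan_text, installed_pkgs):
    """Findings the rebuilt image still carries, as (name, version, cve, severity).

    A package absent from the rebuilt image is treated as removed, so its
    findings no longer apply; make sure the package list really is complete.
    """
    still_open = []
    for row in parse_scan_table(scan_text):
        version = installed_pkgs.get(row["name"])
        if version is not None and not is_fixed(version, row["fixed_in"]):
            still_open.append((row["name"], version, row["cve"], row["severity"]))
    return still_open


if __name__ == "__main__":
    for finding in remaining_findings(SCAN_TABLE, parse_apk_list(APK_LIST_AFTER_REBUILD)):
        print("still open:", *finding)
```

To run it against the real image, replace the constructed sample with the output of `docker run --rm folioci/alpine-jre-openjdk11:1.2.0 apk list -I`. The comparison only confirms that the rebuild moved every package past the version the scanner's database named as fixed; the scanner's own verdict comes from rescanning the pushed image, so do that as well before closing the ticket.
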
Comment by David Crossley [ 21/Dec/21 ]

Moving to Alpine 3.15 will bring Node.js 16 and PostgreSQL 14.

Julian Ladisch I gather that that is okay, as the purpose of this Docker image is to provide Java. Is that okay?

Comment by Julian Ladisch [ 22/Dec/21 ]

Yes, it is okay.

The image neither uses node nor postgres: https://github.com/folio-org/folio-tools/blob/master/folio-java-docker/openjdk11/Dockerfile

Comment by David Crossley [ 23/Dec/21 ]

Built and pushed as "1.2.0" and "latest".

Generated at Thu Feb 08 23:27:34 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.