[FOLIO-3401] jenkins-slave not affected by polkit (CVE-2021-4034)

Created: 26/Jan/22 | Updated: 27/Jan/22 | Resolved: 26/Jan/22

| Status: | Closed |
| Project: | FOLIO |
| Components: | Continuous Integration |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug |
| Priority: | TBD |
| Reporter: | Julian Ladisch |
| Assignee: | David Crossley |
| Resolution: | Cannot Reproduce |
| Votes: | 0 |
| Labels: | security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | DevOps sprint 132 |
| Development Team: | FOLIO DevOps |
| RCA Group: | TBD |

Description
jenkins-slave = https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.focal-java-11

This image is based on Ubuntu Focal, which is vulnerable to local privilege escalation in polkit's pkexec. Focal with a fix has been released: https://ubuntu.com/security/CVE-2021-4034

However, the container that FOLIO uses doesn't install the polkit package (policykit-1). Running `cd /; find -name 'pkexec'` in the container doesn't find the vulnerable binary. Therefore jenkins-slave is not affected.
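The check described above, generalised into a reusable script, as an added example (not part of the FOLIO ticket or the folio-tools repository): it searches a filesystem tree for a pkexec binary, reports whether it is setuid, and, when the tree carries a dpkg database, prints the installed policykit-1 version so it can be compared against the fixed version on the Ubuntu CVE page. The tree root argument (`/` inside a running container, or a mount point of an exported image) is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the FOLIO ticket. Reports whether a filesystem tree
# contains pkexec, the binary CVE-2021-4034 needs in order to be exploitable.
# Usage: check_pkexec [ROOT]   (ROOT defaults to /)
# Returns 0 when no pkexec exists under ROOT, 1 when at least one is found.

check_pkexec() {
    root="${1:-/}"

    # Same search as the ticket's `find -name 'pkexec'`, restricted to regular
    # files and to the filesystem the root lives on.
    found=$(find "$root" -xdev -type f -name pkexec 2>/dev/null)

    if [ -z "$found" ]; then
        echo "no pkexec under $root (policykit-1 not installed)"
        return 0
    fi

    echo "pkexec present under $root:"
    for f in $found; do
        # pkexec is only a privilege-escalation vector when it is setuid.
        if [ -u "$f" ]; then
            echo "  $f (setuid)"
        else
            echo "  $f (not setuid)"
        fi
    done

    # If the tree carries a dpkg database, report the installed policykit-1
    # version for comparison with the fixed version on the Ubuntu CVE page.
    admindir="$root/var/lib/dpkg"
    if [ -d "$admindir" ] && command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query --admindir="$admindir" -W -f='  policykit-1 ${Version}\n' \
            policykit-1 2>/dev/null || echo "  policykit-1 not registered in dpkg"
    fi
    return 1
}

# Stand-alone invocation: check the root of the current container/host.
check_pkexec "${1:-/}"
```

Run it as `sh check_pkexec.sh /` inside the jenkins-slave container to reproduce the ticket's finding, or point it at a mounted copy of an image's root filesystem to audit images without starting them.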