[FOLIO-3401] jenkins-slave not affected by polkit (CVE-2021-4034) Created: 26/Jan/22  Updated: 27/Jan/22  Resolved: 26/Jan/22

Status: Closed
Project: FOLIO
Components: Continuous Integration
Affects versions: None
Fix versions: None

Type: Bug Priority: TBD
Reporter: Julian Ladisch Assignee: David Crossley
Resolution: Cannot Reproduce Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to FOLIO-3402 folioci/alpine-jre-openjdk11 not affe... Closed
Sprint: DevOps sprint 132
Development Team: FOLIO DevOps
RCA Group: TBD

Description

jenkins-slave = https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.focal-java-11

This is based on Ubuntu Focal, which is vulnerable to Local Privilege Escalation in polkit's pkexec. A fixed Focal package has been released: https://ubuntu.com/security/CVE-2021-4034

However, the container that FOLIO uses doesn't install the polkit package (policykit-1). Running cd /; find -name 'pkexec' doesn't find the vulnerable binary.

Therefore jenkins-slave is not affected.
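The check described in the description, as an added example that is not part of the ticket or of the folio-tools repository: a small POSIX shell script that looks for a pkexec binary under a root filesystem (the running container's / by default, or an exported rootfs passed as the first argument), reports whether it carries the setuid bit that CVE-2021-4034 depends on, and, on Debian/Ubuntu images, prints the installed policykit-1 version so it can be compared against the Ubuntu advisory linked above. The function names and the "affected-candidate"/"not-affected" verdict strings are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the FOLIO ticket): audit a root filesystem for the
# polkit pkexec binary. Run inside the image (e.g. from a shell in the
# container) with no argument, or point it at a mounted rootfs: check_root /mnt/rootfs

# List every regular file named pkexec under $1 (default /).
# Returns 0 if at least one exists, 1 otherwise.
find_pkexec() {
    root="${1:-/}"
    hits=$(find "$root" -name pkexec -type f 2>/dev/null)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | while IFS= read -r f; do
        # pkexec is only a privilege-escalation vector when it is setuid root,
        # so report the bit explicitly.
        if [ -u "$f" ]; then
            echo "FOUND setuid: $f"
        else
            echo "FOUND (no setuid): $f"
        fi
    done
    return 0
}

# Print the policykit-1 package status and version on dpkg-based images
# (Debian/Ubuntu); the version is what has to be compared with the advisory.
polkit_pkg_status() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Status} ${Version}\n' policykit-1 2>/dev/null \
            || echo "policykit-1 not installed"
    else
        echo "dpkg not available; skipping package check"
    fi
}

# Overall verdict for a root filesystem. Returns 1 (and prints
# "affected-candidate") when a pkexec binary is present, 0 ("not-affected")
# when none exists, matching the reasoning in the ticket.
check_root() {
    root="${1:-/}"
    if find_pkexec "$root" >/dev/null; then
        echo "affected-candidate: pkexec present under $root, compare its package version against https://ubuntu.com/security/CVE-2021-4034"
        return 1
    fi
    echo "not-affected: no pkexec binary under $root"
    return 0
}
```

A missing pkexec is what makes the image "not affected"; when the binary is present the script deliberately stops at "affected-candidate" rather than deciding itself, because whether the installed policykit-1 version contains the fix is the package-version question the Ubuntu advisory answers.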


Generated at Thu Feb 08 23:27:50 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.