[FOLIO-3611] Rebuild folioci/alpine-jre-openjdk11 and folioci/alpine-jre-openjdk17 (expat CVE-2022-43680) Created: 11/Oct/22  Updated: 09/Nov/22  Resolved: 09/Nov/22

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P2
Reporter: David Crossley Assignee: David Crossley
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to FOLIO-3635 Rebuild folioci/alpine-jre-openjdk11 ... Closed
Sprint: DevOps Sprint 152
Development Team: FOLIO DevOps
RCA Group: Related dependency upgrade

Description

Rebuild folioci/alpine-jre-openjdk11 and folioci/alpine-jre-openjdk17.
These are the base Docker containers to support Java-based back-end FOLIO modules.

The container upgrade automatically upgrades expat from 2.4.9-r0 to 2.5.0-r0, fixing a use-after-free vulnerability in out-of-memory situations:
https://nvd.nist.gov/vuln/detail/CVE-2022-43680
Note that the JRE uses expat, so Java code might actually be affected.

The container upgrade automatically upgrades curl from 7.83.1-r3 to 7.83.1-r4, fixing an HTTP proxy double-free, an HSTS bypass via IDN, and a POST-following-PUT confusion:
https://nvd.nist.gov/vuln/detail/CVE-2022-42915
https://nvd.nist.gov/vuln/detail/CVE-2022-42916
https://nvd.nist.gov/vuln/detail/CVE-2022-32221
https://git.alpinelinux.org/aports/tree/main/curl/APKBUILD?h=3.16-stable

Scan results:
https://trivy.dev/results/?image=folioci/alpine-jre-openjdk11:1.3.7
https://trivy.dev/results/?image=folioci/alpine-jre-openjdk17:2.0.4

The Dockerfile already contains "apk upgrade", so no change to the Dockerfile is needed to get the fix; only a rebuild of the alpine-jre-openjdk container is needed.
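As an added shell example that is not part of this ticket, a check that a rebuilt image actually carries the fixed package versions named above: it reads an `apk info -v` style listing (name-version lines) and compares each package against its fixed Alpine 3.16 version. The listings are constructed samples, and the `libcurl` entry, the `docker run ... apk info -v` invocation and the reliance on GNU `sort -V` are assumptions.

```shell
#!/bin/sh
# Check that a rebuilt alpine-jre-openjdk image carries the fixed Alpine 3.16 package
# versions from the ticket. A real listing would come from, e.g.:
#   docker run --rm folioci/alpine-jre-openjdk11:1.3.8 apk info -v
# Both listings below are constructed samples, not captures of the real images.
OLD_APK_INFO='expat-2.4.9-r0
curl-7.83.1-r3
libcurl-7.83.1-r3'
NEW_APK_INFO='expat-2.5.0-r0
curl-7.83.1-r4
libcurl-7.83.1-r4'
# Minimum fixed versions per the ticket (expat: CVE-2022-43680; curl/libcurl:
# CVE-2022-42915, CVE-2022-42916, CVE-2022-32221; libcurl is a subpackage of the curl aport).
REQUIRED='expat 2.5.0-r0
curl 7.83.1-r4
libcurl 7.83.1-r4'
# installed_version PKG LISTING: print PKG's version from name-version lines,
# or nothing if PKG is absent. Anchored so "curl" does not match "libcurl".
installed_version() {
    printf '%s\n' "$2" | sed -n "s/^$1-\([0-9][^ ]*\)\$/\1/p" | head -n 1
}

# version_ge HAVE WANT: succeed if HAVE >= WANT. Relies on GNU `sort -V`
# (assumption: GNU coreutils), which orders "x.y.z-rN" strings as needed here.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_image_packages LISTING: report every required package; return 0 only
# when none is missing or below its fixed version.
check_image_packages() {
    rc=0
    while read -r pkg want; do
        have=$(installed_version "$pkg" "$1")
        if [ -z "$have" ]; then
            echo "MISSING  $pkg (want >= $want)"; rc=1
        elif version_ge "$have" "$want"; then
            echo "OK       $pkg $have"
        else
            echo "OUTDATED $pkg $have (want >= $want)"; rc=1
        fi
    done <<EOF
$REQUIRED
EOF
    return $rc
}
# A pre-rebuild listing fails; the rebuilt listing passes.
for listing in "$OLD_APK_INFO" "$NEW_APK_INFO"; do
    check_image_packages "$listing" && echo "result: PASS" || echo "result: FAIL"
done
```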



Comments
Comment by David Crossley [ 08/Nov/22 ]

Built on jenkins host and pushed as "alpine-jre-openjdk17:2.0.5" and "latest".
Verified that this does have the expected "expat" version.

The built "alpine-jre-openjdk11" does have the expected "expat" version, but not yet the expected "curl" version. So will build again soon.

Comment by Julian Ladisch [ 08/Nov/22 ]

David Crossley: Sorry, I've incorrectly posted curl 7.86.0-r1 as the fixed version, but 7.86.0-r1 is the curl version for Alpine edge. We use Alpine 3.16 so curl 7.83.1-r4 is the fixed curl version, this has been published on 2022-10-26. I've corrected the issue description.

Comment by David Crossley [ 08/Nov/22 ]

Ah yes, thanks, that is the version. Will deploy tomorrow.

Comment by David Crossley [ 09/Nov/22 ]

Built on jenkins host and pushed as "alpine-jre-openjdk11:1.3.8" and "latest".
Verified that this does have the expected "expat" version and "curl" version.

Comment by Julian Ladisch [ 09/Nov/22 ]

Thank you!

Generated at Thu Feb 08 23:29:24 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.