
CVE November 2024 #4933

Closed
wants to merge 16 commits into from
Closed


Conversation

jaredb96
Contributor

No description provided.

case cmd@Cmd("FROM",_) => List(cmd, Cmd("RUN", "apk update"),
case cmd@Cmd("FROM",_) => List(cmd, Cmd("RUN", "apk add --no-cache openssl"),
Cmd("RUN", "apk update"),
Cmd("RUN", "apk upgrade"),
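Review bot: `apk update` and `apk upgrade` as separate RUN commands leave the package index fetched by `apk update` baked into its own layer; a single `Cmd("RUN", "apk --no-cache upgrade")` performs the same upgrade without storing the index. Since nothing here is pinned, which patched libssl3/libcrypto3/libexpat builds land depends on when the image is built, so the grype output of a fresh build (as posted further down) is what to check after each rebuild, not the Dockerfile itself.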
Contributor Author

Resolves CVE-2024-5535, CVE-2024-45492, and CVE-2024-45491 - all critical CVEs

Contributor Author

This actually resolves the majority of the critical / high CVEs:

CVE-2024-5535 (libcrypto3, libssl3)
CVE-2024-45492, CVE-2024-45491 (libexpat)
CVE-2024-6119 (libcrypto3, libssl3)
CVE-2024-4603 (libcrypto3, libssl3)
CVE-2024-4741, CVE-2024-2511 (libcrypto3, libssl3)

Current CVEs:

NAME                INSTALLED       FIXED-IN                                              TYPE          VULNERABILITY        SEVERITY 
apache-mime4j-core  0.8.9           0.8.10                                                java-archive  GHSA-jw7r-rxff-gv24  Medium    
guava               31.0.1-android  32.0.0-android                                        java-archive  GHSA-7g45-4rm6-3mm3  Medium    
guava               31.0.1-android  32.0.0-android                                        java-archive  GHSA-5mg8-w23w-74h3  Low       
keycloak-core       25.0.3          25.0.4                                                java-archive  GHSA-xmmm-jw76-q7vg  Medium    
netty-common        4.1.94.Final    4.1.115                                               java-archive  GHSA-xq3w-v528-46rv  High      
openjdk             21.0.2+13-LTS   1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422  binary        CVE-2024-21147       High      
openjdk             21.0.2+13-LTS   1.8.0_432, 11.0.25, 17.0.13, 21.0.5, 23.0.1, 8.0.432  binary        CVE-2024-21235       Medium    
openjdk             21.0.2+13-LTS   1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422  binary        CVE-2024-21145       Medium    
openjdk             21.0.2+13-LTS   1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422  binary        CVE-2024-21140       Medium    
openjdk             21.0.2+13-LTS   1.8.0_432, 11.0.25, 17.0.13, 21.0.5, 23.0.1, 8.0.432  binary        CVE-2024-21217       Low       
openjdk             21.0.2+13-LTS   1.8.0_432, 11.0.25, 17.0.13, 21.0.5, 23.0.1, 8.0.432  binary        CVE-2024-21210       Low       
openjdk             21.0.2+13-LTS   1.8.0_432, 11.0.25, 17.0.13, 21.0.5, 23.0.1, 8.0.432  binary        CVE-2024-21208       Low       
openjdk             21.0.2+13-LTS   1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422  binary        CVE-2024-21138       Low       
openjdk             21.0.2+13-LTS   1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422  binary        CVE-2024-21131       Low       
openjdk             21.0.2+13-LTS   1.8.0_412, 11.0.23, 17.0.11, 21.0.3, 22.0.1, 8.0.412  binary        CVE-2024-21094       Low       
openjdk             21.0.2+13-LTS   1.8.0_412, 11.0.23, 17.0.11, 21.0.3, 22.0.1, 8.0.412  binary        CVE-2024-21068       Low       
openjdk             21.0.2+13-LTS   11.0.23, 17.0.11, 21.0.3, 22.0.1                      binary        CVE-2024-21012       Low       
openjdk             21.0.2+13-LTS   1.8.0_412, 11.0.23, 17.0.11, 21.0.3, 22.0.1, 8.0.412  binary        CVE-2024-21011       Low       
zookeeper           3.8.3           3.8.4                                                 java-archive  GHSA-r978-9m6m-6gm6  Medium

Contributor

Hi @jaredb96; would it be worth upgrading the base image at this point? Looks like eclipse-temurin:23.0.1_11-jdk-alpine resolves all the critical CVEs (and it also seems to run an "apk update" internally). We could of course try going back a bit farther if we don't want an image pushed yesterday...

build.sbt Outdated
@@ -67,7 +67,7 @@ lazy val dockerSettings = Seq(
dockerBaseImage := "eclipse-temurin:21.0.2_13-jdk-alpine",
dockerRepository := Some("hmda"),
dockerCommands := dockerCommands.value.flatMap {
case cmd@Cmd("FROM",_) => List(cmd, Cmd("RUN", "apk add --no-cache openssl"),
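Review bot: `apk add --no-cache openssl` after the FROM line cannot fix the openjdk rows in the grype table above (installed 21.0.2+13-LTS, fixed in 21.0.4 / 21.0.5), because the JDK comes from the base image tag `eclipse-temurin:21.0.2_13-jdk-alpine` and not from apk; bumping `dockerBaseImage` to a 21.0.5 tag such as the `eclipse-temurin:21.0.5_11-jdk-alpine` mentioned in this thread is what clears those rows, and with the base image current the extra openssl line adds nothing beyond the `apk upgrade` already in the command list.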
Contributor Author

Removed here since it isn't necessary; the upgrade resolves this CVE, although we could use this base image as well: eclipse-temurin:21.0.5_11-jdk-alpine

@jaredb96 jaredb96 marked this pull request as ready for review November 29, 2024 14:56
@jaredb96 jaredb96 marked this pull request as draft November 29, 2024 14:57
@jaredb96 jaredb96 marked this pull request as ready for review November 29, 2024 15:47
Contributor Author

@@ -834,4 +834,14 @@ libraryDependencies ++= Seq(
"io.netty" % "netty-common" % "4.1.94.Final" exclude ("io.netty", "netty-common"),
"io.netty" % "netty-transport-native-unix-common" % "4.1.94.Final" exclude ("io.netty", "netty-common"),
"io.netty" % "netty-common" % "4.1.115.Final"
)

libraryDependencies ++= Seq(
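Review bot: this hunk pins `netty-common` at 4.1.115.Final while the other `io.netty` artifacts (e.g. `netty-transport-native-unix-common`) stay at 4.1.94.Final, and the line `"io.netty" % "netty-common" % "4.1.94.Final" exclude ("io.netty", "netty-common")` still declares the old version while excluding an artifact from itself, which does nothing. Netty modules are released in lockstep and every module links against `netty-common`, so mixing 4.1.115 with 4.1.94 jars risks `NoSuchMethodError`-style failures at runtime; bumping the whole netty family to 4.1.115.Final (or forcing it for all `io.netty` artifacts via `dependencyOverrides`) is the safer way to close GHSA-xq3w-v528-46rv.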
Contributor Author

Resolves keycloak CVE - (GHSA-93ww-43rr-79v3)

@@ -33,7 +33,7 @@ object Version {
val lettuce = "6.2.4.RELEASE"
val java8Compat = "1.0.2"
val scalaMock = "4.3.0"
val guava = "33.0.0-jre"
val guava = "32.0.0-android"
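Review bot: this line moves `guava` from 33.0.0-jre to 32.0.0-android, which is a downgrade and a flavor change at once; the `-android` build targets Android's class library and the two flavors are not interchangeable for a JVM server build (see https://github.com/google/guava as raised in this thread). The grype finding is against a transitive 31.0.1-android copy, so the fix is a later `-jre` release declared directly (33.3.1-jre was suggested) so that it evicts the transitive one, not a switch of the project's own pin to the android flavor.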
Contributor

There aren't any concerns switching between the JRE and Android versions of this library?

Contributor

Hey @jaredb96 , checking https://github.com/google/guava and it does seem like the "-jre" version is intended for JRE-based builds. Looks like guava is up to v33.3.1. What does grype say if you put in 33.3.1-jre?

Contributor

OK, looks like scala itself was bringing in the android dep! That's weird... This removes the guava problem from the grype output.

-      libraryDependencies += zeroAllocationHashing,
+      libraryDependencies ++= List("com.google.guava" % "guava" % "33.3.1-jre", zeroAllocationHashing),
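Review bot: declaring `"com.google.guava" % "guava" % "33.3.1-jre"` as a direct dependency works because sbt's eviction keeps the highest version for the same `com.google.guava:guava` coordinates, so the transitive 31.0.1-android copy is evicted; a `dependencyOverrides` entry would state that intent explicitly and keep holding if a future transitive dependency asks for a higher `-android` build. A one-line comment next to this pin saying it exists for GHSA-7g45-4rm6-3mm3 / GHSA-5mg8-w23w-74h3 would keep the next dependency cleanup from dropping it.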

@PatrickGoRaft
Contributor

Changes copied into #4944
