[Security] CVE vulnerabilities of docker image nacos:v2.2.2-slim #10538
Comments
I don't get the problem. Do you mean the docker image depends on some libs which have security problems?
You are right, seems it is the base image problem.
So we need to upgrade the OS version to fix them.
Yes, investigating the base image problems, I found we need to upgrade to a newer version of the JRE/JDK base image to solve these CVEs; seems that is a big project.
Why not simply replace the base image with eclipse-temurin-jre or another openjdk8?
Seems adoptopenjdk/openjdk8:jre8u372-b07 solved all problems. I only checked the official images and found no perfect image for Java 8; if you have a better choice, a PR is welcome.
Describe the bug
CVEs
nacos-server:v2.2.2-slim (debian 11.4)
Total: 4 (CRITICAL: 4)
┌──────────────┬────────────────┬──────────┬─────────────────────────┬─────────────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼─────────────────────────┼─────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libpcre2-8-0 │ CVE-2022-1586 │ CRITICAL │ 10.36-2 │ 10.36-2+deb11u1 │ pcre2: Out-of-bounds read in compile_xclass_matchingpath in │
│ │ │ │ │ │ pcre2_jit_compile.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1586 │
│ ├────────────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-1587 │ │ │ │ pcre2: Out-of-bounds read in get_recurse_data_length in │
│ │ │ │ │ │ pcre2_jit_compile.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1587 │
├──────────────┼────────────────┤ ├─────────────────────────┼─────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libtasn1-6 │ CVE-2021-46848 │ │ 4.16.0-2 │ 4.16.0-2+deb11u1 │ libtasn1: Out-of-bound access in ETYPE_OK │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-46848 │
├──────────────┼────────────────┤ ├─────────────────────────┼─────────────────────────┼─────────────────────────────────────────────────────────────┤
│ zlib1g │ CVE-2022-37434 │ │ 1:1.2.11.dfsg-2+deb11u1 │ 1:1.2.11.dfsg-2+deb11u2 │ heap-based buffer over-read and overflow in inflate() in │
│ │ │ │ │ │ inflate.c via a large... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │
└──────────────┴────────────────┴──────────┴─────────────────────────┴─────────────────────────┴─────────────────────────────────────────────────────────────┘
Expected behavior
Need to be fixed.
Actual behavior
Not fixed now.
How to Reproduce
Upgrade components
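The table above has the layout of a Trivy image scan, and the thread's conclusion is that every finding is an OS package for which Debian already ships a fixed version, so a base-image bump resolves them. The following is an added example (not code from the Nacos project or the issue) that triages a Trivy JSON report the same way: it assumes Trivy's JSON report layout (Results / Class / Vulnerabilities / FixedVersion) and uses a constructed sample mirroring the four findings in the table.

```python
"""Triage a Trivy JSON report as in the nacos:v2.2.2-slim thread: list the
OS-package findings that already have a fixed Debian version (solved by a
base-image bump or apt upgrade) separately from those without a fix."""
import json

# Constructed sample in Trivy's JSON report layout, mirroring the four
# CRITICAL findings from the issue's table (titles omitted).
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "nacos-server:v2.2.2-slim (debian 11.4)",
    "Class": "os-pkgs", "Type": "debian",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2022-1586", "PkgName": "libpcre2-8-0",
         "InstalledVersion": "10.36-2", "FixedVersion": "10.36-2+deb11u1",
         "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2022-1587", "PkgName": "libpcre2-8-0",
         "InstalledVersion": "10.36-2", "FixedVersion": "10.36-2+deb11u1",
         "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2021-46848", "PkgName": "libtasn1-6",
         "InstalledVersion": "4.16.0-2", "FixedVersion": "4.16.0-2+deb11u1",
         "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2022-37434", "PkgName": "zlib1g",
         "InstalledVersion": "1:1.2.11.dfsg-2+deb11u1",
         "FixedVersion": "1:1.2.11.dfsg-2+deb11u2", "Severity": "CRITICAL"},
    ]}]})

def triage(report_json, gate=("CRITICAL", "HIGH")):
    """Return (fixable, unfixed): fixable maps package -> {"fix": version,
    "cves": [...]} for gated OS-package findings with a FixedVersion;
    unfixed lists (package, CVE) pairs the distro has not patched yet."""
    fixable, unfixed = {}, []
    for result in json.loads(report_json).get("Results", []):
        if result.get("Class") != "os-pkgs":
            continue  # app dependencies (jars) need a different remediation
        for v in result.get("Vulnerabilities", []):
            if v.get("Severity") not in gate:
                continue
            fix = v.get("FixedVersion")
            if not fix:
                unfixed.append((v["PkgName"], v["VulnerabilityID"]))
                continue
            entry = fixable.setdefault(v["PkgName"], {"fix": fix, "cves": []})
            entry["cves"].append(v["VulnerabilityID"])
    return fixable, unfixed

def ci_should_fail(report_json):
    """Gate the build on findings that a base-image update would remove."""
    return bool(triage(report_json)[0])
```

Running `triage(SAMPLE_REPORT)` groups the two pcre2 CVEs under libpcre2-8-0 with the single target version 10.36-2+deb11u1, which is the per-package upgrade list a base-image bump has to satisfy.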