[Security] CVE vulnerabilities of docker image nacos:v2.2.2-slim

[wilsonwu]

Describe the bug
CVEs

nacos-server:v2.2.2-slim (debian 11.4)

Total: 4 (CRITICAL: 4)
┌──────────────┬────────────────┬──────────┬─────────────────────────┬─────────────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼─────────────────────────┼─────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libpcre2-8-0 │ CVE-2022-1586 │ CRITICAL │ 10.36-2 │ 10.36-2+deb11u1 │ pcre2: Out-of-bounds read in compile_xclass_matchingpath in │
│ │ │ │ │ │ pcre2_jit_compile.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1[586](https://gitlab.daocloud.cn/ndx/skoala/-/jobs/947744#L586) │
│ ├────────────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-1587 │ │ │ │ pcre2: Out-of-bounds read in get_recurse_data_length in │
│ │ │ │ │ │ pcre2_jit_compile.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1[587](https://gitlab.daocloud.cn/ndx/skoala/-/jobs/947744#L587) │
├──────────────┼────────────────┤ ├─────────────────────────┼─────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libtasn1-6 │ CVE-2021-46848 │ │ 4.16.0-2 │ 4.16.0-2+deb11u1 │ libtasn1: Out-of-bound access in ETYPE_OK │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-46848 │
├──────────────┼────────────────┤ ├─────────────────────────┼─────────────────────────┼─────────────────────────────────────────────────────────────┤
│ zlib1g │ CVE-2022-37434 │ │ 1:1.2.11.dfsg-2+deb11u1 │ 1:1.2.11.dfsg-2+deb11u2 │ heap-based buffer over-read and overflow in inflate() in │
│ │ │ │ │ │ inflate.c via a large... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │
└──────────────┴────────────────┴──────────┴─────────────────────────┴─────────────────────────┴─────────────────────────────────────────────────────────────┘

Expected behavior
Need to be fixed.

Actually behavior
Not fix now.

How to Reproduce
Upgrade components

[KomachiSion]

I don't get the problem. Do you means the docker image depend some libs which has security problem?

[wilsonwu]

You are right, seems it is.the base image problem.

[KomachiSion]

So need to upgrade os version to fix them.

[wilsonwu]

So need to upgrade os version to fix them.

Yes, investigate the base image problems, I found we need to upgrade to a newer version of JRE/JDK base image to solve these CVEs, seems that is a big project.

[zqr95518]

So need to upgrade os version to fix them.

Yes, investigate the base image problems, I found we need to upgrade to a newer version of JRE/JDK base image to solve these CVEs, seems that is a big project.

Why not simply replace the base image with eclipse-temurin-jre or other openjdk8?

[wilsonwu]

So need to upgrade os version to fix them.

Yes, investigate the base image problems, I found we need to upgrade to a newer version of JRE/JDK base image to solve these CVEs, seems that is a big project.

Why not simply replace the base image with eclipse-temurin-jre or other openjdk8?

Seems the adoptopenjdk/openjdk8:jre8u372-b07 solved all problems, I only checked the offical image found no profect image for java8, if you have better choose, welcome to PR.

[zqr95518]

I

So need to upgrade os version to fix them.

Yes, investigate the base image problems, I found we need to upgrade to a newer version of JRE/JDK base image to solve these CVEs, seems that is a big project.

Why not simply replace the base image with eclipse-temurin-jre or other openjdk8?

Seems the adoptopenjdk/openjdk8:jre8u372-b07 solved all problems, I only checked the offical image found no profect image for java8, if you have better choose, welcome to PR.

https://github.com/nacos-group/nacos-docker/issues/326