fix(security): vulnerabilities found in besu-all-in-one #2055

Open
zondervancalvez opened this issue Jun 1, 2022 · 1 comment
Labels
Besu bug Something isn't working documentation Improvements or additions to documentation good-first-issue Good for newcomers good-first-issue-300-advanced Hacktoberfest Hacktoberfest participants are welcome to take a stab at issues marked with this label. P4 Priority 4: Low Security Related to existing or potential security vulnerabilities

Comments

@zondervancalvez
Contributor

List of vulnerabilities found in the besu-all-in-one image during an Azure Container scan.

VULNERABILITY ID PACKAGE NAME SEVERITY
CVE-2016-2779 bsdutils HIGH
CVE-2019-12900 bzip2 CRITICAL
CVE-2020-8177 curl HIGH
CVE-2020-8231 curl HIGH
CVE-2020-8285 curl HIGH
CVE-2020-8286 curl HIGH
CVE-2021-22946 curl HIGH
CVE-2022-1304 e2fslibs HIGH
CVE-2022-1304 e2fsprogs HIGH
CVE-2019-8907 file HIGH
CVE-2018-12886 gcc-6-base HIGH
CVE-2018-1000858 gpgv HIGH
CVE-2022-1271 gzip HIGH
CVE-2021-26720 libavahi-client3 HIGH
CVE-2021-26720 libavahi-common-data HIGH
CVE-2021-26720 libavahi-common3 HIGH
CVE-2016-2779 libblkid1 HIGH
CVE-2019-20367 libbsd0 CRITICAL
CVE-2019-12900 libbz2-1.0 CRITICAL
CVE-2018-6485 libc-bin CRITICAL
CVE-2018-6551 libc-bin CRITICAL
CVE-2019-9169 libc-bin CRITICAL
CVE-2021-33574 libc-bin CRITICAL
CVE-2021-35942 libc-bin CRITICAL
CVE-2022-23218 libc-bin CRITICAL
CVE-2022-23219 libc-bin CRITICAL
CVE-2009-5155 libc-bin HIGH
CVE-2018-1000001 libc-bin HIGH
CVE-2020-1751 libc-bin HIGH
CVE-2020-1752 libc-bin HIGH
CVE-2021-3326 libc-bin HIGH
CVE-2021-3999 libc-bin HIGH
CVE-2018-6485 libc6 CRITICAL
CVE-2018-6551 libc6 CRITICAL
CVE-2019-9169 libc6 CRITICAL
CVE-2021-33574 libc6 CRITICAL
CVE-2021-35942 libc6 CRITICAL
CVE-2022-23218 libc6 CRITICAL
CVE-2022-23219 libc6 CRITICAL
CVE-2009-5155 libc6 HIGH
CVE-2018-1000001 libc6 HIGH
CVE-2020-1751 libc6 HIGH
CVE-2020-1752 libc6 HIGH
CVE-2021-3326 libc6 HIGH
CVE-2021-3999 libc6 HIGH
CVE-2022-1304 libcomerr2 HIGH
CVE-2019-8675 libcups2 HIGH
CVE-2019-8696 libcups2 HIGH
CVE-2020-3898 libcups2 HIGH
CVE-2022-26691 libcups2 HIGH
CVE-2020-8177 libcurl3 HIGH
CVE-2020-8231 libcurl3 HIGH
CVE-2020-8285 libcurl3 HIGH
CVE-2020-8286 libcurl3 HIGH
CVE-2021-22946 libcurl3 HIGH
CVE-2019-8457 libdb5.3 CRITICAL
CVE-2019-12749 libdbus-1-3 HIGH
CVE-2020-35512 libdbus-1-3 HIGH
CVE-2022-22822 libexpat1 CRITICAL
CVE-2022-22823 libexpat1 CRITICAL
CVE-2022-22824 libexpat1 CRITICAL
CVE-2022-23852 libexpat1 CRITICAL
CVE-2022-23990 libexpat1 CRITICAL
CVE-2022-25235 libexpat1 CRITICAL
CVE-2022-25236 libexpat1 CRITICAL
CVE-2022-25315 libexpat1 CRITICAL
CVE-2018-20843 libexpat1 HIGH
CVE-2019-15903 libexpat1 HIGH
CVE-2021-45960 libexpat1 HIGH
CVE-2021-46143 libexpat1 HIGH
CVE-2022-22825 libexpat1 HIGH
CVE-2022-22826 libexpat1 HIGH
CVE-2022-22827 libexpat1 HIGH
CVE-2016-2779 libfdisk1 HIGH
CVE-2022-27404 libfreetype6 CRITICAL
CVE-2022-27405 libfreetype6 HIGH
CVE-2022-27406 libfreetype6 HIGH
CVE-2018-12886 libgcc1 HIGH
CVE-2021-33560 libgcrypt20 HIGH
CVE-2021-43618 libgmp10 HIGH
CVE-2019-3829 libgnutls30 HIGH
CVE-2020-28196 libgssapi-krb5-2 HIGH
CVE-2021-20305 libhogweed4 HIGH
CVE-2021-3580 libhogweed4 HIGH
CVE-2017-14062 libidn11 CRITICAL
CVE-2020-13790 libjpeg62-turbo HIGH
CVE-2020-14152 libjpeg62-turbo HIGH
CVE-2020-28196 libk5crypto3 HIGH
CVE-2020-28196 libkrb5-3 HIGH
CVE-2020-28196 libkrb5support0 HIGH
CVE-2022-29155 libldap-2.4-2 CRITICAL
CVE-2020-12243 libldap-2.4-2 HIGH
CVE-2020-25692 libldap-2.4-2 HIGH
CVE-2020-25709 libldap-2.4-2 HIGH
CVE-2020-25710 libldap-2.4-2 HIGH
CVE-2020-36221 libldap-2.4-2 HIGH
CVE-2020-36222 libldap-2.4-2 HIGH
CVE-2020-36223 libldap-2.4-2 HIGH
CVE-2020-36224 libldap-2.4-2 HIGH
CVE-2020-36225 libldap-2.4-2 HIGH
CVE-2020-36226 libldap-2.4-2 HIGH
CVE-2020-36227 libldap-2.4-2 HIGH
CVE-2020-36228 libldap-2.4-2 HIGH
CVE-2020-36229 libldap-2.4-2 HIGH
CVE-2020-36230 libldap-2.4-2 HIGH
CVE-2021-27212 libldap-2.4-2 HIGH
CVE-2022-29155 libldap-common CRITICAL
CVE-2020-12243 libldap-common HIGH
CVE-2020-25692 libldap-common HIGH
CVE-2020-25709 libldap-common HIGH
CVE-2020-25710 libldap-common HIGH
CVE-2020-36221 libldap-common HIGH
CVE-2020-36222 libldap-common HIGH
CVE-2020-36223 libldap-common HIGH
CVE-2020-36224 libldap-common HIGH
CVE-2020-36225 libldap-common HIGH
CVE-2020-36226 libldap-common HIGH
CVE-2020-36227 libldap-common HIGH
CVE-2020-36228 libldap-common HIGH
CVE-2020-36229 libldap-common HIGH
CVE-2020-36230 libldap-common HIGH
CVE-2021-27212 libldap-common HIGH
CVE-2021-3520 liblz4-1 CRITICAL
CVE-2022-1271 liblzma5 HIGH
CVE-2019-8907 libmagic-mgc HIGH
CVE-2019-8907 libmagic1 HIGH
CVE-2016-2779 libmount1 HIGH
CVE-2022-29458 libncursesw5 HIGH
CVE-2021-20305 libnettle6 HIGH
CVE-2021-3580 libnettle6 HIGH
CVE-2018-1000168 libnghttp2-14 HIGH
CVE-2020-11080 libnghttp2-14 HIGH
CVE-2019-17006 libnss3 CRITICAL
CVE-2020-12403 libnss3 CRITICAL
CVE-2021-43527 libnss3 CRITICAL
CVE-2019-11719 libnss3 HIGH
CVE-2019-11729 libnss3 HIGH
CVE-2019-11745 libnss3 HIGH
CVE-2019-17007 libnss3 HIGH
CVE-2020-25648 libnss3 HIGH
CVE-2020-29361 libp11-kit0 HIGH
CVE-2017-12652 libpng16-16 CRITICAL
CVE-2015-20107 libpython2.7-minimal CRITICAL
CVE-2015-20107 libpython2.7-stdlib CRITICAL
CVE-2022-24407 libsasl2-2 HIGH
CVE-2022-24407 libsasl2-modules-db HIGH
CVE-2016-2779 libsmartcols1 HIGH
CVE-2019-8457 libsqlite3-0 CRITICAL
CVE-2018-20346 libsqlite3-0 HIGH
CVE-2018-20506 libsqlite3-0 HIGH
CVE-2018-8740 libsqlite3-0 HIGH
CVE-2019-20218 libsqlite3-0 HIGH
CVE-2019-5827 libsqlite3-0 HIGH
CVE-2019-9936 libsqlite3-0 HIGH
CVE-2019-9937 libsqlite3-0 HIGH
CVE-2020-11655 libsqlite3-0 HIGH
CVE-2020-13630 libsqlite3-0 HIGH
CVE-2020-13871 libsqlite3-0 HIGH
CVE-2022-1304 libss2 HIGH
CVE-2019-13115 libssh2-1 HIGH
CVE-2019-17498 libssh2-1 HIGH
CVE-2021-23840 libssl1.0.2 HIGH
CVE-2021-3712 libssl1.0.2 HIGH
CVE-2022-0778 libssl1.0.2 HIGH
CVE-2022-1292 libssl1.1 CRITICAL
CVE-2019-1543 libssl1.1 HIGH
CVE-2021-23840 libssl1.1 HIGH
CVE-2021-3712 libssl1.1 HIGH
CVE-2022-0778 libssl1.1 HIGH
CVE-2018-12886 libstdc++6 HIGH
CVE-2018-15686 libsystemd0 HIGH
CVE-2019-3842 libsystemd0 HIGH
CVE-2019-3843 libsystemd0 HIGH
CVE-2019-3844 libsystemd0 HIGH
CVE-2020-1712 libsystemd0 HIGH
CVE-2022-29458 libtinfo5 HIGH
CVE-2018-15686 libudev1 HIGH
CVE-2019-3842 libudev1 HIGH
CVE-2019-3843 libudev1 HIGH
CVE-2019-3844 libudev1 HIGH
CVE-2020-1712 libudev1 HIGH
CVE-2016-2779 libuuid1 HIGH
CVE-2021-31535 libx11-6 CRITICAL
CVE-2020-14363 libx11-6 HIGH
CVE-2021-31535 libx11-data CRITICAL
CVE-2020-14363 libx11-data HIGH
CVE-2017-12424 login CRITICAL
CVE-2017-20002 login HIGH
CVE-2016-2779 mount HIGH
CVE-2018-6485 multiarch-support CRITICAL
CVE-2018-6551 multiarch-support CRITICAL
CVE-2019-9169 multiarch-support CRITICAL
CVE-2021-33574 multiarch-support CRITICAL
CVE-2021-35942 multiarch-support CRITICAL
CVE-2022-23218 multiarch-support CRITICAL
CVE-2022-23219 multiarch-support CRITICAL
CVE-2009-5155 multiarch-support HIGH
CVE-2018-1000001 multiarch-support HIGH
CVE-2020-1751 multiarch-support HIGH
CVE-2020-1752 multiarch-support HIGH
CVE-2021-3326 multiarch-support HIGH
CVE-2021-3999 multiarch-support HIGH
CVE-2022-29458 ncurses-base HIGH
CVE-2022-29458 ncurses-bin HIGH
CVE-2022-1292 openssl CRITICAL
CVE-2019-1543 openssl HIGH
CVE-2021-23840 openssl HIGH
CVE-2021-3712 openssl HIGH
CVE-2022-0778 openssl HIGH
CVE-2017-12424 passwd CRITICAL
CVE-2017-20002 passwd HIGH
CVE-2020-10543 perl-base HIGH
CVE-2020-10878 perl-base HIGH
CVE-2020-12723 perl-base HIGH
CVE-2020-16156 perl-base HIGH
CVE-2015-20107 python2.7 CRITICAL
CVE-2015-20107 python2.7-minimal CRITICAL
CVE-2018-1000035 unzip HIGH
CVE-2016-2779 util-linux HIGH
CVE-2022-1271 xz-utils HIGH
CVE-2018-25032 zlib1g HIGH
CVE-2020-25649 com.fasterxml.jackson.core:jackson-databind HIGH
CVE-2020-36518 com.fasterxml.jackson.core:jackson-databind HIGH
CVE-2020-36518 com.fasterxml.jackson.core:jackson-databind HIGH
CVE-2022-25647 com.google.code.gson:gson HIGH
CVE-2022-25647 com.google.code.gson:gson HIGH
GHSA-94g7-hpv8-h9qm com.splunk.logging:splunk-library-javalogging CRITICAL
CVE-2020-8570 io.kubernetes:client-java HIGH
CVE-2021-37136 io.netty:netty-codec HIGH
CVE-2021-37137 io.netty:netty-codec HIGH
CVE-2021-37136 io.netty:netty-codec HIGH
CVE-2021-37137 io.netty:netty-codec HIGH
CVE-2019-20444 io.netty:netty-handler CRITICAL
CVE-2020-11612 io.netty:netty-handler HIGH
CVE-2019-17640 io.vertx:vertx-web CRITICAL
CVE-2019-17640 io.vertx:vertx-web CRITICAL
CVE-2021-35515 org.apache.commons:commons-compress HIGH
CVE-2021-35516 org.apache.commons:commons-compress HIGH
CVE-2021-35517 org.apache.commons:commons-compress HIGH
CVE-2021-36090 org.apache.commons:commons-compress HIGH
CVE-2021-44228 org.apache.logging.log4j:log4j-core CRITICAL
CVE-2021-45046 org.apache.logging.log4j:log4j-core CRITICAL
CVE-2021-45105 org.apache.logging.log4j:log4j-core HIGH
CVE-2021-44228 org.apache.logging.log4j:log4j-core CRITICAL
CVE-2021-45046 org.apache.logging.log4j:log4j-core CRITICAL
CVE-2021-45105 org.apache.logging.log4j:log4j-core HIGH
CVE-2020-28052 org.bouncycastle:bcprov-jdk15on HIGH
CVE-2022-21724 org.postgresql:postgresql CRITICAL
CVE-2020-13692 org.postgresql:postgresql HIGH
@petermetz petermetz added documentation Improvements or additions to documentation Besu Security Related to existing or potential security vulnerabilities P3 Priority 3: Medium labels Jun 2, 2022
@petermetz
Member

petermetz commented Jun 2, 2022

Marking as P4 because the Besu AIO image is not meant to be in production.

@petermetz petermetz added bug Something isn't working P4 Priority 4: Low good-first-issue Good for newcomers Hacktoberfest Hacktoberfest participants are welcome to take a stab at issues marked with this label. good-first-issue-300-advanced and removed P3 Priority 3: Medium labels Jun 2, 2022
charellesandig added a commit to charellesandig/cactus that referenced this issue Oct 4, 2022


Signed-off-by: charelle <charelle.wrk@gmail.com>
petermetz pushed a commit to charellesandig/cactus that referenced this issue Nov 2, 2022


Signed-off-by: charelle <charelle.wrk@gmail.com>
petermetz pushed a commit that referenced this issue Nov 2, 2022
Signed-off-by: charelle <charelle.wrk@gmail.com>