
fix(security): vulnerabilities found in corda-4-7-all-in-one #2063

zondervancalvez opened this issue Jun 1, 2022 · 1 comment
Open
Labels: bug (Something isn't working), Corda, dependencies (Pull requests that update a dependency file), good-first-issue (Good for newcomers), good-first-issue-300-advanced, P4 (Priority 4: Low), Security (Related to existing or potential security vulnerabilities)

Comments

@zondervancalvez
Contributor

List of vulnerabilities found in the corda-4-7-all-in-one image during an Azure Container scan.

| Vulnerability ID | Package name | Severity |
|---|---|---|
| CVE-2021-36159 | apk-tools | CRITICAL |
| CVE-2021-30139 | apk-tools | HIGH |
| CVE-2022-28391 | busybox | CRITICAL |
| CVE-2021-28831 | busybox | HIGH |
| CVE-2021-42378 | busybox | HIGH |
| CVE-2021-42379 | busybox | HIGH |
| CVE-2021-42380 | busybox | HIGH |
| CVE-2021-42381 | busybox | HIGH |
| CVE-2021-42382 | busybox | HIGH |
| CVE-2021-42383 | busybox | HIGH |
| CVE-2021-42384 | busybox | HIGH |
| CVE-2021-42385 | busybox | HIGH |
| CVE-2021-42386 | busybox | HIGH |
| CVE-2021-36222 | krb5-libs | HIGH |
| CVE-2021-39537 | ncurses-libs | HIGH |
| CVE-2021-39537 | ncurses-terminfo-base | HIGH |
| CVE-2021-28041 | openssh-client | HIGH |
| CVE-2021-41617 | openssh-client | HIGH |
| CVE-2021-28041 | openssh-keygen | HIGH |
| CVE-2021-41617 | openssh-keygen | HIGH |
| CVE-2021-3711 | openssl | CRITICAL |
| CVE-2022-22970 | org.springframework:spring-core | HIGH |
| CVE-2022-22965 | org.springframework:spring-webmvc | CRITICAL |
| CVE-2020-5398 | org.springframework:spring-webmvc | HIGH |
| CVE-2017-18640 | org.yaml:snakeyaml | HIGH |
| CVE-2017-18640 | org.yaml:snakeyaml | HIGH |
| CVE-2017-18640 | org.yaml:snakeyaml | HIGH |
| CVE-2017-18640 | org.yaml:snakeyaml | HIGH |
@petermetz added the bug, good-first-issue, Corda, dependencies, Security, good-first-issue-300-advanced and P4 labels on Jun 2, 2022
@petermetz
Member

P4 because the Corda AIO image is not meant to be in production.
