OpenSSL vulnerability for openjdk:11 and openjdk:8

[marcchanwork]

Hello openjdk team, my local scan found critical vulnerability for openssl: CVE-2022-1292
For more details:
https://security-tracker.debian.org/tracker/CVE-2022-1292 (severity is high here)
GHSA-qjmp-vmxc-7p8r

I would like to ask if there are any comparable base images I can use for Java 11 and Java 8.
Thank you very much.

[etiennepeiniau]

Hello,

We have the same problem on the image : openjdk:17.0.2-jdk-slim since the problem is linked to opennssl.

You can find a scan of the vulnerability here

I suppose this depends on the base image used.

Thank you in advance.

[yosifkit]

From the Debian security tracker page (https://security-tracker.debian.org/tracker/CVE-2022-1292), you can see that there is no package update available on bullseye. So there is nothing that can be done.

It's centered specifically around the c_rehash script which is considered obsolete and superseded by the CLI tool https://www.openssl.org/docs/manmaster/man1/c_rehash.html

Similar to docker-library/python#728 (comment)

[tianon]

See also #495 -- openjdk:17* will not be updated any further (see that issue/PR for details).

[marcchanwork]

Alright, thanks for the info!