Critical and high vulnerabilities found in latest mcr.microsoft.com/openjdk/jdk:21-mariner

[kropiwnickij]

Hi Team,

When running container image scans for latest jdk:21-mariner (latest as per https://mcr.microsoft.com/en-us/artifact/mar/openjdk/jdk/tags) we are seeing Critical and High vulnerabilities:

Digest: sha256:60d1e627867c9b9903d4000465a0716ef5999eadb069509a77b5b8ca15a0dbde
Status: Downloaded newer image for mcr.microsoft.com/openjdk/jdk:21-mariner
mcr.microsoft.com/openjdk/jdk:21-mariner

Scan results for: image mcr.microsoft.com/openjdk/jdk:21-mariner sha256:42760e09c4885b2374df55d64d64d808a6a2f6eb86d23e080eb487bfc162ab83
Vulnerabilities
+----------------+----------+------+---------+--------------+-------------------+------------+------------+----------------------------------------------------+
|      CVE       | SEVERITY | CVSS | PACKAGE |   VERSION    |      STATUS       | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+----------------+----------+------+---------+--------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2024-37371 | critical | 9.10 | krb5    | 1.19.4-3.cm2 | fixed in 1.21.3-1 | > 4 months | < 1 hour   | In MIT Kerberos 5 (aka krb5) before 1.21.3, an     |
|                |          |      |         |              | > 3 months ago    |            |            | attacker can cause invalid memory reads during GSS |
|                |          |      |         |              |                   |            |            | message token handling by sending message tokens   |
|                |          |      |         |              |                   |            |            | wit...                                             |
+----------------+----------+------+---------+--------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2024-37370 | high     | 7.50 | krb5    | 1.19.4-3.cm2 | fixed in 1.21.3-1 | > 4 months | < 1 hour   | In MIT Kerberos 5 (aka krb5) before 1.21.3, an     |
|                |          |      |         |              | > 3 months ago    |            |            | attacker can modify the plaintext Extra Count      |
|                |          |      |         |              |                   |            |            | field of a confidential GSS krb5 wrap token,       |
|                |          |      |         |              |                   |            |            | causing the ...                                    |
+----------------+----------+------+---------+--------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2024-26461 | high     | 7.50 | krb5    | 1.19.4-3.cm2 | fixed in 1.21.3-1 | > 8 months | < 1 hour   | Kerberos 5 (aka krb5) 1.21.2 contains              |
|                |          |      |         |              | > 3 months ago    |            |            | a memory leak vulnerability in                     |
|                |          |      |         |              |                   |            |            | /krb5/src/lib/gssapi/krb5/k5sealv3.c.              |
+----------------+----------+------+---------+--------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2024-8096  | medium   | 6.50 | curl    | 8.8.0-2.cm2  | fixed in 8.8.0-3  | 56 days    | < 1 hour   | A vulnerability was found in Curl. When curl is    |
|                |          |      |         |              | 3 days ago        |            |            | told to use the Certificate Status Request TLS     |
|                |          |      |         |              |                   |            |            | extension, often referred to as OCSP stapling, to  |
|                |          |      |         |              |                   |            |            | verif...                                           |
+----------------+----------+------+---------+--------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2024-28182 | medium   | 5.30 | nghttp2 | 1.57.0-1.cm2 | fixed in 1.57.0-2 | > 7 months | < 1 hour   | nghttp2 is an implementation of the Hypertext      |
|                |          |      |         |              | 3 days ago        |            |            | Transfer Protocol version 2 in C. The nghttp2      |
|                |          |      |         |              |                   |            |            | library prior to version 1.61.0 keeps reading the  |
|                |          |      |         |              |                   |            |            | unbounde...                                        |
+----------------+----------+------+---------+--------------+-------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image mcr.microsoft.com/openjdk/jdk:21-mariner: total - 5, critical - 1, high - 2, medium - 2, low - 0

I checked that in azurelinux they were fixed in releases: https://github.com/microsoft/azurelinux/releases/tag/2.0.20241006-2.0 and https://github.com/microsoft/azurelinux/releases/tag/3.0.20240824-3.0

Is there a timeline when we can expect jdk mariner images to be refreshed and released?

Regards
Jan

[karianna]

These are refreshed weekly, so I suspect something has gone amiss here - @d3r3kk to triage.

[d3r3kk]

Hello @kropiwnickij thank you for the report.

Please do note that the vulnerabilities you have discovered are handled by the Mariner team and not by the OpenJDK team. As @karianna said above, the OpenJDK team refreshes our images weekly to ensure we pick up the latest fixes from the Mariner team. Unless a vulnerability pertains to the OpenJDK itself, or any of its dependencies, we must pass the issue on to the Mariner team.

To be thorough and to learn myself what the concerns were and how to resolve them, I found the following that you may find helpful.

---

krb5 Vulnerability

For krb5 the link you gave us for the vulnerability being fixed says (at the top):

"Reverted" krb5 1.21.3 to 1.19.4. Epoch bumped for "upgrade" continuity (that is 1.21.3 upgrades to 1.19.4). This change was to resolve an issue with krb5 where powershell's ssh woiuld hang during authentication. These CVE's were also patched in the 1.19.4 version GHSA-8wpj-v5qv-3wf4 and GHSA-wvrw-2fv8-cjvx. Note that these were also fixed in the 1.21.3 version.
(Note the 1.19.4 patches were applied)

...and then lower down, the line:

Patch krb5 to fix GHSA-qp5h-mm28-4jq3 and GHSA-jc8v-q399-gfq9

tells me that the CVEs mentioned above are actually fixed in the Mariner repository.

To be certain, doing tdnf info krb5 --installed in a running 21-mariner container results in showing:

root [ / ]# tdnf info krb5 --installed
Loaded plugin: tdnfrepogpgcheck
Name          : krb5
Arch          : x86_64
Epoch         : 0
Version       : 1.19.4
Release       : 3.cm2
Install Size  :   3.32M (3485624)
Repo          : @System
Summary       : The Kerberos newtork authentication system
URL           : https://web.mit.edu/kerberos/
License       : MIT
Description   : Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords.


Total Size:   3.32M (3485624)

curl Vulnerability

Fixed here: microsoft/azurelinux#10731
Installed as of this morning:

root [ / ]# tdnf info curl --installed
Loaded plugin: tdnfrepogpgcheck
Name          : curl
Arch          : x86_64
Epoch         : 0
Version       : 8.8.0
Release       : 3.cm2
Install Size  : 360.37k (369023)
Repo          : @System
Summary       : An URL retrieval utility and library
URL           : https://curl.haxx.se
License       : curl
Description   : The cURL package contains an utility and a library used for
transferring files with URL syntax to any of the following
protocols: FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET,
DICT, LDAP, LDAPS and FILE. Its ability to both download and
upload files can be incorporated into other programs to support
functions like streaming media.


Total Size: 360.37k (369023)

nghttp2 Vulnerability

Fixed here: microsoft/azurelinux#10656
Installed as of this morning:

root [ / ]# tdnf info nghttp2 --installed
Loaded plugin: tdnfrepogpgcheck
Name          : nghttp2
Arch          : x86_64
Epoch         : 0
Version       : 1.57.0
Release       : 2.cm2
Install Size  : 285.78k (292641)
Repo          : @System
Summary       : nghttp2 is an implementation of HTTP/2 and its header compression algorithm, HPACK.
URL           : https://nghttp2.org
License       : MIT
Description   : Implementation of the Hypertext Transfer Protocol version 2 in C.


Total Size: 285.78k (292641)

[kropiwnickij]

@d3r3kk that you for explanation.

Looking at one of CVE seems that it was solved in 1.19.4 patch in mariner, but as per NVD newer one as 1.21.3 is expected - this causes incorrect scan results.

As first report shows:
1.19.4-3.cm2 | fixed in 1.21.3-1

How do you propose to approach this case? Should this be reported to Mariner team to upgrade to latest krb version?

Regards
Jan

[d3r3kk]

@kropiwnickij, thanks for your attention.

How do you propose to approach this case? Should this be reported to Mariner team to upgrade to latest krb version?

Yes, if it doesn't pertain directly to the OpenJDK itself, or the tools, libraries, and direct dependencies it adds to the image, then it goes to the Mariner team.