
Remove K8S_MEMBERSHIP_SCHEME_VERSION to Address Jackson-databind Vulnerabilities in Docker Images #426

Merged
merged 3 commits into from
Aug 7, 2024

Conversation

BimsaraBodaragama
Member

Purpose

This PR addresses the security vulnerabilities related to the jackson-databind library in the WSO2 Identity Server Docker images by removing K8S_MEMBERSHIP_SCHEME_VERSION.

Goals

Resolve the identified security vulnerabilities by eliminating the dependency on outdated versions of kubernetes-common.

Approach

  1. Verified the vulnerability in versions 1.0.9 and 1.0.10 of kubernetes-common and identified that version 1.0.11 uses a secure jackson-databind version.
  2. Cloned the wso2/docker-is repository and identified the usage of K8S_MEMBERSHIP_SCHEME_VERSION.
  3. Removed the K8S_MEMBERSHIP_SCHEME_VERSION from relevant Dockerfiles.
  4. Built and tested the updated Docker images in a Kubernetes environment to ensure no disruption in functionality.

Test environment

  • JDK Versions: JDK 11
  • Operating Systems: Ubuntu 20.04 (VM)
  • Databases: MySQL
  • Kubernetes: Minikube
  • Browsers: Chrome
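An added post-build check, not part of this PR or the wso2/docker-is repository, for the verification the approach describes: it gates a built image's jar inventory on the kubernetes-common floor the PR identified (1.0.9 and 1.0.10 vulnerable, 1.0.11 fixed) and reports any Dockerfile line that still references the removed build argument. It assumes Maven-style `artifact-version.jar` names and uses a constructed sample inventory.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Minimum safe version per artifact, taken from the PR description:
# kubernetes-common 1.0.9 and 1.0.10 ship a vulnerable jackson-databind.
MIN_SAFE: Dict[str, Version] = {"kubernetes-common": (1, 0, 11)}

# Maven-style names such as kubernetes-common-1.0.11.jar; an underscore
# separator is accepted too, and qualifiers like -SNAPSHOT are ignored.
JAR_RE = re.compile(
    r"^(?P<artifact>.+?)[-_](?P<version>\d+(?:\.\d+)+)(?:[-.][0-9A-Za-z]+)*\.jar$"
)


def parse_version(text: str) -> Version:
    """'1.0.10' -> (1, 0, 10); tuples compare numerically, so 1.0.9 < 1.0.10."""
    return tuple(int(part) for part in text.split("."))


def parse_jar(path: str) -> Optional[Tuple[str, Version]]:
    """Return (artifact, version) for a jar path, or None if the name is unversioned."""
    match = JAR_RE.match(path.rsplit("/", 1)[-1])
    if not match:
        return None
    return match.group("artifact"), parse_version(match.group("version"))


def audit_jars(jar_paths: List[str], policy: Dict[str, Version] = MIN_SAFE):
    """Return (path, found_version, min_safe) for every jar below its policy floor."""
    findings = []
    for path in jar_paths:
        parsed = parse_jar(path)
        if parsed is None:
            continue
        artifact, version = parsed
        floor = policy.get(artifact)
        if floor is not None and version < floor:
            findings.append((path, version, floor))
    return findings


def dockerfile_references(dockerfile: str, name: str = "K8S_MEMBERSHIP_SCHEME_VERSION") -> List[int]:
    """1-based line numbers that still mention the build argument this PR removed."""
    return [i for i, line in enumerate(dockerfile.splitlines(), 1) if name in line]


# Constructed sample inventory, e.g. output of `find / -name '*.jar'` inside the image.
SAMPLE_JARS = [
    "/opt/wso2is/repository/components/dropins/kubernetes-common-1.0.10.jar",
    "/opt/wso2is/repository/components/plugins/jackson-databind-2.9.10.jar",
    "/opt/wso2is/repository/components/dropins/kubernetes-common-1.0.11.jar",
]
```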

@bhagyasakalanka
Contributor

bhagyasakalanka commented Aug 6, 2024

Have we tested this locally? @BimsaraBodaragama

@BimsaraBodaragama
Member Author

Have we tested this locally? @BimsaraBodaragama

Tested on Ubuntu.

@bhagyasakalanka bhagyasakalanka merged commit 06b7a42 into wso2:6.0.x Aug 7, 2024
1 check passed
@BimsaraBodaragama BimsaraBodaragama self-assigned this Aug 7, 2024