
ALAS2-2021-1731 about corretto-docker (closed)

corretto commented on August 23, 2024
ALAS2-2021-1731

from corretto-docker.

Comments (7)

codingtim commented on August 23, 2024

@yishaigalatzer I understand that we could safely proceed with the Corretto base image, we do not use log4j in our images. However, our organization's security architects do not allow us to deploy to production if the ECR image scan shows critical vulnerabilities.

Applying (installing) the hotpatch directly does not solve the ECR image scan critical vulnerability. The corretto package will still come up as a vulnerability because the version is flagged to contain the CVE.

I can understand from your perspective that the hotpatch is not needed inside the Docker image. However, it is weird, and blocking us, that the official Docker Corretto image is flagged by the ECR image scan with a critical vulnerability.


navyxliu commented on August 23, 2024

hi, @codingtim,

Would it be possible to use the "-3" version of the package so the security issue is no longer present?
Yes, it will. I will update the Dockerfile for AL2 shortly.

From 17.0.1.12-1 to 1:17.0.1+12-3.amzn2.1, we added the hotpatcher as a dependency.

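The scan result discussed in this thread comes down to a package version comparison: the scanner holds the epoch:version-release (EVR) at which the advisory is fixed and reports any installed EVR that sorts below it, regardless of whether the dependency actually changes anything inside the container. The script below is an added example, not code from corretto-docker, Amazon or the ECR scanner; it reimplements RPM's version ordering (rpmvercmp, including the tilde and caret rules) in Python and applies it to the two versions quoted above. The fixed EVR it uses, 1:17.0.1+12-3.amzn2.1, is an assumption taken from this thread rather than from the ALAS2-2021-1731 advisory text, and the sample versions are constructed from the comment above.

```python
"""Added example: why a version-based scan flags one corretto package
version and not another.  Reimplements RPM's EVR ordering in Python.

Assumption: the advisory's fixed EVR (FIXED_EVR) is taken from this
thread, not from the ALAS2-2021-1731 advisory itself."""

from typing import Tuple

# Constructed for this example from the versions quoted in the thread.
ADVISORY_ID = "ALAS2-2021-1731"
FIXED_EVR = "1:17.0.1+12-3.amzn2.1"      # assumed fixed version
INSTALLED_EVR_OLD = "17.0.1.12-1"        # the version the scan flagged
INSTALLED_EVR_NEW = "1:17.0.1+12-3.amzn2.1"


def parse_evr(evr: str) -> Tuple[str, str, str]:
    """Split 'epoch:version-release' into its parts; a missing epoch is 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
    else:
        version, release = evr, ""
    return epoch, version, release


def rpmvercmp(a: str, b: str) -> int:
    """Port of RPM's rpmvercmp: return -1, 0 or 1 as a <, ==, > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything but alnum, '~', '^') are skipped entirely.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        # '~' sorts before everything, even the end of the string (1.0~rc1 < 1.0).
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        # '^' sorts after the end of the string but before anything else
        # (1.0 < 1.0^post < 1.0.1).
        ca = i < len(a) and a[i] == "^"
        cb = j < len(b) and b[j] == "^"
        if ca or cb:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take the next all-digit or all-alpha segment from each side.
        numeric = a[i].isdigit()
        kind = str.isdigit if numeric else str.isalpha
        sa = i
        while i < len(a) and kind(a[i]):
            i += 1
        sb = j
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[sa:i], b[sb:j]
        if not seg_b:
            # Segment types differ: a numeric segment is always newer.
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever side still has characters left is newer.
    return -1 if i >= len(a) else 1


def compare_evr(a: str, b: str) -> int:
    """Compare two EVR strings as rpm/yum do: epoch, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc != 0:
            return rc
    return 0


def scan_package(installed_evr: str, fixed_evr: str = FIXED_EVR) -> dict:
    """Emulate the scanner's decision: report the package when its EVR
    sorts below the advisory's fixed EVR."""
    affected = compare_evr(installed_evr, fixed_evr) < 0
    return {"advisory": ADVISORY_ID, "installed": installed_evr,
            "fixed": fixed_evr, "affected": affected}


if __name__ == "__main__":
    for evr in (INSTALLED_EVR_OLD, INSTALLED_EVR_NEW):
        r = scan_package(evr)
        state = "FLAGGED" if r["affected"] else "ok"
        print(f"{r['advisory']}: {r['installed']} -> {state} (fixed in {r['fixed']})")
```

Note that the old version loses on the epoch alone (0 versus 1) before the version string is even looked at, which is why the scan keeps reporting the package after the hotpatch is installed by hand: nothing about the installed JVM changes the package metadata the scanner compares.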

navyxliu commented on August 23, 2024

hi, @codingtim
Rolling out a new release takes time. I inspected the code; 17.0.1+12-3 only adds log4j-cve-2021-44228-cve-mitigations as a dependency, and it doesn't take effect inside of Docker. Is it possible for you to ignore this specific "critical" issue in deployment? It would unblock you.

Meanwhile, we are working on a solution for this.


codingtim commented on August 23, 2024

@navyxliu
It is unfortunate that ALAS2-2021-1731 was logged as critical, or even logged at all, as there is no security issue inside the corretto JVM. As we have no way to change that, we hope that the new 17.0.1+12-3 version with the extra dependency can be used in the image.

I understand that the release will take some time. We will wait for now with our production release. If we need to hotfix something we will look into disabling the quality gate.

Thank you for your swift responses.


yishaigalatzer commented on August 23, 2024

@codingtim we suggest that for now you can proceed with the Corretto image assuming you have either fixed any lingering log4j issue in your code, or can apply the hotpatch directly.

We decided previously not to include the hotpatch in the base corretto image, and will work on what our path forward is.

Does this unblock you?


MichaelJCook commented on August 23, 2024

@codingtim We try very hard to deliver an exceptional customer experience, and we realize that this is causing an issue for you. We apologize for this inconvenience. I just wanted to thank you for reporting the issue and let you know what we're doing.

As a result of the efforts that took place responding to the log4j CVEs over the last couple of weeks, the issue you identified in this thread arose. It was an unintended side effect of trying to deliver the best possible customer experience to our AL2 customers. In doing so, as you already know, the ECR image scan reported an (erroneous) alarm for AL2/Corretto Docker images. We will post a notice under the Security section of the GitHub ECR home page shortly to help any other users that may be impacted by the same issue. We are scheduled to deliver our quarterly Corretto release in January, and when that release is posted to our repository its version number will satisfy the ECR image scan, and this issue will be resolved (the ECR image scan will no longer report an error).

Thank you, @codingtim, for bringing this issue to our attention. We very much appreciate it.


codingtim commented on August 23, 2024

This issue is resolved with the January release.
