You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After detailed investigation for Docker container vulnerabilities reported under microsoft/openjdk-docker#113 - it appears that ones with severity critical and high were actually detected towards krb5 package, and in fact are resolved.
The challenge is security scanners compare package version from NVD:
Known Affected Software Configurations
Up to (excluding)
1.21.3
to system level package version hence still this CVE is discovered because Mariner used "patched release", not version, to resolve issue:
Version : 1.19.4
Release : 3.cm2
Is this approach of having custom release versions of system package a standard approach for Mariner, or we can expect soon Mariner to have krb5 version bumped to be aligned with official one, which has this CVE resolved.
We are trying to understand how to investigate container security reports without custom rules for Mariner based images, per each CVE that is fixed but cannot be automatically discovered.
Regards
Jan
The text was updated successfully, but these errors were encountered:
We're working with scanning vendors to get this false positive corrected. You're right in that it's patched already, but it may take some time for the tooling to resolve correctly.
Dear Team,
After detailed investigation for Docker container vulnerabilities reported under microsoft/openjdk-docker#113 - it appears that ones with severity critical and high were actually detected towards krb5 package, and in fact are resolved.
When we look at discovered CVE https://nvd.nist.gov/vuln/detail/cve-2024-37371 - NVD provides solution with higher version as mentioned "In MIT Kerberos 5 (aka krb5) before 1.21.3".
When we check details this specific CVE have been already resolved in patches mentioned by @d3r3kk in microsoft/openjdk-docker#113 (comment).
The challenge is security scanners compare package version from NVD:
Known Affected Software Configurations
Up to (excluding)
1.21.3
to system level package version hence still this CVE is discovered because Mariner used "patched release", not version, to resolve issue:
Version : 1.19.4
Release : 3.cm2
Is this approach of having custom release versions of system package a standard approach for Mariner, or we can expect soon Mariner to have krb5 version bumped to be aligned with official one, which has this CVE resolved.
We are trying to understand how to investigate container security reports without custom rules for Mariner based images, per each CVE that is fixed but cannot be automatically discovered.
Regards
Jan
The text was updated successfully, but these errors were encountered: