[ https://issues.apache.org/jira/browse/ZOOKEEPER-4484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17500542#comment-17500542 ]

Mate Szalay-Beko commented on ZOOKEEPER-4484:
---------------------------------------------

The Apache ZooKeeper community does not maintain any "official docker image". 
Personally, I don't know who is working on this (and don't know why they never 
sync with our Apache community), but we cannot change these images, and these 
Dockerfiles are not part of the artifacts we build/test/support.

> Critical Security Vulnerabilities in Apache Zookeper image
> ----------------------------------------------------------
>
>                 Key: ZOOKEEPER-4484
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4484
>             Project: ZooKeeper
>          Issue Type: Bug
>    Affects Versions: 3.7.0
>            Reporter: Debanjan Bhowmick
>            Priority: Critical
>         Attachments: 
> 0-02-03-43ecbd3105b8acb3dabd52683aac076b818c698c721c89070024677252b5a017_1c6da8c1746854.png
>
>
> We have found the below list of CRITICAL security vulnerabilities present in 
> the official ZooKeeper image -
> ||Vulnerability ID||Component||Infected versions||Fixed versions||
> |CVE-2021-33574|debian:bullseye:libc6:2.31-13+deb11u2|N/A|N/A|
> |XRAY-179837|io.netty:netty-codec:4.1.59.Final|< 4.1.66.Final|4.1.66.Final|
> |CVE-2022-23307|log4j:log4j:1.2.17|All Versions|N/A|
> |CVE-2019-17571|log4j:log4j:1.2.17|≤ 1.2.17|N/A|
> |CVE-2022-23305|log4j:log4j:1.2.17|1.1.0 ≤ Version ≤ 1.2.17|N/A|
> |CVE-2022-23219|debian:bullseye:libc6:2.31-13+deb11u2|N/A|N/A|
> |CVE-2022-23218|debian:bullseye:libc6:2.31-13+deb11u2|N/A|N/A|
> Can you please help us with the fix or update us on the release of security 
> patches and also their respective timelines.
>  


