[ https://issues.apache.org/jira/browse/ZOOKEEPER-4484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17500542#comment-17500542 ]
Mate Szalay-Beko edited comment on ZOOKEEPER-4484 at 3/3/22, 7:14 AM: ---------------------------------------------------------------------- As far as I know, Apache ZooKeeper community does not maintain any "official docker image". Personally I don't know who is working on this (and don't know why they never sync with our Apache community), but we can not change these images and these Dockerfiles are not part of the artifacts we build/test/support. was (Author: symat): Apache ZooKeeper community does not maintain any "official docker image". Personally I don't know who is working on this (and don't know why they never sync with our Apache community), but we can not change these images and these Dockerfiles are not part of the artifacts we build/test/support. > Critical Security Vulnerabilities in Apache Zookeper image > ---------------------------------------------------------- > > Key: ZOOKEEPER-4484 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4484 > Project: ZooKeeper > Issue Type: Bug > Affects Versions: 3.7.0 > Reporter: Debanjan Bhowmick > Priority: Critical > Attachments: > 0-02-03-43ecbd3105b8acb3dabd52683aac076b818c698c721c89070024677252b5a017_1c6da8c1746854.png > > > We have found this below list of CRITICAL Security vulnerabilties present in > the official zookeper image - > ||Vulnerability ID||Component||Infected versions||Fixed versions|| > |CVE-2021-33574|debian:bullseye:libc6:2.31-13+deb11u2|N/A|N/A| > |XRAY-179837|io.netty:netty-codec:4.1.59.Final|< 4.1.66.Final|4.1.66.Final| > |CVE-2022-23307|log4j:log4j:1.2.17|All Versions|N/A| > |CVE-2019-17571|log4j:log4j:1.2.17|≤ 1.2.17|N/A| > |CVE-2022-23305|log4j:log4j:1.2.17|1.1.0 ≤ Version ≤ 1.2.17|N/A| > |CVE-2022-23219|debian:bullseye:libc6:2.31-13+deb11u2|N/A|N/A| > |CVE-2022-23218|debian:bullseye:libc6:2.31-13+deb11u2|N/A|N/A| > Can you please help us with the fix or update us on the release of security > patches and also their respective timelines. > -- This message was sent by Atlassian Jira (v8.20.1#820001)