Hello Sokratis, hi Software Collections team, I am writing to you because you are listed as maintainer of the Apache HTTP 2.4 [Sokratis] and JBoss Web Server 5.5 (OpenJDK8) on UBI 8 [sclorg] images.
My customer Bosch raised a security issue about Red Hat Container images in the Red Hat Container Catalog [1]. In short, software packages in Red Hat Container images are not updated according to CVE recommendations and/or do not contain the required CVE information. Two examples from the customer's SRE team:

*Apache HTTP 2.4.x*
The CVE-2021-36160 [2] describes that Apache HTTP Server versions 2.4.30 to 2.4.48 are impacted. The current Red Hat Apache HTTP 2.4 image [3] (1-156, latest, 7 days old) contains httpd 2.4.37 and also does not indicate the CVE-2021-36160.

*JBoss Web Server 5.5 (OpenJDK8) on UBI 8*
The CVE-2021-29425 [4] describes that Apache Commons IO before 2.7 is impacted. The current JBoss Web Server 5.5 (OpenJDK8) on UBI 8 image [5] (1.0-51627017160, latest, 2 months old) still contains Apache-commons-io 2.6 and also does not indicate the CVE-2021-29425.

The customer's SRE team must respond to the Bosch CERT Advisory and is requesting the following information:

1. In both examples, are the CVEs not fixed yet?
2. CVE-2021-36160 is moderate [6], but the Red Hat Container Catalog does not show any information. Is there any reason?
3. CVE-2021-29425 seems to be fixed for Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 but not for the JBoss Web Server 5.5 (OpenJDK8) on UBI 8 image, but the Red Hat Container Catalog does not show any information. Is there any reason?

Please also let me know if I misinterpreted the CVE data on the Red Hat Container Catalog.

Thank you,
Stefan

[1] https://catalog.redhat.com/software/containers/search
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160
[3] https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=security
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
[5] https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=security
[6] https://access.redhat.com/security/cve/CVE-2021-36160
_______________________________________________ SCLorg mailing list SCLorg@redhat.com https://listman.redhat.com/mailman/listinfo/sclorg
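Editor's note on the first question above (this is an added example, not part of the mailing-list thread and not Red Hat's or the sclorg team's tooling). Comparing the upstream version string in the image (httpd 2.4.37) against the affected range quoted by the CVE (2.4.30 to 2.4.48) is not enough to conclude that a Red Hat image is unfixed: Red Hat backports security fixes into the shipped version and records the CVE ID in the RPM changelog rather than bumping the upstream version. The script below implements both checks side by side, the version-range comparison and the changelog lookup, and runs entirely on a constructed changelog sample; the changelog entries, dates, release numbers and packager are placeholders, and the registry path in the comment is an assumption based on the catalog URL in [3].

```shell
#!/usr/bin/env bash
# Added example (not from the mailing-list thread): two checks to run against a
# container image before concluding that a CVE is unfixed.
#
# Check 1 compares the upstream version against the affected range quoted by the
# CVE.  Check 2 looks for the CVE ID in the RPM changelog, which is where a
# Red Hat backported fix shows up even though the upstream version string does
# not change.  Only check 2 can tell "2.4.37 with the fix" from "2.4.37 without".
set -u

# Real-world invocation (not executed here; needs registry access and podman;
# the image path is assumed from the catalog URL, not confirmed by the thread):
#   podman run --rm registry.redhat.io/rhel8/httpd-24 \
#       rpm -q --qf '%{VERSION}-%{RELEASE}\n' --changelog httpd | grep CVE-2021-36160

# Returns 0 when version $1 lies within [$2, $3] under GNU "sort -V" ordering.
version_in_range() {
  local v="$1" lo="$2" hi="$3"
  local first last
  first=$(printf '%s\n%s\n' "$lo" "$v" | sort -V | head -n1)
  last=$(printf '%s\n%s\n' "$v" "$hi" | sort -V | tail -n1)
  [ "$first" = "$lo" ] && [ "$last" = "$hi" ]
}

# Returns 0 when the changelog text in $1 mentions the CVE ID in $2.
# The ID is matched as a whole token, so CVE-2021-3616 does not match
# CVE-2021-36160.
changelog_mentions_cve() {
  local changelog="$1" cve="$2"
  printf '%s\n' "$changelog" | grep -Eq "(^|[^0-9])${cve}([^0-9]|$)"
}

# Combine both checks: the changelog wins, because a backported fix leaves the
# upstream version inside the "affected" range.
# Arguments: <version> <range-low> <range-high> <changelog-text> <CVE-ID>
assess() {
  local version="$1" lo="$2" hi="$3" changelog="$4" cve="$5"
  if changelog_mentions_cve "$changelog" "$cve"; then
    echo fixed-by-backport
  elif version_in_range "$version" "$lo" "$hi"; then
    echo affected-by-version
  else
    echo outside-affected-range
  fi
}

# Constructed sample changelog in "rpm -q --changelog" layout.  This is NOT a
# real dump of the httpd package; dates, release numbers and packager are
# placeholders used only to exercise the parser.
SAMPLE_CHANGELOG='* Tue Jan 04 2022 Example Packager <packager@example.com> - 2.4.37-43
- Resolves: CVE-2021-36160 (placeholder entry)

* Mon Jun 07 2021 Example Packager <packager@example.com> - 2.4.37-39
- Resolves: CVE-2021-26690 (placeholder entry)'

# Demo run: same upstream version, with and without the backport entry.
echo "2.4.37 with changelog entry:    $(assess 2.4.37 2.4.30 2.4.48 "$SAMPLE_CHANGELOG" CVE-2021-36160)"
echo "2.4.37 without changelog entry: $(assess 2.4.37 2.4.30 2.4.48 "" CVE-2021-36160)"
echo "2.4.49 without changelog entry: $(assess 2.4.49 2.4.30 2.4.48 "" CVE-2021-36160)"
```

The version check alone reports the image as affected for every 2.4.37 build; only the changelog lookup distinguishes a build that carries the backported fix. When the changelog is silent, the next place to look is the Red Hat CVE page for that CVE [6], which lists the fixed package release per product; the catalog's security tab only reflects what that data says.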