All,

Just an FYI…

Today, our vulnerability scanners started alerting us to this CVE when we pulled the Official Tomcat image. I have opened a ticket with docker-library-tomcat to see if they can rebuild the images, as this was addressed in the OpenJDK layer.

After I sorted that out, I wondered if TomEE was vulnerable as well. The good news is we are not. The difference is Tomcat is built on OpenJDK’s JDK and we use the JRE. It would seem the affecting library, libbsd0, is not found on the JRE.

Again, there is nothing for us to do, but I thought you may all want to be aware. If you have any questions, please reach out.

Thanks,
Rod.

PS: It is not lost on me that it is a fairly old vulnerability. I am not sure why it started to notify us today; something else I will have to research.