Thanks for the update Rod!

> PS: It is not lost on me that it is a fairly old vulnerability. I am not sure why it started to notify us today, something else I will have to research.

I tend to get duplicate notifications when CVEs are updated. Looks like there have been some recent-ish updates to this CVE:
https://nvd.nist.gov/vuln/detail/CVE-2019-20367#VulnChangeHistorySection

Jon

On Thu, Apr 1, 2021 at 5:06 AM Jenkins, Rodney J (Rod) <jenki...@nationwide.com> wrote:

> All,
>
> Just an FYI….
>
> Today, our vulnerability scanners started alerting us to this CVE when we
> pulled the Official Tomcat image. I have opened a ticket with
> docker-library-tomcat to see if they can rebuild the images, as this was
> addressed in the OpenJDK layer. After I sorted that out, I wondered if TomEE
> was vulnerable as well. The good news is we are not. The difference is
> Tomcat is built on OpenJDK’s JDK and we use the JRE. It would seem the
> affecting library, libbsd0, is not found on the JRE.
>
> Again, there is nothing for us to do, but I thought you may all want to be
> aware.
>
> If you have any questions, please reach out.
>
> Thanks,
> Rod.
>
> PS: It is not lost on me that it is a fairly old vulnerability. I am not
> sure why it started to notify us today, something else I will have to
> research.