padma81 opened a new issue #2387: URL: https://github.com/apache/bookkeeper/issues/2387
**BUG REPORT**

A security scanner has reported the following CVEs in the apache/bookkeeper:4.9.2 image.

|**Component**|**Current Version**|**CVE**|**Severity**|**Version to be upgraded to**|**References**|
|-----|----|----|----|-----|-----|
|Apache log4j|1.2.17|CVE-2017-5645|CRITICAL|2.8.2|https://nvd.nist.gov/vuln/detail/CVE-2017-5645|
|Apache log4j|1.2.17|CVE-2019-17571|CRITICAL|2.8.2|https://nvd.nist.gov/vuln/detail/CVE-2019-17571<br/>https://logging.apache.org/log4j/1.2/index.html|
|Java Platform Standard Edition (JRE) (J2RE)|8u102|CVE-2016-5556|CRITICAL|8u241| |
|Java Platform Standard Edition (JRE) (J2RE)|8u102|CVE-2016-5568|CRITICAL|8u241| |
|Java Platform Standard Edition (JRE) (J2RE)|8u102|CVE-2016-5582|CRITICAL|8u241| |
|Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server|9.4.5.v20170502|CVE-2017-7657|CRITICAL|9.4.11|https://www.eclipse.org/jetty/security-reports.html|
|Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server|9.4.5.v20170502|CVE-2017-7658|CRITICAL|9.4.11|https://www.eclipse.org/jetty/security-reports.html|
|Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server|9.4.5.v20170502|CVE-2018-12538|CRITICAL|9.4.11|https://www.eclipse.org/jetty/security-reports.html|
|Netty Project|3.10.1.Final|CVE-2019-20444|CRITICAL|4.1.44.Final|https://github.com/netty/netty/issues/9866<br/>https://github.com/netty/netty/milestone/218?closed=1|
|Netty Project|3.10.1.Final|CVE-2019-20445|CRITICAL|4.1.44.Final|https://github.com/netty/netty/issues/9861<br/>https://github.com/netty/netty/milestone/218?closed=1|
|OpenLDAP|2.4.44|CVE-2019-13565|HIGH|2.4.48|https://access.redhat.com/security/cve/CVE-2019-13565<br/>https://bugzilla.redhat.com/show_bug.cgi?id=1730477<br/>https://www.openldap.org/lists/openldap-announce/201907/msg00001.html|
|Python programming language|2.7.5|CVE-2018-14647|HIGH|2.7.5-86.el7.x86_64|https://access.redhat.com/security/cve/CVE-2018-14647<br/>https://access.redhat.com/errata/RHSA-2019:2030|
|Python programming language|2.7.5|CVE-2019-10160|CRITICAL|2.7.5-80.el7_6.x86_64|https://access.redhat.com/security/cve/CVE-2019-10160<br/>https://access.redhat.com/errata/RHSA-2019:1587|
|Python programming language|2.7.5|CVE-2019-16056|HIGH|2.7.5-88.el7.x86_64|https://access.redhat.com/security/cve/CVE-2019-16056<br/>https://access.redhat.com/errata/RHSA-2020:1131|
|Python programming language|2.7.5|CVE-2019-5010|HIGH|2.7.5-86.el7.x86_64|https://access.redhat.com/security/cve/CVE-2019-5010<br/>https://access.redhat.com/errata/RHSA-2019:2030|
|Python programming language|2.7.5|CVE-2019-9948|CRITICAL|2.7.5-86.el7|https://access.redhat.com/security/cve/CVE-2019-9948<br/>https://access.redhat.com/errata/RHSA-2019:2030|
|avahi|0.6.31|CVE-2017-6519|CRITICAL|0.6.31-20.el7.x86_64|https://access.redhat.com/security/cve/CVE-2017-6519<br/>https://access.redhat.com/errata/RHSA-2020:1176|
|elfutils|0.176|CVE-2018-16402|CRITICAL|0.176-2.el7|https://access.redhat.com/security/cve/CVE-2018-16402<br/>https://access.redhat.com/errata/RHSA-2019:2197|
|jackson-databind|2.9.7|CVE-2018-19360|CRITICAL|2.9.8|https://nvd.nist.gov/vuln/detail/CVE-2018-19360<br/>https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8|
|jackson-databind|2.9.7|CVE-2018-19361|CRITICAL|2.9.8|https://nvd.nist.gov/vuln/detail/CVE-2018-19361<br/>https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8|
|jackson-databind|2.9.7|CVE-2018-19362|CRITICAL|2.9.8|https://nvd.nist.gov/vuln/detail/CVE-2018-19362<br/>https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8|
|jackson-databind|2.9.7|CVE-2019-14379|CRITICAL|2.9.10|https://nvd.nist.gov/vuln/detail/CVE-2019-14379<br/>https://github.com/FasterXML/jackson-databind/issues/2387|
|jackson-databind|2.9.7|CVE-2019-14540|CRITICAL|2.9.10|https://nvd.nist.gov/vuln/detail/CVE-2019-14540<br/>https://github.com/FasterXML/jackson-databind/issues/2410|
|jackson-databind|2.9.7|CVE-2019-14892|CRITICAL|2.9.10|https://nvd.nist.gov/vuln/detail/CVE-2019-14892<br/>https://github.com/FasterXML/jackson-databind/issues/2462|
|jackson-databind|2.9.7|CVE-2019-14893|CRITICAL|2.9.10|https://nvd.nist.gov/vuln/detail/CVE-2019-14893<br/>https://github.com/FasterXML/jackson-databind/issues/2469|
|jackson-databind|2.9.7|CVE-2019-16335|CRITICAL|2.9.10.1|https://nvd.nist.gov/vuln/detail/CVE-2019-16942<br/>https://github.com/FasterXML/jackson-databind/issues/2478|
|jackson-databind|2.9.7|CVE-2019-16942|CRITICAL|2.9.10.1|https://nvd.nist.gov/vuln/detail/CVE-2019-16942<br/>https://github.com/FasterXML/jackson-databind/issues/2478|
|jackson-databind|2.9.7|CVE-2019-16943|CRITICAL|2.9.10.1|https://nvd.nist.gov/vuln/detail/CVE-2019-16943<br/>https://github.com/FasterXML/jackson-databind/issues/2478|
|jackson-databind|2.9.7|CVE-2019-17267|CRITICAL|2.9.10|https://nvd.nist.gov/vuln/detail/CVE-2019-17267<br/>https://github.com/FasterXML/jackson-databind/issues/2460|
|jackson-databind|2.9.7|CVE-2019-17531|CRITICAL|2.9.10.1|https://nvd.nist.gov/vuln/detail/CVE-2019-17531<br/>https://github.com/FasterXML/jackson-databind/issues/2498|
|jackson-databind|2.9.7|CVE-2019-20330|CRITICAL|2.9.10.2|https://nvd.nist.gov/vuln/detail/CVE-2019-20330<br/>https://github.com/FasterXML/jackson-databind/issues/2526|
|jackson-databind|2.9.7|CVE-2020-8840|CRITICAL|2.9.10.3|https://nvd.nist.gov/vuln/detail/CVE-2020-8840<br/>https://github.com/FasterXML/jackson-databind/issues/2620|
|systemd|219|CVE-2018-15686|CRITICAL|219-67.el7_7.4|https://access.redhat.com/security/cve/CVE-2018-15686<br/>https://access.redhat.com/errata/RHSA-2019:2091|
|systemd-libs|219|CVE-2018-15686|CRITICAL|219-67.el7_7.4|https://access.redhat.com/security/cve/CVE-2018-15686<br/>https://access.redhat.com/errata/RHSA-2019:2091|

Steps to reproduce the behavior:

1. Scan the apache/bookkeeper:4.9.2 with the help of a security scanner.

***Expected behavior***

The scanner should not report any vulnerabilities that are already fixed.

***Screenshots***

NA

***Additional context***

NA

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
