
OpenJDK 21.0.5 Vulnerability CVE-2025-21502 in Distroless Image #1745

Open
Harguer opened this issue Jan 29, 2025 · 4 comments

Harguer commented Jan 29, 2025

Describe the bug
Hello!
We are encountering a security vulnerability in the OpenJDK 21.0.5 version of the Google Distroless Java base image. Our nightly vulnerability scans flagged CVE-2025-21502 as present in OpenJDK 21.0.5, and it appears that a fix is now available in later versions (21.0.6, 17.0.14, 11.0.26, etc.).

Scan Output:

NAME     INSTALLED      FIXED-IN                                              TYPE    VULNERABILITY   SEVERITY 
openjdk  21.0.5+11-LTS  1.8.0_441, 11.0.26, 17.0.14, 21.0.6, 23.0.2, 8.0.441  binary  CVE-2025-21502  Medium

Vulnerability Details:

  • Package: openjdk
  • Version: 21.0.5+11-LTS
  • Fixed in: 21.0.6
  • CVE ID: CVE-2025-21502
  • Severity: Medium

To Reproduce

run grype scan

Expected behavior

Could you confirm when the updated OpenJDK 21.0.6 version will be available in the distroless images? We understand that GCP commits to updating within 48 hours of a fix being available, but it does not appear to have been addressed yet.

Console Output
If applicable, add information from your container run

Additional context
Add any other context about the problem here.

Harguer commented Feb 3, 2025

Hello!
I'm still seeing the issue, I was wondering if you have any update on this. Thanks in advance.

$ grype gcr.io/distroless/java21-debian12
 ✔ Parsed image            sha256:4ab426c46a884c25e1943d195cbe7b188cf67d3235e3f9a49db52b5f30a9dfcb
 ✔ Cataloged contents      6f5560b7e7af7f65fafc18e4df4bf00b608bab92c1ae11f18c0944ed7e0119a7
   ├── ✔ Packages                        [20 packages]
   ├── ✔ File digests                    [1,629 files]
   ├── ✔ File metadata                   [1,629 locations]
   └── ✔ Executables                     [331 executables]
 ✔ Scanned for vulnerabilities     [20 vulnerability matches]
   ├── by severity: 1 critical, 1 high, 2 medium, 0 low, 15 negligible (1 unknown)
   └── by status:   1 fixed, 19 not-fixed, 0 ignored
NAME         INSTALLED         FIXED-IN                                              TYPE    VULNERABILITY     SEVERITY
libc6        2.36-9+deb12u9                                                          deb     CVE-2019-9192     Negligible
libc6        2.36-9+deb12u9                                                          deb     CVE-2019-1010025  Negligible
libc6        2.36-9+deb12u9                                                          deb     CVE-2019-1010024  Negligible
libc6        2.36-9+deb12u9                                                          deb     CVE-2019-1010023  Negligible
libc6        2.36-9+deb12u9                                                          deb     CVE-2019-1010022  Negligible
libc6        2.36-9+deb12u9                                                          deb     CVE-2018-20796    Negligible
libc6        2.36-9+deb12u9                                                          deb     CVE-2010-4756     Negligible
libc6        2.36-9+deb12u9    (won't fix)                                           deb     CVE-2025-0395     Unknown
libexpat1    2.5.0-1+deb12u1   (won't fix)                                           deb     CVE-2023-52425    High
libexpat1    2.5.0-1+deb12u1   (won't fix)                                           deb     CVE-2024-50602    Medium
libexpat1    2.5.0-1+deb12u1                                                         deb     CVE-2024-28757    Negligible
libexpat1    2.5.0-1+deb12u1                                                         deb     CVE-2023-52426    Negligible
libgcc-s1    12.2.0-14                                                               deb     CVE-2023-4039     Negligible
libgcc-s1    12.2.0-14                                                               deb     CVE-2022-27943    Negligible
libpng16-16  1.6.39-2                                                                deb     CVE-2021-4214     Negligible
libstdc++6   12.2.0-14                                                               deb     CVE-2023-4039     Negligible
libstdc++6   12.2.0-14                                                               deb     CVE-2022-27943    Negligible
libuuid1     2.38.1-5+deb12u3                                                        deb     CVE-2022-0563     Negligible
openjdk      21.0.5+11-LTS     1.8.0_441, 11.0.26, 17.0.14, 21.0.6, 23.0.2, 8.0.441  binary  CVE-2025-21502    Medium
zlib1g       1:1.2.13.dfsg-1   (won't fix)                                           deb     CVE-2023-45853    Critical
$
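
The scan above is the only signal in this thread for whether the rebuilt image has picked up the fix, so a small checker that reads grype's table output and reports only findings with a newer fix on the installed version's own release line is useful for re-running the check once the new image lands. This is an added example, not code from the distroless project or from grype; the functions and the embedded sample rows (copied from the output above) are constructed for illustration.

```python
import re

# Constructed sample: a handful of rows in the table format grype prints,
# taken from the scan output in this issue rather than from a live scan.
SAMPLE_SCAN = """\
NAME         INSTALLED         FIXED-IN                                              TYPE    VULNERABILITY     SEVERITY
libexpat1    2.5.0-1+deb12u1   (won't fix)                                           deb     CVE-2023-52425    High
libexpat1    2.5.0-1+deb12u1                                                         deb     CVE-2024-28757    Negligible
openjdk      21.0.5+11-LTS     1.8.0_441, 11.0.26, 17.0.14, 21.0.6, 23.0.2, 8.0.441  binary  CVE-2025-21502    Medium
zlib1g       1:1.2.13.dfsg-1   (won't fix)                                           deb     CVE-2023-45853    Critical
"""


def parse_grype_table(text):
    """Split grype's table into dicts. FIXED-IN may be empty or contain spaces,
    so the last three single-token columns are taken from the right."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        tokens = line.split()
        if len(tokens) < 5:
            continue
        name, installed = tokens[0], tokens[1]
        type_, vuln, severity = tokens[-3:]
        rows.append({"NAME": name, "INSTALLED": installed,
                     "FIXED-IN": " ".join(tokens[2:-3]), "TYPE": type_,
                     "VULNERABILITY": vuln, "SEVERITY": severity})
    return rows


def version_key(v):
    """Numeric prefix of a version as a tuple: '21.0.5+11-LTS' -> (21, 0, 5)."""
    v = re.sub(r"^\d+:", "", v)                 # drop a Debian epoch such as '1:'
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def fix_for_installed(installed, fixed_in):
    """Pick the fix on the same major line as the installed version (21.x -> 21.0.6).
    Returns None when there is no fix, or when grype marks the row '(won't fix)'."""
    if not fixed_in or fixed_in.startswith("("):
        return None
    inst = version_key(installed)
    for cand in (c.strip() for c in fixed_in.split(",")):
        ck = version_key(cand)
        if ck and inst and ck[0] == inst[0] and inst < ck:
            return cand
    return None


def actionable_findings(text):
    """(package, CVE, installed, fix) for every row where a newer same-line fix exists."""
    return [(r["NAME"], r["VULNERABILITY"], r["INSTALLED"], fix)
            for r in parse_grype_table(text)
            if (fix := fix_for_installed(r["INSTALLED"], r["FIXED-IN"]))]
```

Pipe a real run through it with `grype gcr.io/distroless/java21-debian12` and an empty result means the image has caught up with every fix grype knows about.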

@loosebazooka (Member) commented

Yeah sorry, this is handled here: #1742, I'll need to retrigger the CI

@loosebazooka (Member) commented

okay this should go live in 2-3 hours

Harguer commented Feb 3, 2025

@loosebazooka thanks a lot for your help!
