
Numerous security vulnerabilities when the image is scanned #52

Open
NeelabhKher opened this issue May 6, 2021 · 11 comments

Comments

@NeelabhKher

I need help with security vulnerabilities. We ran a scan with the Aqua Sec SaaS offering on the latest image on Docker Hub: https://hub.docker.com/r/jboss/kie-server-showcase/tags?page=1&ordering=last_updated, and below are the detailed findings for security vulnerabilities.

  1. CVE-2016-2141: JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors. Installed resource: jgroups 3.6.14.Final.
  2. CVE-2019-10158: A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling. Installed resource: infinispan-core 9.4.18.Final.
  3. CVE-2018-1000134: UnboundID LDAP SDK, from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6 (where the issue was reported and fixed), contains an Incorrect Access Control vulnerability: the process function in the SimpleBindRequest class doesn't check for an empty password when running in synchronous mode (commit with applied fix: pingidentity/ldapsdk@8471904#diff-f6cb23b459be1ec17df1da33760087fd). This can result in the ability to impersonate any valid user. This attack appears to be exploitable by providing a valid username and an empty password against servers that do not do additional validation as per https://tools.ietf.org/html/rfc4513#section-5.1.1. This vulnerability appears to have been fixed after commit 8471904a02438c03965d21367890276bc25fa5a6. Installed resource: unboundid-ldapsdk 3.2.0. Published by NVD 2018-03-16.
  4. CVE-2019-20445: HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. Installed resource: netty 3.10.6.Final.
  5. CVE-2018-8088: org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. Installed resource: slf4j-ext 1.7.22.jbossorg-1.
  6. CVE-2017-12629: Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser, which is available by default for any query request with parameters deftype=xmlparser, and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using the ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr. Installed resource: lucene-core 6.6.1. This is applicable to lucene-core, lucene-queryparser 6.6.1 and
  7. CVE-2019-20444: HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold". Installed resource: netty 3.10.6.Final.

Any direction on mitigating them, or mitigating them in the next release, would be helpful.
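The two Netty findings in the list above (CVE-2019-20444 and CVE-2019-20445) describe a decoder that accepts ambiguous request framing: a second Content-Length, a Content-Length next to a Transfer-Encoding, or a header line with no colon that gets read as a fold. The following Python is an added example, not code from Netty, from this project, or from the issue author: it is the strict check a hardened HTTP/1.1 parser applies to the header block, run over constructed sample blocks (not traffic from this page), and it refuses every ambiguous combination rather than picking one.

```python
"""Strict HTTP/1.1 header-block validation covering the framing ambiguities
named in CVE-2019-20444 and CVE-2019-20445.  Added example; not Netty's code."""
import re

# Constructed sample header blocks (request line already consumed), not
# captured traffic.  Each ends with the CRLF CRLF that terminates headers.
SAMPLES = {
    "clean":     "Host: example.test\r\nContent-Length: 5\r\n\r\n",
    "double_cl": "Host: example.test\r\nContent-Length: 5\r\nContent-Length: 7\r\n\r\n",
    "cl_and_te": "Host: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "no_colon":  "Host: example.test\r\nX-Broken\r\nContent-Length: 5\r\n\r\n",
    "obs_fold":  "Host: example.test\r\nX-Long: a\r\n b\r\n\r\n",
    "chunked":   "Host: example.test\r\nTransfer-Encoding: gzip, chunked\r\n\r\n",
}

_TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 field-name


class HeaderError(ValueError):
    """The block must be rejected (HTTP 400), never guessed at."""


def parse_headers(block):
    """Split a CRLF-delimited header block into (name, value) pairs, names
    lowercased.  Rejects a line that lacks a colon (the CVE-2019-20444
    case, which a lenient decoder may treat as a fold or a bare name) and
    any obs-fold continuation line (RFC 7230 section 3.2.4)."""
    if not block.endswith("\r\n\r\n"):
        raise HeaderError("header block not terminated by CRLF CRLF")
    headers = []
    body = block[:-4]
    for line in (body.split("\r\n") if body else []):
        if line[:1] in (" ", "\t"):
            raise HeaderError(f"obs-fold continuation line: {line!r}")
        name, sep, value = line.partition(":")
        if not sep:
            raise HeaderError(f"header line without a colon: {line!r}")
        if not _TCHAR.match(name):          # also catches 'Host :' (space before colon)
            raise HeaderError(f"invalid field name: {name!r}")
        headers.append((name.lower(), value.strip(" \t")))
    return headers


def body_framing(headers):
    """Decide how the body is delimited (RFC 7230 section 3.3.3), refusing
    every ambiguous combination (the CVE-2019-20445 case) instead of picking
    one.  Returns ('chunked', None), ('content-length', n) or ('none', 0)."""
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        raise HeaderError("Content-Length and Transfer-Encoding both present")
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",")]
        if codings[-1] != "chunked":
            raise HeaderError(f"Transfer-Encoding without final chunked coding: {te}")
        return ("chunked", None)
    if len(cl) > 1:
        raise HeaderError(f"multiple Content-Length headers: {cl}")
    if cl:
        if not re.fullmatch(r"[0-9]+", cl[0]):   # also rejects the '5, 5' list form
            raise HeaderError(f"malformed Content-Length: {cl[0]!r}")
        return ("content-length", int(cl[0]))
    return ("none", 0)


def classify(block):
    """('ok', framing) for an unambiguous block, else ('reject', reason)."""
    try:
        return ("ok", body_framing(parse_headers(block)))
    except HeaderError as exc:
        return ("reject", str(exc))


if __name__ == "__main__":
    for label, block in SAMPLES.items():
        print(f"{label:<10} {classify(block)}")
```

The point of the design is that a single decision (content-length, chunked, or no body) is made once and any input that could support two readings is a hard reject; a front proxy and a back end that both apply this rule cannot be desynchronised by the header shapes the two CVEs describe.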

@NeelabhKher (Author)

@mbiarnes any guidance is highly appreciated

@mbiarnes (Contributor)

@NeelabhKher All deps come from WARs. These WARs (with deps) are downloaded from kiegroups/ to create the Docker images.
We are supervising the versions used by the different applications. Some dependencies can't be updated like this, for various reasons.
Please wait until we have the new version 7.55.0.Final.

@mpsz76 commented Jul 21, 2021

This still impacts us on the 7.55.0 version and is being flagged by X-Ray vulnerability scanning.

@NeelabhKher (Author)

Does it even impact the 7.56 version?

@mpsz76 commented Jul 21, 2021

Yes still impacts the 7.56 version. I'm thinking it's something with the current Wildfly version used.

@NeelabhKher (Author)

Thanks for the information.

@NeelabhKher (Author)

Any update on this one?

@mbiarnes (Contributor) commented Dec 3, 2021

@NeelabhKher Hi - I would scan again, because I think many versions have been updated in the meantime.

@mpsz76 commented Dec 14, 2021

In my use case, this is getting scanned against JFrog X-Ray vulnerability scanning. Here are the critical issues that pop up.

CVE-2016-2141 | Critical | org.jgroups:jgroups:3.3.4.Final
CVE-2018-1000134 | com.unboundid:unboundid-ldapsdk:3.2.0
CVE-2017-12629 | org.apache.lucene:lucene-queryparser 6.6.1
CVSS v3 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | lxml | unspecified encoded path traversal remote file write
CVE-2017-1000158 | CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow
CVE-2017-7465 | xalan | It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection
CVSS v3 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | io.fabric8:kubernetes-client | Fabric8 kubernetes-client contains a flaw that allows traversing outside of a restricted path. The issue is due to the podoperationsimpl::copydir() function in

This was run on version 7.62 of the image available from Quay.

@mbiarnes (Contributor)

@NeelabhKher @mpsz76 Hi, it would be nice if you could advise which versions have no vulnerability,
e.g. com.unboundid:unboundid-ldapsdk:3.2.0 -- com.unboundid:unboundid-ldapsdk:???
There are some dependencies coming from EAP7; these we can't change.
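The question just above asks which versions are clean, and the CVE descriptions quoted in the first post each carry a version bound ("before 4.0", "through 9.4.14.Final", "before 4.1.44"). The following Python is an added example, not code from kie-server-showcase, kiegroup, Aqua or JFrog: it walks an exported image tree (assumed to be, for instance, an untarred `docker export`), lists the JARs found loose on disk and inside WAR/EAR archives, and compares each installed version against the bound quoted on this page. The kie-server.war file name and the modules/ and deployments/ directories in the fixture are made up, the JARs in it are empty, and unboundid-ldapsdk gets no bound because the page names only commit hashes for it. A result of "above-bound" is a prompt to check the scanner's own affected-range data, not proof of a false positive: NVD prose and scanner feeds often disagree about ranges, and the version comparison here is a simplification of Maven's ordering.

```python
"""Inventory the JARs shipped in an image tree and triage scanner hits against
the version bounds quoted in this issue.  Added example, not code from
kie-server-showcase, kiegroup or any scanner vendor."""
import re
import tempfile
import zipfile
from pathlib import Path

# Bounds transcribed from the CVE descriptions quoted in this issue:
#   "fixed"   = first version the description calls unaffected ("before X")
#   "through" = last version the description calls affected ("through X")
# unboundid-ldapsdk is omitted because the page gives only commit hashes.
BOUNDS = {
    "jgroups": {"cve": "CVE-2016-2141", "fixed": "4.0"},
    "infinispan-core": {"cve": "CVE-2019-10158", "through": "9.4.14.Final"},
    "netty": {"cve": "CVE-2019-20445", "fixed": "4.1.44"},
    "slf4j-ext": {"cve": "CVE-2018-8088", "fixed": "1.8.0-beta2"},
    "lucene-core": {"cve": "CVE-2017-12629", "fixed": "7.1"},
}

# Pre-release qualifiers sort below a bare number; "final"/"ga" and vendor
# tags such as "jbossorg" are dropped.  Simplified from Maven's ordering.
_PRERELEASE = {"snapshot": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2,
               "milestone": 3, "m": 3, "rc": 4, "cr": 4}


def version_key(version):
    """Sortable key: digit runs -> (2, n); pre-release words -> (0, rank);
    a (1, 0) terminator makes '1.8.0-beta2' < '1.8.0' < '1.8.0.1'."""
    key = []
    for token in re.findall(r"\d+|[a-z]+", version.lower()):
        if token.isdigit():
            key.append((2, int(token)))
        elif token in _PRERELEASE:
            key.append((0, _PRERELEASE[token]))
    key.append((1, 0))
    return key


_JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def parse_jar_name(filename):
    """'unboundid-ldapsdk-3.2.0.jar' -> ('unboundid-ldapsdk', '3.2.0')."""
    match = _JAR_NAME.match(Path(filename).name)
    return (match["artifact"], match["version"]) if match else None


def inventory_jars(root):
    """Walk root for loose JARs (e.g. EAP modules) and for JARs bundled
    inside .war/.ear archives.  Returns (artifact, version, location) tuples."""
    root = Path(root)
    found = []
    for path in sorted(root.rglob("*")):
        rel = str(path.relative_to(root))
        if path.suffix == ".jar":
            parsed = parse_jar_name(path.name)
            if parsed:
                found.append((*parsed, rel))
        elif path.suffix in (".war", ".ear"):
            with zipfile.ZipFile(path) as archive:
                for entry in archive.namelist():
                    parsed = parse_jar_name(entry) if entry.endswith(".jar") else None
                    if parsed:
                        found.append((*parsed, f"{rel}!{entry}"))
    return found


def triage(inventory, bounds=BOUNDS):
    """Label each entry 'affected', 'above-bound' or 'no-bound'.  'above-bound'
    means the installed version is past the bound quoted on the page; confirm
    against the scanner's own affected range before closing the finding."""
    rows = []
    for artifact, version, location in inventory:
        bound = bounds.get(artifact)
        if bound is None:
            status = "no-bound"
        elif "fixed" in bound:
            status = "affected" if version_key(version) < version_key(bound["fixed"]) else "above-bound"
        else:
            status = "affected" if version_key(version) <= version_key(bound["through"]) else "above-bound"
        rows.append({"artifact": artifact, "version": version, "location": location,
                     "cve": bound["cve"] if bound else None, "status": status})
    return rows


def build_sample_tree(root):
    """Constructed fixture mirroring the versions reported in this issue; the
    WAR name and directory layout are made up and the JARs are empty."""
    root = Path(root)
    (root / "modules").mkdir(parents=True)
    (root / "modules" / "unboundid-ldapsdk-3.2.0.jar").write_bytes(b"")
    (root / "deployments").mkdir()
    with zipfile.ZipFile(root / "deployments" / "kie-server.war", "w") as war:
        for jar in ("jgroups-3.6.14.Final.jar", "infinispan-core-9.4.18.Final.jar",
                    "netty-3.10.6.Final.jar", "slf4j-ext-1.7.22.jbossorg-1.jar",
                    "lucene-core-6.6.1.jar"):
            war.writestr(f"WEB-INF/lib/{jar}", b"")


def demo():
    """Build the fixture in a temp dir and return its triage rows."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(inventory_jars(tmp))


if __name__ == "__main__":
    for row in demo():
        print(f"{row['status']:<12} {row['artifact']} {row['version']} "
              f"({row['cve']}) {row['location']}")
```

Run against a real export, the location column is what tells a maintainer whether a hit lives in a WAR pulled from kiegroup (fixable in the image build) or in a loose module JAR supplied by the base EAP/WildFly layer (not fixable from this repository), which is the distinction the maintainer draws above.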

@mpsz76 commented Dec 15, 2021

In my situation, the company did not scan intranet applications until January 2021. We are currently on 7.37, which was not scanned. The first scan was on 7.54, which has the same vulnerabilities as listed above.
