Hi all,
We have a set of containerized Lucee instances that we run on AWS in ECS. When we upload our images to ECR, we get 50+ “critical” vulnerabilities that are identified in the ECR container scanning. It looks like most of these are related back to com.fasterxml.jackson.core:jackson-databind 2.3.3 which is found in the opt/lucee/server/lucee-server/bundles/org.lucee.ehcache-2.10.3.jar path. I think the Hibernate extension is pulling in EHCache, but I’m not sure.
https://nvd.nist.gov/vuln/detail/CVE-2018-19361
Any ideas on how to remediate this?
Thanks!
Dylan
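
One way to confirm which archives in the image embed jackson-databind, and at what version, before deciding which extension or bundle to update or remove (an added example, not part of the original post and not Lucee or AWS tooling). It assumes the embedded copy kept its Maven `pom.properties` file; the function names and the `.lex`/`.lco` suffix list are assumptions.

```python
import io
import sys
import zipfile
from pathlib import Path

# Maven records the coordinates of a packaged artifact in this file; shaded or
# repackaged copies often keep it under some prefix directory.
MARKER = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".lex", ".lco")  # .lex/.lco: assumed Lucee archive types


def parse_version(data: bytes) -> str:
    """Return the version= value from a pom.properties file."""
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def scan_archive(fileobj, label, depth=0, max_depth=3):
    """Yield (location, version) for each jackson-databind copy in an archive."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return  # not a readable zip; skip it
    with zf:
        for name in zf.namelist():
            if name.endswith(MARKER):
                yield f"{label}!/{name}", parse_version(zf.read(name))
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < max_depth:
                # Archive inside an archive: recurse, bounded by max_depth.
                nested = io.BytesIO(zf.read(name))
                yield from scan_archive(nested, f"{label}!/{name}", depth + 1, max_depth)


def scan_tree(root):
    """Walk root and report every embedded jackson-databind with its version."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            with path.open("rb") as fh:
                hits.extend(scan_archive(fh, str(path)))
    return hits


if __name__ == "__main__":
    for location, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{version}\t{location}")
```

Pass the Lucee server directory from the image as the argument; each output line names the outer archive and the inner path, which shows which bundle is carrying the flagged copy. A copy that was repackaged without its `pom.properties` will not be reported, so an empty result is not proof of absence.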