We have a set of containerized Lucee instances that we run on AWS in ECS. When we upload our images to ECR, we get 50+ “critical” vulnerabilities that are identified in the ECR container scanning. It looks like most of these are related back to com.fasterxml.jackson.core:jackson-databind 2.3.3 which is found in the opt/lucee/server/lucee-server/bundles/org.lucee.ehcache-2.10.3.jar path. I think the Hibernate extension is pulling in EHCache, but I’m not sure.
Any ideas on how to remediate this?
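
To confirm which bundle or extension archive actually embeds jackson-databind before deciding what to remove or upgrade, the Lucee server directory can be scanned for the library's Maven metadata, including inside nested archives. This is an added example, not part of the original post or of Lucee's tooling; the function names are hypothetical, the sample jar is constructed, and it assumes the embedded copy still carries its `pom.properties`.

```python
import io
import re
import zipfile
from pathlib import Path

# Assumption: the embedded copy still carries its Maven metadata (pom.properties).
POM_PROPS = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
ARCHIVES = (".jar", ".war", ".lex")  # .lex = Lucee extension archive

def scan_archive(data, label, wanted, depth=0):
    """Return (containing archive, groupId, artifactId, version) for each match."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; skip it
    with zf:
        for info in zf.infolist():
            name = info.filename
            m = POM_PROPS.search(name)
            if m and m.group(2) == wanted:
                text = zf.read(info).decode("utf-8", "replace")
                props = dict(l.split("=", 1) for l in text.splitlines()
                             if "=" in l and not l.startswith("#"))
                hits.append((label, m.group(1), wanted, props.get("version", "?").strip()))
            elif name.lower().endswith(ARCHIVES) and depth < 4:  # bounded nesting
                hits += scan_archive(zf.read(info), f"{label}!/{name}", wanted, depth + 1)
    return hits

def scan_tree(root, wanted="jackson-databind"):
    """Scan every archive under root, e.g. a copy of the lucee-server directory."""
    paths = sorted(p for p in Path(root).rglob("*")
                   if p.is_file() and p.suffix.lower() in ARCHIVES)
    return [h for p in paths for h in scan_archive(p.read_bytes(), p.name, wanted)]

def build_sample(root):
    """Constructed sample: a bundle jar whose nested jar holds the metadata."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                   "#Generated\nversion=2.3.3\ngroupId=com.fasterxml.jackson.core\n")
    with zipfile.ZipFile(Path(root) / "sample-bundle.jar", "w") as z:
        z.writestr("lib/inner.jar", inner.getvalue())
    return root

if __name__ == "__main__":
    import sys, tempfile
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    print(*scan_tree(root), sep="\n")
```

Passing a directory as the first argument scans it instead of the constructed sample; each hit names the archive chain that contains the copy, which shows whether it comes from a bundle jar or from an extension archive.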