Ehcache extension adds 22 critical vulnerabilities to docker image

Hi
I just pushed a docker image to Docker hub. The only change from our previous image is adding Lucee’s Ehcache extension.

The base Lucee version is 5.4.4.38, and the Ehcache extension version is 2.10.0.25.

Docker is reporting this back to me:

[screenshot of the Docker Hub vulnerability report]

Where the “22” is the count of critical vulnerabilities that have been added to the image. The 36 is the “high” ones (which we’re not that concerned about).

Note that 2.10.0.25 is the latest “non-snapshot” version of this extension, according to Lucee Admin.

The good news is that Docker’s analysis claims that every single one of the criticals (and most/all of the highs) is fixable on more recent versions of the Jackson and Jetty libs included with Ehcache.

I guess I have some reading to do to work out whether we’re vulnerable to any of this lot (I am suspecting not), but figured you bods should know.

Also… what needs to happen before those “snapshot” builds get marked as “production ready” and accordingly lose the `-snapshot` suffix?

[screenshot of the extension’s version list in Lucee Admin]

Is the 2023-12-15 date there the date of the 2.10.0.25 version, or the latest “snapshot”?

NB: not giving anyone the hurry-up; I just figured the info / questions are worth raising.

Cheers.


Adam
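One way to check a scanner claim like the one above against the extension itself is to inventory the jars the extension actually bundles. The following is an added example, not code from this thread or from Lucee: it assumes a .lex extension is a zip archive whose bundled libraries sit under a jars/ directory with Maven-style artifact-version.jar names, and the sample archive and the version floors it uses are constructed for illustration (they are not a statement about which versions fix specific CVEs).

```python
"""Inventory the jars bundled inside a Lucee extension (.lex) archive.

Added example, not code from the forum thread or from Lucee. Assumes a .lex
is a zip with bundled libraries under jars/ named <artifact>-<version>.jar.
The sample archive and the policy floors are constructed for illustration.
"""
import io
import re
import zipfile

# Maven-style jar name: artifact segments never start with a digit, the
# version always does, e.g. jackson-databind-2.9.8.jar, jetty-server-9.4.11.v20180605.jar
JAR_NAME = re.compile(
    r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.]*(?:-[A-Za-z][A-Za-z0-9_.]*)*)"
    r"-(?P<version>\d[A-Za-z0-9_.-]*)\.jar$"
)


def parse_version(version):
    """Split '2.10.0-SNAPSHOT' into comparable parts: numeric parts become
    (1, int), qualifiers become (0, str), so a qualifier sorts below a number."""
    return [(1, int(t)) if t.isdigit() else (0, t) for t in re.split(r"[.-]", version)]


def compare_versions(a, b):
    """Return -1, 0 or 1. The shorter version is padded with (1, 0): a missing
    component counts as '.0' and outranks any qualifier, so the release
    '2.10.0' ranks above '2.10.0-SNAPSHOT'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [(1, 0)] * (width - len(pa))
    pb += [(1, 0)] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def list_bundled_jars(lex_bytes):
    """Map artifact -> version for every recognisable jar under jars/."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(lex_bytes)) as lex:
        for name in lex.namelist():
            if not name.startswith("jars/"):
                continue
            m = JAR_NAME.match(name[len("jars/"):])
            if m:
                found[m.group("artifact")] = m.group("version")
    return found


def find_outdated(jars, floors):
    """Return (artifact, bundled_version, floor) for each bundled artifact below
    its floor. Artifacts the archive does not bundle are not reported: absent
    is a different finding from outdated."""
    return [(a, jars[a], floors[a]) for a in sorted(floors)
            if a in jars and compare_versions(jars[a], floors[a]) < 0]


def build_sample_lex():
    """Constructed stand-in for an extension archive; the jar names and
    versions are illustrative, not taken from any real Ehcache release."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as lex:
        lex.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nid: example\n")
        for jar in ("jars/ehcache-2.10.6.jar", "jars/jackson-core-2.9.8.jar",
                    "jars/jackson-databind-2.9.8.jar",
                    "jars/jetty-server-9.4.11.v20180605.jar"):
            lex.writestr(jar, b"placeholder bytes, not a real jar")
    return buf.getvalue()


# Placeholder floors for the demo: substitute the fixed versions your scanner
# reports. These numbers make no claim about specific CVEs.
EXAMPLE_FLOORS = {"jackson-databind": "2.10.0", "jetty-server": "9.4.12", "ehcache": "2.10.6"}

if __name__ == "__main__":
    bundled = list_bundled_jars(build_sample_lex())
    for artifact, version, floor in find_outdated(bundled, EXAMPLE_FLOORS):
        print(f"{artifact} {version} is below floor {floor}")
```

To run it against a real extension, read the .lex file's bytes (for example after copying it out of the image with `docker cp`) and pass them to `list_bundled_jars`. This only reads jar file names, so it will not see shaded or repackaged classes; treat it as a triage check alongside the scanner, not a replacement for it.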

Ooh I just noticed that amidst all the snapshots is 2.10.0.36.

I will try that, and report back with any change.

I wonder if there’s any real point in listing out of date snapshot versions there? Kinda buries the lede a bit?

Good news.

1.38RC is running 2.10.0.36, and RC2 is running 2.10.0.37-SNAPSHOT.

So no exposed criticals; and the diff in the high-level ones seems to be yet more issues with the Jackson lib (all fixed apparently though). I did not immediately spot where the new mediums come from.

I’ll bump us to 2.10.0.36 and that will keep our infosec bods happy.


Yeah, the Ehcache extension needs a serious upgrade to the next major version; it’s a question of resources.

For Lucee 7, we will actually unbundle it (which doesn’t help with that CVE problem) Jira, as it’s huge and accounts for 20 MB of the 90 MB fat jar! (which is then multiplied on disk when deployed)

The reason the non-snapshot versions suddenly appeared is that, as part of our release process (i.e. 6.2.0.321), any bundled snapshots are published as stable.
