topic Re: Several vulnerabilities in ACS docker images 7.0.1 and 7.1.0 detected by Trivy in Alfresco Forum

Several vulnerabilities in ACS docker images 7.0.1 and 7.1.0 detected by Trivy

jego — Mon, 01 Nov 2021 14:29:40 GMT

We are using the provided alfresco enterprise containers to deploy Alfresco in the Azure Kubernetes Cluster.

In terms of container security we are using trivy to scan the images for vulnerabilities.

We have used trivy to scan the acs image in version 7.0.1 with following command:

trivy -d quay.io/alfresco/alfresco-content-repository:7.0.1

The result is:

quay.io/alfresco/alfresco-content-repository:7.0.1 (centos 8.4.2105)
====================================================================
Total: 337 (UNKNOWN: 0, LOW: 139, MEDIUM: 178, HIGH: 16, CRITICAL: 4)

Even the new Alfresco Content repository 7.1.0 image has several known security issues, even more than the older version.

quay.io/alfresco/alfresco-content-repository:7.1.0 (centos 7.9.2009)
====================================================================
Total: 810 (UNKNOWN: 0, LOW: 410, MEDIUM: 389, HIGH: 9, CRITICAL: 2)

Fun fact: For the newer version of acs there is a os-downgrade to centos 7.9 (instead of centos 8.4 in acs-7.0.1), so it would explain the higher number of issues.

For me these results are not acceptable as we need to deploy a docker container of an Enterprise software on a customer platform with high and critical issues.

@angelborroy : Do you know more about the process behind docker container updates and fixing security issues? Do you already scan your docker images for security issues? Do you know where to submit these issues- In the github project https://github.com/Alfresco/acs-packaging/ or as support ticket?

Re: Several vulnerabilities in ACS docker images 7.0.1 and 7.1.0 detected by Trivy

abhinavmishra14 — Mon, 01 Nov 2021 20:12:49 GMT

In general, you can open issue here: https://github.com/Alfresco/acs-packaging/

@amanda_roberts or @angelborroy May be able to direct you to a correct channel to open the ticket with support and followups.

Re: Several vulnerabilities in ACS docker images 7.0.1 and 7.1.0 detected by Trivy

angelborroy — Tue, 02 Nov 2021 08:37:45 GMT

Thanks for the detailed report, Jens.

We are using different tools in order to identify vulnerabilities in our Docker Images. This process is proactively used for every release, but there may be something we're missing.

Let me verify the impact of the vulnerabilities identified by Trivy and I'll be back with additional information.

Re: Several vulnerabilities in ACS docker images 7.0.1 and 7.1.0 detected by Trivy

jego — Tue, 02 Nov 2021 09:28:24 GMT

I have also created a support case - thenumber is 00556732- maybe you can have a look into it because there are some answers already from Scott.

Thx

Re: Several vulnerabilities in ACS docker images 7.0.1 and 7.1.0 detected by Trivy

angelborroy — Tue, 02 Nov 2021 10:07:59 GMT

Great @jego

I'll follow this case.

Since we are using different vulnerability tools, I guess we should need to identify those reports from Trivy.

Additionally, the move to CentOS 8 to CentOS 7 was related with CentOS 8 EOL for December 2021:

https://www.centos.org/centos-linux-eol/