Docker security announcements
Text4Shell CVE-2022-42889
Last updated October 2022
CVE-2022-42889 has been discovered in the popular Apache Commons Text library. Versions of this library up to but not including 1.10.0 are affected by this vulnerability.
We strongly encourage you to update to the latest version of Apache Commons Text.
Scan images on Docker Hub
Docker Hub security scans triggered after 1200 UTC 21 October 2021 are now correctly identifying the Text4Shell CVE. Scans before this date do not currently reflect the status of this vulnerability. Therefore, we recommend that you trigger scans by pushing new images to Docker Hub to view the status of the Text4Shell CVE in the vulnerability report. For detailed instructions, see Scan images on Docker Hub.
Docker Official Images impacted by CVE-2022-42889
A number of Docker Official Images contain the vulnerable versions of Apache Commons Text. The following lists Docker Official Images that may contain the vulnerable versions of Apache Commons Text:
- bonita
- Couchbase
- Geonetwork
- neo4j
- silverpeas
- solr
- xwiki
We have updated Apache Commons Text in these images to the latest version. Some of these images may not be vulnerable for other reasons. We recommend that you also review the guidelines published on the upstream websites.
Log4j 2 CVE-2021-44228
Last updated December 2021
The Log4j 2 CVE-2021-44228 vulnerability in Log4j 2, a very common Java logging library, allows remote code execution, often from a context that is easily reachable by an attacker. For example, it was found in Minecraft servers, where a string typed into the in-game chat was enough, because chat messages were passed straight to the logger. This makes it a very serious vulnerability, as the logging library is used so widely and it may be simple to exploit. Many open source maintainers are working hard on fixes and updates across the software ecosystem.
The vulnerable versions of Log4j 2 are versions 2.0 to version 2.14.1 inclusive. The first fixed version is 2.15.0. We strongly encourage you to update to the latest version if you can. If you are using a version before 2.0, you are also not vulnerable.
Even on an affected version you may not be exploitable, because your configuration may already mitigate the issue, or the data you log may never include user input. This is difficult to verify, however, without understanding in detail every code path that logs and where each one gets its input from. So you will most likely want to upgrade all code that uses a vulnerable version.
CVE-2021-45046
As an update to CVE-2021-44228, the fix made in version 2.15.0 was incomplete. Additional issues have been identified and are tracked as CVE-2021-45046 and CVE-2021-45105. For a more complete fix to this vulnerability, we recommend that you update to 2.17.0 where possible.
Scan images on Docker Hub
Docker Hub security scans triggered after 1700 UTC 13 December 2021 are now correctly identifying the Log4j 2 CVEs. Scans before this date do not currently reflect the status of this vulnerability. Therefore, we recommend that you trigger scans by pushing new images to Docker Hub to view the status of the Log4j 2 CVEs in the vulnerability report. For detailed instructions, see Scan images on Docker Hub.
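Both announcements above ask you to confirm which library version an image actually ships before relying on a Hub scan. The following is an added example written for this page (not Docker's tooling and not part of the Hub scanner): it lists the jars inside an image and compares the version in each Maven-style jar name against the ranges stated here (Commons Text before 1.10.0; Log4j 2 from 2.0 to 2.14.1 inclusive, with 2.15.0 and 2.16.0 flagged as an incomplete fix and 2.17.0 as the recommended minimum). The `docker run ... find` enumeration, the sample paths, and the function names are assumptions made for the example.

```python
"""Check the jars inside a container image against the affected version ranges
stated on this page (Apache Commons Text CVE-2022-42889 and Log4j 2 CVE-2021-44228
/ CVE-2021-45046 / CVE-2021-45105). Example code added for this page, not part of
Docker Hub scanning."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Version boundaries taken from the announcements above.
COMMONS_TEXT_FIXED = (1, 10, 0)    # CVE-2022-42889: affected up to but not including 1.10.0
LOG4J2_FIRST_FIX = (2, 15, 0)      # 2.15.0 / 2.16.0 fix is incomplete (CVE-2021-45046, CVE-2021-45105)
LOG4J2_RECOMMENDED = (2, 17, 0)    # recommended minimum

# Matches Maven-style jar names such as log4j-core-2.14.1.jar or commons-text-1.9.jar,
# with an optional qualifier (log4j-core-2.0-beta9.jar). log4j-api-*.jar is deliberately
# not matched (the API jar does not carry the vulnerable code), and Log4j 1.x ships as
# log4j-1.x.y.jar, which the page says is not affected by these CVEs.
JAR_RE = re.compile(
    r"(?:^|/)(commons-text|log4j-core)-(\d+(?:\.\d+)*)(?:[-.][A-Za-z][\w.]*)?\.jar$"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '1.9' -> (1, 9, 0). Padding to three parts keeps
    tuple comparisons consistent (1.9 must sort below 1.10.0)."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def classify_jar(path: str) -> Optional[str]:
    """Return a status string for a commons-text or log4j-core jar, None for anything else."""
    m = JAR_RE.search(path)
    if m is None:
        return None
    artifact, version = m.group(1), parse_version(m.group(2))
    if artifact == "commons-text":
        if version < COMMONS_TEXT_FIXED:
            return "VULNERABLE CVE-2022-42889 (upgrade to 1.10.0 or later)"
        return "OK"
    # log4j-core: every 2.x release below 2.15.0 is in the 2.0..2.14.1 affected range
    if version < LOG4J2_FIRST_FIX:
        return "VULNERABLE CVE-2021-44228 (upgrade to 2.17.0 or later)"
    if version < LOG4J2_RECOMMENDED:
        return "INCOMPLETE FIX CVE-2021-45046/CVE-2021-45105 (upgrade to 2.17.0 or later)"
    return "OK"


def audit(jar_paths: List[str]) -> Dict[str, str]:
    """Map every recognised jar path to its status; unrelated jars are skipped."""
    report: Dict[str, str] = {}
    for path in jar_paths:
        status = classify_jar(path)
        if status is not None:
            report[path] = status
    return report


def needs_action(report: Dict[str, str]) -> List[str]:
    """Paths whose status is anything other than OK."""
    return [p for p, s in report.items() if s != "OK"]


def list_jars_in_image(image: str) -> List[str]:
    """Enumerate *.jar files in an image by running `find` in a throwaway container.
    Assumes the image has a `find` binary on PATH; overriding the entrypoint keeps the
    application itself from starting. `find /` exits non-zero when it meets unreadable
    directories such as /proc, so the exit status is deliberately not checked."""
    cmd = ["docker", "run", "--rm", "--entrypoint", "find", image,
           "/", "-type", "f", "-name", "*.jar"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return [line for line in proc.stdout.splitlines() if line]


# Constructed sample listing (hypothetical paths) so the check runs without Docker.
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/opt/other/lib/log4j-core-2.15.0.jar",
    "/opt/other/lib/log4j-core-2.17.0.jar",
    "/opt/app/lib/commons-text-1.9.jar",
    "/opt/other/lib/commons-text-1.10.0.jar",
    "/opt/app/lib/commons-lang3-3.12.0.jar",
]

if __name__ == "__main__":
    import sys
    jars = list_jars_in_image(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_JARS
    report = audit(jars)
    for path, status in sorted(report.items()):
        print(f"{status:75} {path}")
    print(f"{len(needs_action(report))} jar(s) need action")
```

Run it with an image reference (`python check_jars.py myorg/app:tag`) or with no argument to see the constructed sample. A clean result only means no jar with a recognisable name was found: shaded or fat jars, copies embedded in a WAR, and relocated classes are invisible to a filename check, so treat this as a quick triage step and keep the Docker Hub scan and the upstream advisories as the authoritative source.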
Docker Official Images impacted by Log4j 2 CVE
Last updated December 2021
A number of Docker Official Images contain versions of Log4j 2 affected by CVE-2021-44228. The following table lists Docker Official Images that may have contained the vulnerable versions of Log4j 2. We updated Log4j 2 in these images to the latest version. Some of these images may not be vulnerable for other reasons. We recommend that you also review the guidelines published on the upstream websites.
Repository | Patched version | Additional documentation
---|---|---
couchbase | 7.0.3 | Couchbase blog
Elasticsearch | 6.8.22, 7.16.2 | Elasticsearch announcement
Flink | 1.11.6, 1.12.7, 1.13.5, 1.14.2 | Flink advice on Log4j CVE
Geonetwork | 3.10.10 | Geonetwork GitHub discussion
lightstreamer | Awaiting info | Awaiting info
logstash | 6.8.22, 7.16.2 | Elasticsearch announcement
neo4j | 4.4.2 | Neo4j announcement
solr | 8.11.1 | Solr security news
sonarqube | 8.9.5, 9.2.2 | SonarQube announcement
storm | Awaiting info | Awaiting info
Note
Although xwiki images may be detected as vulnerable by some scanners, the authors believe the images are not vulnerable to the Log4j 2 CVE, as the API jars do not contain the vulnerability. The Nuxeo image is deprecated and will not be updated.