Several vulnerabilities in ACS docker images 7.0.1 and 7.1.0 detected by Trivy

jego
Partner


We are using the provided Alfresco Enterprise containers to deploy Alfresco in the Azure Kubernetes cluster.

In terms of container security, we are using Trivy to scan the images for vulnerabilities.

We have used Trivy to scan the ACS image in version 7.0.1 with the following command:

trivy -d quay.io/alfresco/alfresco-content-repository:7.0.1

The result is:


quay.io/alfresco/alfresco-content-repository:7.0.1 (centos 8.4.2105)
====================================================================
Total: 337 (UNKNOWN: 0, LOW: 139, MEDIUM: 178, HIGH: 16, CRITICAL: 4)


Even the new Alfresco Content Repository 7.1.0 image has several known security issues, even more than the older version.

quay.io/alfresco/alfresco-content-repository:7.1.0 (centos 7.9.2009)
====================================================================
Total: 810 (UNKNOWN: 0, LOW: 410, MEDIUM: 389, HIGH: 9, CRITICAL: 2)

Fun fact: for the newer version of ACS there is an OS downgrade to CentOS 7.9 (instead of CentOS 8.4 in ACS 7.0.1), which would explain the higher number of issues.

For me these results are not acceptable, as we need to deploy a Docker container of an enterprise software product with high and critical issues on a customer platform.

@angelborroy: Do you know more about the process behind Docker container updates and fixing security issues? Do you already scan your Docker images for security issues? Do you know where to submit these issues: in the GitHub project https://github.com/Alfresco/acs-packaging/ or as a support ticket?
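The numbers above come from Trivy's table output, which only gives totals per severity. What a practitioner needs before arguing about a count is the triage behind it: which findings are HIGH/CRITICAL, which of those already have a fixed package version in the distro or library, and whether the base OS is still receiving vendor fixes at all (the CentOS point raised in this thread). The script below is an added example, not code from this thread, from Alfresco/Hyland, or from Trivy itself. It reads the JSON that `trivy image --format json --output report.json IMAGE` writes (Trivy JSON SchemaVersion 2), reproduces the per-severity summary, separates fixable from unfixed findings, and applies the same gate as `trivy image --severity HIGH,CRITICAL --exit-code 1` with an optional `--ignore-unfixed` and a `.trivyignore`-style accept list. The embedded report is constructed: package names, versions and CVE identifiers are placeholders, not findings from the ACS images, and the `Metadata.OS.EOSL` flag is an assumption about how recent Trivy versions mark an end-of-support distribution.

```python
"""Triage of a Trivy JSON report: per-severity counts, fixable vs. unfixed
findings, an admission gate, and an end-of-life check on the base OS.

Added example; it is not code from the thread, from Alfresco, or from
Trivy itself. It expects the JSON that `trivy image --format json
--output report.json IMAGE` writes (SchemaVersion 2). The report embedded
below is constructed: package names, versions and CVE IDs are
placeholders, not findings from the ACS images.
"""
import json
import sys
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in Trivy's JSON shape; every identifier is a placeholder.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/repo/image:1.0",
    "ArtifactType": "container_image",
    # Assumption: recent Trivy sets Metadata.OS.EOSL for an end-of-support distro.
    "Metadata": {"OS": {"Family": "centos", "Name": "7.9.2009", "EOSL": True}},
    "Results": [
        {"Target": "registry.example/repo/image:1.0 (centos 7.9.2009)",
         "Class": "os-pkgs", "Type": "centos",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
              "InstalledVersion": "2.3-4", "FixedVersion": "", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "baz",
              "InstalledVersion": "0.9-1", "FixedVersion": "", "Severity": "LOW"}]},
        {"Target": "app/WEB-INF/lib/example.jar", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "org.example:lib",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"}]},
    ],
})


def load_sample():
    """The constructed report above, parsed."""
    return json.loads(SAMPLE_REPORT)


def findings(report):
    """Yield (target, class, vulnerability) for every finding in the report.
    Results without findings carry no "Vulnerabilities" key, hence the `or []`."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), result.get("Class", ""), vuln


def summarize(report):
    """Counts per severity, like Trivy's 'Total: N (LOW: .., ...)' line, and
    how many of each severity already have a fixed package version."""
    total, fixable = Counter(), Counter()
    for _, _, v in findings(report):
        sev = v.get("Severity", "UNKNOWN")
        total[sev] += 1
        if v.get("FixedVersion"):
            fixable[sev] += 1
    return {"total": dict(total), "fixable": dict(fixable)}


def gate(report, fail_on=("HIGH", "CRITICAL"), ignore_unfixed=False, ignore_ids=()):
    """Admission decision for CI: (admit, blocking_findings).

    Same policy as `trivy image --severity HIGH,CRITICAL --exit-code 1
    [--ignore-unfixed]` plus a .trivyignore-style list of accepted IDs,
    but returning the blocking findings so they can be reported."""
    blocking = []
    for target, cls, v in findings(report):
        if v.get("Severity") not in fail_on or v.get("VulnerabilityID") in ignore_ids:
            continue
        if ignore_unfixed and not v.get("FixedVersion"):
            continue
        blocking.append({"id": v.get("VulnerabilityID"), "severity": v.get("Severity"),
                         "pkg": v.get("PkgName"), "installed": v.get("InstalledVersion"),
                         "fixed": v.get("FixedVersion") or None,
                         "class": cls, "target": target})
    return not blocking, blocking


def os_end_of_life(report):
    """An end-of-life base OS gets no more vendor fixes, so its unfixed
    findings never clear; `--ignore-unfixed` would silently hide them."""
    return bool(report.get("Metadata", {}).get("OS", {}).get("EOSL"))


def main(argv):
    report = json.load(open(argv[1])) if len(argv) > 1 else load_sample()
    s = summarize(report)
    line = ", ".join(f"{sev}: {s['total'].get(sev, 0)}/{s['fixable'].get(sev, 0)}"
                     for sev in SEVERITIES)
    print(f"{report.get('ArtifactName')}  total/fixable  {line}")
    eol = os_end_of_life(report)
    if eol:
        print("base OS is end-of-life: do not rely on --ignore-unfixed")
    # Only tolerate unfixed findings while the distro can still ship fixes.
    admit, blocking = gate(report, ignore_unfixed=not eol)
    for b in blocking:
        print(f"  {b['severity']:8} {b['id']} {b['pkg']} {b['installed']} "
              f"-> {b['fixed'] or 'no fix'} ({b['target']})")
    return 0 if admit else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 triage.py report.json` after `trivy image --format json --output report.json IMAGE`; with no argument it runs against the constructed sample. The exit code makes it usable as a pipeline gate, and the printed list of blocking findings, with installed and fixed versions side by side, is what to attach to a support case or GitHub issue rather than the bare totals.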



4 Replies
abhinavmishra14
Advanced

Re: Several vulnerabilities in ACS docker images 7.0.1 and 7.1.0 detected by Trivy

In general, you can open issue here: https://github.com/Alfresco/acs-packaging/

@amanda_roberts or @angelborroy may be able to direct you to the correct channel to open the ticket with support and follow up.

~Abhinav
(ACSCE, AWS SAA, GAIQ)
angelborroy
Alfresco Employee

Re: Several vulnerabilities in ACS docker images 7.0.1 and 7.1.0 detected by Trivy

Thanks for the detailed report, Jens.

We are using different tools in order to identify vulnerabilities in our Docker Images. This process is proactively used for every release, but there may be something we're missing.

Let me verify the impact of the vulnerabilities identified by Trivy and I'll be back with additional information.

Hyland Developer Evangelist
jego
Partner

Re: Several vulnerabilities in ACS docker images 7.0.1 and 7.1.0 detected by Trivy

I have also created a support case; the number is 00556732. Maybe you can have a look into it, because there are some answers already from Scott.

Thx

angelborroy
Alfresco Employee

Re: Several vulnerabilities in ACS docker images 7.0.1 and 7.1.0 detected by Trivy

Great @jego 

I'll follow this case.

Since we are using different vulnerability tools, I guess we need to identify those reports from Trivy.

Additionally, the move from CentOS 8 to CentOS 7 was related to the CentOS 8 EOL in December 2021:

https://www.centos.org/centos-linux-eol/

Hyland Developer Evangelist