jim60105
Contributor

Close issue: https://forum.camunda.io/t/cvss-9-8-cve-in-camunda-7-bpm-platform-docker-image/59700


Hi camunda team,

Our team scanned the camunda/camunda-bpm-platform:7.22.0 docker image and found that it contains a package with critical and high risk-level vulnerabilities.

/camunda/javaagent/jmx_prometheus_javaagent.jar
pkg:maven/org.yaml/snakeyaml@1.16
CVE-2022-1471
CVE-2017-18640
CVE-2022-25857

They originate from an outdated jmx_exporter, which was added in the download.sh script.

Fortunately, the version has been extracted as an ARG in the Dockerfile, making it easy to upgrade to a new version.


This PR will fix the above issue.
I would be very grateful if this could be merged.
Thank you.
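The finding above is a shaded dependency: the vulnerable snakeyaml lives inside the agent jar, so an image scanner that only reads OS package lists or top-level Maven metadata will miss it. The following is an added check, not code from this PR or from the Camunda project, that opens a fat jar, reads every shaded dependency's pom.properties, and flags a bundled snakeyaml older than the fixed-in versions for the three CVEs listed in the report (1.26 for CVE-2017-18640, 1.31 for CVE-2022-25857, 2.0 for CVE-2022-1471). The jar it builds when run without arguments is a constructed stand-in for jmx_prometheus_javaagent.jar, not the real artifact.

```python
"""Locate a shaded SnakeYAML inside a fat jar and flag known-vulnerable versions."""
import io
import sys
import zipfile
from typing import Dict, List, Optional, Tuple

# Fixed-in versions for the CVEs named in the report (from the NVD entries).
SNAKEYAML_FIXES: Dict[str, Tuple[int, ...]] = {
    "CVE-2017-18640": (1, 26),
    "CVE-2022-25857": (1, 31),
    "CVE-2022-1471": (2, 0),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.16' -> (1, 16). Each dotted part keeps only its leading digits,
    so '2.0-rc1' -> (2, 0); parsing stops at the first non-numeric part."""
    parts: List[int] = []
    for piece in v.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        if not num:
            break
        parts.append(int(num))
    return tuple(parts)


def shaded_deps(jar_bytes: bytes) -> Dict[str, str]:
    """Map 'groupId:artifactId' -> version for every Maven pom.properties
    the shade plugin left under META-INF/maven/ inside the jar."""
    deps: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props: Dict[str, str] = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, val = line.partition("=")
                    props[key.strip()] = val.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                deps[f"{props['groupId']}:{props['artifactId']}"] = props["version"]
    return deps


def snakeyaml_findings(jar_bytes: bytes) -> Optional[Dict[str, object]]:
    """Return a purl plus the CVEs a bundled snakeyaml is still exposed to,
    or None when the jar does not embed snakeyaml at all."""
    version = shaded_deps(jar_bytes).get("org.yaml:snakeyaml")
    if version is None:
        # Shading can strip pom.properties; fall back to the class path prefix.
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            if any(n.startswith("org/yaml/snakeyaml/") for n in zf.namelist()):
                return {"purl": "pkg:maven/org.yaml/snakeyaml@unknown",
                        "cves": ["version unknown; inspect manually"]}
        return None
    parsed = parse_version(version)
    cves = sorted(cve for cve, fixed in SNAKEYAML_FIXES.items() if parsed < fixed)
    return {"purl": f"pkg:maven/org.yaml/snakeyaml@{version}", "cves": cves}


def build_sample_jar(snakeyaml_version: str) -> bytes:
    """Constructed stand-in for an agent jar with snakeyaml shaded in
    (sample data only, not the real jmx_prometheus_javaagent.jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            "META-INF/maven/org.yaml/snakeyaml/pom.properties",
            "#Generated by Maven\n"
            f"version={snakeyaml_version}\ngroupId=org.yaml\nartifactId=snakeyaml\n",
        )
        zf.writestr("org/yaml/snakeyaml/Yaml.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real jar path as the first argument; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_jar("1.16")
    print(snakeyaml_findings(data))
```

To run it against the image itself, create a container from the tag without starting it and copy the jar out (`docker create` followed by `docker cp` of /camunda/javaagent/jmx_prometheus_javaagent.jar), then pass that file as the argument. The version comparison is deliberately tuple-based rather than string-based so that 1.33 is correctly ranked above 1.26 and below 2.0.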

@CLAassistant

CLAassistant commented Feb 24, 2025

CLA assistant check
All committers have signed the CLA.

@jim60105 jim60105 changed the title build(deps): bump jmx_prometheus_javaagent version to 1.0.1 Fix CVSS 9.8 CVE in Camunda 7 BPM platform docker image Feb 24, 2025
@HeleneW-dot HeleneW-dot self-assigned this Feb 25, 2025
@HeleneW-dot
Contributor

Hi @jim60105 ,
Thank you for raising this issue, I am going to have a closer look at your report and post another update here once we have qualified the issue.
For the future, please raise security concerns via our trust center instead of the public repo or forum.

Thanks!
Helene

@HeleneW-dot
Contributor

Hi @jim60105, we've had a look at this dependency and found the following:

  • The Prometheus JMX Exporter is disabled by default
  • This vulnerability only exists when using the WildFly or Tomcat Docker image with a configuration from untrusted sources
  • Applying configurations from untrusted sources is an anti-pattern leading to more severe problems

We will still look into bumping this dependency, however we first need to conduct some internal checks such as licensing. Once these checks have passed, I will post another update here on whether we can merge this PR.

Thank you,
Helene

@HeleneW-dot
Contributor

Running CI workflows in this PR with a duplicate branch to avoid an unauthorised exception.

@HeleneW-dot
Contributor

HeleneW-dot commented Apr 10, 2025

Hi @jim60105 ,
just to keep you informed, this change required a few more follow-up adjustments to make our current CI compatible with this version bump. I have created this PR for that purpose, which will be reviewed soon. I can add you as a co-author on it before merging.
I will close this PR for now since it is now a duplicate: your changes have already been picked over to the other PR.

Thank you again for your contribution!
Helene

@jim60105
Contributor Author

Understood, thank you for your reply.

@HeleneW-dot
Contributor

Hi @jim60105 ,
Just to let you know, the changes have now been merged.
Thank you,
Helene
