    • Release Notes
      = Che server vulnerabilities fix

      Before this update, there were Che server vulnerabilities related to PostgreSQL and others. With this update, the vulnerabilities are fixed.
    • Bug Fix
    • Done

      Synced from eclipse/che issue

      https://github.com/eclipse/che/issues/22062

      Describe the bug

      Trivy's scan reports many vulnerabilities for the Che server (including critical and high vulnerabilities). Some of them are related to PostgreSQL, which has been deprecated and is no longer used by Che. Some critical ones are related to com.h2database:h2, for which a new version is proposed in the report.

      Repository: eclipse/che-server
      Tag: 7.62.0
      Critical: 7
      High: 13

      vulnerabilityID      severity  resource                               installedVersion  fixedVersion
      -------------------  --------  -------------------------------------  ----------------  ------------
      CVE-2023-0767        HIGH      nss                                    3.79.0-10.el8_6   3.79.0-11.el8_7
      CVE-2023-0767        HIGH      nss-softokn                            3.79.0-10.el8_6   3.79.0-11.el8_7
      CVE-2023-0767        HIGH      nss-softokn-freebl                     3.79.0-10.el8_6   3.79.0-11.el8_7
      CVE-2023-0767        HIGH      nss-sysinit                            3.79.0-10.el8_6   3.79.0-11.el8_7
      CVE-2023-0767        HIGH      nss-util                               3.79.0-10.el8_6   3.79.0-11.el8_7
      CVE-2021-23463       CRITICAL  com.h2database:h2                      1.4.196           2.0.202
      CVE-2021-42392       CRITICAL  com.h2database:h2                      1.4.196           2.0.206
      CVE-2022-23221       CRITICAL  com.h2database:h2                      1.4.196           2.1.210
      GHSA-h376-j262-vhq6  UNKNOWN   com.h2database:h2                      1.4.196           2.0.206
      CVE-2023-24998       HIGH      commons-fileupload:commons-fileupload  1.4               1.5
      CVE-2023-24998       HIGH      commons-fileupload:commons-fileupload  1.4               1.5
      CVE-2019-0205        HIGH      org.apache.thrift:libthrift            0.12.0            0.13.0
      CVE-2019-0210        HIGH      org.apache.thrift:libthrift            0.12.0            0.13.0
      CVE-2020-13949       HIGH      org.apache.thrift:libthrift            0.12.0            0.14.0
      CVE-2022-42252       HIGH      org.apache.tomcat:tomcat-coyote        10.0.14           8.5.83, 9.0.68, 10.0.27, 10.1.1
      CVE-2022-21724       CRITICAL  org.postgresql:postgresql              42.2.24           42.2.25, 42.3.2
      CVE-2022-21724       CRITICAL  org.postgresql:postgresql              42.2.24           42.2.25, 42.3.2
      CVE-2022-26520       CRITICAL  org.postgresql:postgresql              42.2.24           42.3.3
      CVE-2022-26520       CRITICAL  org.postgresql:postgresql              42.2.24           42.3.3
      CVE-2022-31197       HIGH      org.postgresql:postgresql              42.2.24           42.2.26, 42.3.7, 42.4.1
      CVE-2022-31197       HIGH      org.postgresql:postgresql              42.2.24           42.2.26, 42.3.7, 42.4.1

      Che version

      7.61@latest

      Steps to reproduce

      trivy image quay.io/eclipse/che-server:7.62.0
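      The summary above (critical and high counts, one row per finding, with the same library counted once per jar it ships in) can be produced from Trivy's machine-readable output instead of the human table. The script below is an added example, not code from eclipse/che or the Trivy project: it assumes the JSON shape Trivy writes with `trivy image --format json <image>` (a top-level `Results` list whose entries carry `Target` and `Vulnerabilities`, each vulnerability with `VulnerabilityID`, `Severity`, `PkgName`, `InstalledVersion`, `FixedVersion`), and it embeds a constructed, trimmed report built from a few rows of this issue's table so it runs offline. It shows why the table carries duplicate rows (one finding listed under two targets), reports both raw and de-duplicated counts, and filters to a minimum severity for triage.

```python
"""Summarise a Trivy JSON report into the severity counts and table used in this issue.

Added example, not code from eclipse/che or Trivy. Relies only on the fields
named in FIELDS from Trivy's `--format json` output (Results[].Vulnerabilities[]).
"""
import json
from collections import Counter

# Constructed sample: a trimmed, Trivy-shaped report. CVE-2022-21724 is listed
# twice under the Java target, which is how the duplicate rows in the issue's
# flattened table arise (the same library shipped in more than one jar).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "quay.io/eclipse/che-server:7.62.0",  # image named in the issue
    "Results": [
        {
            "Target": "quay.io/eclipse/che-server:7.62.0 (ubi 8.6)",  # assumed target label
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-0767", "Severity": "HIGH",
                 "PkgName": "nss", "InstalledVersion": "3.79.0-10.el8_6",
                 "FixedVersion": "3.79.0-11.el8_7"},
            ],
        },
        {
            "Target": "Java",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-23221", "Severity": "CRITICAL",
                 "PkgName": "com.h2database:h2", "InstalledVersion": "1.4.196",
                 "FixedVersion": "2.1.210"},
                {"VulnerabilityID": "CVE-2022-21724", "Severity": "CRITICAL",
                 "PkgName": "org.postgresql:postgresql",
                 "InstalledVersion": "42.2.24", "FixedVersion": "42.2.25, 42.3.2"},
                {"VulnerabilityID": "CVE-2022-21724", "Severity": "CRITICAL",
                 "PkgName": "org.postgresql:postgresql",
                 "InstalledVersion": "42.2.24", "FixedVersion": "42.2.25, 42.3.2"},
                {"VulnerabilityID": "GHSA-h376-j262-vhq6", "Severity": "UNKNOWN",
                 "PkgName": "com.h2database:h2", "InstalledVersion": "1.4.196",
                 "FixedVersion": "2.0.206"},
            ],
        },
    ],
})

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
RANK = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}
FIELDS = ("VulnerabilityID", "Severity", "PkgName", "InstalledVersion", "FixedVersion")


def load_findings(report_text):
    """Flatten Results[].Vulnerabilities[] into (id, severity, pkg, installed, fixed) tuples."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for clean targets; treat both as empty.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append(tuple(vuln.get(field, "") for field in FIELDS))
    return findings


def count_by_severity(findings, unique=False):
    """Count findings per severity; unique=True collapses rows repeated across targets."""
    rows = set(findings) if unique else findings
    counts = Counter(row[1] for row in rows)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def at_least(findings, min_severity="HIGH"):
    """Unique findings at or above min_severity, worst first; UNKNOWN never qualifies."""
    cutoff = RANK[min_severity]
    keep = {row for row in findings if RANK.get(row[1], len(RANK)) <= cutoff}
    return sorted(keep, key=lambda row: (RANK[row[1]], row[2], row[0]))


def render_table(rows):
    """Render rows as the aligned text table used in the issue (header, dashes, rows)."""
    header = ("vulnerabilityID", "severity", "resource", "installedVersion", "fixedVersion")
    widths = [max(len(r[i]) for r in (header, *rows)) for i in range(len(header))]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    lines = [fmt.format(*header), fmt.format(*("-" * w for w in widths))]
    lines += [fmt.format(*row) for row in rows]
    return "\n".join(line.rstrip() for line in lines)


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    print("raw counts:   ", count_by_severity(found))
    print("unique counts:", count_by_severity(found, unique=True))
    print(render_table(at_least(found, "HIGH")))
```

      On a real report, replace `SAMPLE_REPORT` with the contents of the file written by `trivy image --format json -o report.json quay.io/eclipse/che-server:7.62.0`. The raw counts match how the issue's header totals were produced (duplicates included); the unique counts are the number of distinct fixes actually needed, which is the figure to track when deciding whether removing the PostgreSQL driver and bumping h2 closes the critical findings.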

      Expected behavior

      Remove the PostgreSQL libs and fix at least the critical ones

      Runtime

      Kubernetes (vanilla)

      Screenshots

      No response

      Installation method

      chectl/latest

      Environment

      Linux

      Eclipse Che Logs

      No response

      Additional context

      No response

              rhn-ecs-pkovar Petr Kovar (Inactive)
              jiralint.codeready Bot Codeready
              Shmaraiev Oleksandr Shmaraiev Oleksandr
              Jana Vrbkova Jana Vrbkova