CVE-2019-20367 - TomEE not affected

CVE-2019-20367 - TomEE not affected

Jenkins, Rodney J (Rod)
All,

Just an FYI….

Today, our vulnerability scanners started alerting us to this CVE when we pulled the official Tomcat image.  I have opened a ticket with docker-library-tomcat to see if they can rebuild the images, as this was addressed in the OpenJDK layer.  After I sorted that out, I wondered if TomEE was vulnerable as well.  The good news is we are not.  The difference is Tomcat is built on OpenJDK's JDK and we use the JRE.  It would seem the affected library, libbsd0, is not found in the JRE.

Again, there is nothing for us to do, but I thought you may all want to be aware.

If you have any questions, please reach out.

Thanks,
Rod.


PS:  It is not lost on me that it is a fairly old vulnerability.  I am not sure why it started to notify us today, something else I will have to research.
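The check Rod describes (is libbsd0 present in the image at all?) can be done against an exported container filesystem rather than by waiting for a scanner. The script below is an added example, not code from the thread or from the TomEE or docker-library projects: it reads the Debian dpkg status database under a root filesystem, reports the installed libbsd0 version, and falls back to looking for the shared object itself. The two sample root trees it builds (a JDK-like one with libbsd0, a JRE-like one without) and the package versions in them are constructed for illustration; the Debian paths are assumptions that hold for the Debian-based OpenJDK images.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks a container root
# filesystem for libbsd0, the package behind the CVE-2019-20367 finding.
# Assumes Debian layout: /var/lib/dpkg/status and /usr/lib/<triplet>/.

# check_libbsd ROOTFS
#   prints "libbsd0 <version>" and returns 0 if libbsd0 is recorded as
#   installed in dpkg's status database, or "libbsd0 unpackaged: <path>"
#   and returns 0 if only the shared object is found on disk; otherwise
#   prints "libbsd0 absent" and returns 1.
check_libbsd() {
    rootfs="$1"
    status="$rootfs/var/lib/dpkg/status"
    if [ -f "$status" ]; then
        # One stanza per package; only count stanzas whose Status is
        # "... ok installed" (not removed / config-files leftovers).
        ver=$(awk '
            /^Package: / { pkg = $2; ver = ""; st = "" }
            /^Status: /  { st = $0 }
            /^Version: / { ver = $2 }
            /^$/         { if (pkg == "libbsd0" && st ~ / ok installed$/ && ver != "") print ver; pkg = "" }
            END          { if (pkg == "libbsd0" && st ~ / ok installed$/ && ver != "") print ver }
        ' "$status")
        if [ -n "$ver" ]; then
            echo "libbsd0 $ver"
            return 0
        fi
    fi
    # Fallback: a scanner keyed on files rather than package metadata
    # would still flag a stray libbsd.so.0* (e.g. copied in by a build step).
    so=$(find "$rootfs/usr/lib" "$rootfs/lib" -name 'libbsd.so.0*' 2>/dev/null | head -n 1)
    if [ -n "$so" ]; then
        echo "libbsd0 unpackaged: ${so#$rootfs}"
        return 0
    fi
    echo "libbsd0 absent"
    return 1
}

# make_sample_rootfs ROOT yes|no
#   Builds a constructed, minimal Debian-style root tree for demonstration.
#   Package names and versions are sample data, not taken from a real image.
make_sample_rootfs() {
    root="$1"
    with_libbsd="$2"
    mkdir -p "$root/var/lib/dpkg" "$root/usr/lib/x86_64-linux-gnu"
    {
        printf 'Package: libc6\nStatus: install ok installed\nVersion: 2.28-10\n\n'
        if [ "$with_libbsd" = yes ]; then
            printf 'Package: libbsd0\nStatus: install ok installed\nVersion: 0.9.1-2\n\n'
            : > "$root/usr/lib/x86_64-linux-gnu/libbsd.so.0.9.1"
        fi
        printf 'Package: openjdk-11-jre-headless\nStatus: install ok installed\nVersion: 11.0.9+11-1\n\n'
    } > "$root/var/lib/dpkg/status"
}

# Demonstration on the two constructed trees.
tmp=$(mktemp -d)
make_sample_rootfs "$tmp/jdk" yes
make_sample_rootfs "$tmp/jre" no
check_libbsd "$tmp/jdk"           # libbsd0 0.9.1-2
check_libbsd "$tmp/jre" || true   # libbsd0 absent
rm -rf "$tmp"
```

To run it against a real image, export its filesystem first (`docker create --name probe <image>`, then `docker export probe | tar -x -C ./rootfs`) and call `check_libbsd ./rootfs`; on a running Debian-based container `docker run --rm <image> dpkg -l libbsd0` gives the same answer for the package case. The file-based fallback matters because the absence of a dpkg entry does not prove the library is absent, only that the package manager does not know about it.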

Re: CVE-2019-20367 - TomEE not affected

jgallimore
Thanks for the update Rod!

> PS:  It is not lost on me that it is a fairly old vulnerability.  I am
not sure why it started to notify us today, something else I will have to
research.

I tend to get duplicate notifications when CVEs are updated. Looks like
there have been some recent-ish updates to this CVE:
https://nvd.nist.gov/vuln/detail/CVE-2019-20367#VulnChangeHistorySection

Jon

On Thu, Apr 1, 2021 at 5:06 AM Jenkins, Rodney J (Rod) <
[hidden email]> wrote:
