The customer is using Twistlock (a commercial vulnerability scanning tool for Docker images).
Current issue: Netty libraries in the CA API Docker images (see the table below).
bash-4.2# find . -name "*netty*"
./SecureSpan/Gateway/runtime/lib/netty-all-4.1.1.Final.jar
Tested against both images:
caapim/gateway:latest
caapim/gateway:9.4.00_20200212
There are updated netty-all library jar files that may replace this file:
| Registry | Repository | Tag | CVE ID | Type | Severity | Packages | Package Version | Fix Status | Possible Update |
|---|---|---|---|---|---|---|---|---|---|
| | caapim/gateway | 9.4.00_20200212 | CVE-2019-16869 | java | high | io.netty_netty-all | 4.1.1.Final | fixed in 4.1.42.Final | |
| | caapim/gateway | 9.4.00_20200212 | CVE-2019-20444 | java | critical | io.netty_netty-all | 4.1.1.Final | fixed in 4.1.44 | |
| | caapim/gateway | 9.4.00_20200212 | CVE-2019-20445 | java | critical | io.netty_netty-all | 4.1.1.Final | fixed in 4.1.44 | |
Release : 7.1
Component : MOBILE API
This will be included in Gateway 10 CR2 the official - Sept 2020
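To re-check an image after the jar is replaced, the added example below (not part of the original article or the vendor's tooling) reads `find . -name "*netty*"` output and lists which of the three CVEs from the table are still open for each `netty-all` jar. It assumes the version can be read from the jar file name; the 4.1.42 and 4.1.44 paths in the sample are constructed.

```python
import re

# "Fixed in" versions exactly as reported in the scan table above.
FIXED_IN = {
    "CVE-2019-16869": (4, 1, 42),
    "CVE-2019-20444": (4, 1, 44),
    "CVE-2019-20445": (4, 1, 44),
}

# Matches netty-all-<major>.<minor>.<patch>[.<qualifier>].jar
JAR_RE = re.compile(r"netty-all-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$")


def netty_version(path):
    """Return (major, minor, patch) parsed from the jar name, or None."""
    m = JAR_RE.search(path.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def open_cves(path):
    """CVEs from the table that still apply to this jar; None if not netty-all."""
    version = netty_version(path)
    if version is None:
        return None
    # Compare as integer tuples: comparing the strings would rank 4.1.9 above 4.1.42.
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def audit(find_output):
    """Map each netty-all jar path in `find` output to its open CVEs."""
    report = {}
    for line in find_output.splitlines():
        cves = open_cves(line)
        if cves is not None:
            report[line.strip()] = cves
    return report


# Constructed sample: the first path is the one shown in the article,
# the other two are hypothetical replacement jars.
SAMPLE = """\
./SecureSpan/Gateway/runtime/lib/netty-all-4.1.1.Final.jar
./SecureSpan/Gateway/runtime/lib/netty-all-4.1.42.Final.jar
./SecureSpan/Gateway/runtime/lib/netty-all-4.1.44.Final.jar
"""

if __name__ == "__main__":
    for jar, cves in audit(SAMPLE).items():
        print(jar, "->", ", ".join(cves) if cves else "no open CVEs from the table")
```

A jar at 4.1.42.Final clears only CVE-2019-16869; the two critical findings need 4.1.44 or later.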