
Docker Snafu Leads to Millions of Downloads of Vulnerable JDK


Millions of developers mistakenly downloaded bug- and CVE-vulnerability-ridden versions of 8u212 and 11.0.3 thinking they were the real thing.


Attention to detail matters, folks.

If you're one of the more than ten million developers who downloaded the official Docker images for OpenJDK 8 and 11 from mid April until about a month ago, you'll really want to make sure you get those updated, stat.

Due to innocent enough confusion over tagging protocols, Debian volunteers populated their repos with unreleased versions of the JDKs some weeks before the final versions were ready to go, but failed to clearly label them as such.

And when Docker adopted these versions as their official OpenJDK images soon after, millions of developers mistakenly downloaded bug- and CVE-vulnerability-ridden versions of 8u212 and 11.0.3 thinking they were the real thing.

And why would they have thought otherwise? According to Docker:

"Each of the images in the Official Images is scanned for vulnerabilities. The results of these security scans provide valuable information about which images contain security vulnerabilities, and allow you to choose images that align with your security standards."

Gil Tene, CTO of Azul Systems -- and maker of the OpenJDK build Zulu -- pointed out the snafu via the OpenJDK mailing list on May 15th, and his irritation was palpable: 

"Why Debian populated their repos with these builds is their business, and why Docker chose to use those specific Debian builds can be speculated about all we want. The details don't matter. The end result of these cumulative 'reasonable' (according to some people) choices is that the default OpenJDK runs done by millions of people on Docker right now are using 'mystery meat,' incomplete, and exposed builds while seeming to report (to the lay person) a Java version that would suggest a real 8u212 or 11.0.3 (which one would expect has the security vulnerabilities in the April update addressed, the bug fixes included, etc.)."

And as InfoQ reporter Erik Costlow reports, "the version mismatch may cause downstream complexity with software composition analysis tools, which analyze software for patches based on version. ... Many of these tools will recognize the version number and incorrectly determine that these JREs are not vulnerable."

When they absolutely are. "The version number in the Docker images indicates that patches for CVE-2019-2602 and CVE-2019-2684 should have been included but were not," he continued. And these were by no means the only missing patches.
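As an added illustration (not code from the article or from any of the tools it mentions), the check below reads the full `java -version` banner instead of the short version that SCA tools key on: the build component and vendor suffix of the runtime line are what separate a GA build from a pre-release build that reports the same short version. The build numbers in the expectation table and the sample banners are constructed placeholders, not values taken from the article.

```python
"""Flag OpenJDK runtimes whose short version looks GA but whose build does not."""
import re

# Operator-maintained table: short version -> minimum build number of the GA
# release. PLACEHOLDER values (assumption); fill from the vendor's release notes.
EXPECTED_GA_BUILD = {
    "11.0.3": 7,
    "1.8.0_212": 3,
}

# Matches the "(build ...)" part of the runtime line in both version formats:
#   JEP 223 style : 11.0.3+7-<vendor-suffix>
#   legacy 8 style: 1.8.0_212-...-b03 (distros may insert text before -bNN)
_BUILD_RE = re.compile(
    r"\(build (?P<vnum>\d+(?:\.\d+)*(?:_\d+)?)"
    r"(?:\+(?P<plus>\d+)|.*?-b(?P<b>\d+))?"
)


def parse_banner(banner: str):
    """Return (short_version, build_number or None) from java -version output."""
    m = _BUILD_RE.search(banner)
    if not m:
        raise ValueError("no '(build ...)' line found in banner")
    build = m.group("plus") or m.group("b")
    return m.group("vnum"), (int(build) if build is not None else None)


def assess(banner: str) -> str:
    """Classify a banner; anything but 'ga-build' needs a provenance check."""
    vnum, build = parse_banner(banner)
    expected = EXPECTED_GA_BUILD.get(vnum)
    if expected is None:
        return "unknown-version"
    if build is None:
        return "no-build-number"      # cannot prove this is the GA build
    if build < expected:
        return "pre-release-build"    # matches GA by short version only
    return "ga-build"


# Constructed sample banners (not real image output).
GA_11 = 'openjdk version "11.0.3" 2019-04-16\nOpenJDK Runtime Environment (build 11.0.3+7-example-1)\n'
PRE_11 = 'openjdk version "11.0.3" 2019-04-16\nOpenJDK Runtime Environment (build 11.0.3+1-example-1)\n'
PRE_8 = 'openjdk version "1.8.0_212"\nOpenJDK Runtime Environment (build 1.8.0_212-8u212-b01-example-b01)\n'
```

A short-version match alone would call all three samples patched; only the first passes the build check, and even that only says the build number is not below the GA one, so the image's package source still needs to be confirmed.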

Tech consultant (and InfoQ news editor) Daniel Bryant took to Twitter with his own concerns:

[Embedded tweet by Daniel Bryant]

It just goes to show, yet again, that proper documentation is everything.
