Posted to dev@tomee.apache.org by "Jenkins, Rodney J (Rod)" <JE...@nationwide.com> on 2021/04/01 04:06:12 UTC

CVE-2019-20367 - TomEE not affected

All,

Just an FYI….

Today, our vulnerability scanners started alerting us to this CVE when we pulled the Official Tomcat image.  I have opened a ticket with docker-library-tomcat to see if they can rebuild the images, as this was addressed in the OpenJDK layer.  After I sorted that out, I wondered if TomEE was vulnerable as well.  The good news is we are not.  The difference is Tomcat is built on OpenJDK’s JDK and we use the JRE.  It would seem the affecting library, libbsd0, is not found on the JRE.

Again, there is nothing for us to do, but I thought you may all want to be aware.

If you have any questions, please reach out.

Thanks,
Rod.


PS:  It is not lost on me that it is a fairly old vulnerability.  I am not sure why it started to notify us today; something else I will have to research.

Re: CVE-2019-20367 - TomEE not affected

Posted by Jonathan Gallimore <jo...@gmail.com>.
Thanks for the update Rod!

> PS:  It is not lost on me that it is a fairly old vulnerability.  I am
> not sure why it started to notify us today; something else I will have to
> research.

I tend to get duplicate notifications when CVEs are updated. Looks like
there have been some recent-ish updates to this CVE:
https://nvd.nist.gov/vuln/detail/CVE-2019-20367#VulnChangeHistorySection

Jon

On Thu, Apr 1, 2021 at 5:06 AM Jenkins, Rodney J (Rod) <
JENKIR14@nationwide.com> wrote:

> All,
>
> Just an FYI….
>
> Today, our vulnerability scanners started alerting us to this CVE when we
> pulled the Official Tomcat image.  I have opened a ticket with
> docker-library-tomcat to see if they can rebuild the images, as this was
> addressed in the OpenJDK layer.  After I sorted that out, I wondered if TomEE
> was vulnerable as well.  The good news is we are not.  The difference is
> Tomcat is built on OpenJDK’s JDK and we use the JRE.  It would seem the
> affecting library, libbsd0, is not found on the JRE.
>
> Again, there is nothing for us to do, but I thought you may all want to be
> aware.
>
> If you have any questions, please reach out.
>
> Thanks,
> Rod.
>
>
> PS:  It is not lost on me that it is a fairly old vulnerability.  I am not
> sure why it started to notify us today; something else I will have to
> research.
>