Description
What docker image(s) are you using?
pyspark-notebook
Host OS
Rocky Linux 9
Host architecture
x86_64
What Docker command are you running?
A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. In LDAP-protected databases which weren't also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view and corrupt sensitive data and run sensitive database functions and procedures.
Mitigation:
Users should upgrade to Java 21 and Derby 10.17.1.0.
ref: https://avd.aquasec.com/nvd/2022/cve-2022-46337/
How to Reproduce the problem?
```
trivy image --scanners vuln --severity CRITICAL --ignore-unfixed --format table quay.io/jupyter/pyspark-notebook:latest
```
Command output
Expected behavior
No response
Actual behavior
```
Total: 1 (CRITICAL: 1)

┌──────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library                                      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version                            │ Title                                                        │
├──────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.derby:derby (derby-10.16.1.1.jar) │ CVE-2022-46337 │ CRITICAL │ fixed  │ 10.16.1.1         │ 10.14.3, 10.15.2.1, 10.16.1.2, 10.17.1.0 │ A cleverly devised username might bypass LDAP authentication │
│                                              │                │          │        │                   │                                          │ checks. I ...                                                │
│                                              │                │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2022-46337                   │
└──────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘
```
Anything else?
Realistically, this attack has a very specific attack vector that is unlikely to be a problem in most environments. However, some organizations don't take a risk-based view of security and enact policies such as "thou shalt not deploy containers with CRITICAL vulnerabilities". So... here we are. The mitigation isn't terribly intrusive, so upgrading Java and deploying the newer Derby jar seems like a reasonable request.
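The policy gate this paragraph describes ("no containers with CRITICAL vulnerabilities"), and the `--ignore-unfixed` / `--severity` filtering of the Trivy command above, can be reproduced in CI against Trivy's `--format json` output. The following is an added example, not code from this issue or from jupyter/docker-stacks: it parses a Trivy JSON report, drops findings below the severity threshold and findings with no fix (the `--ignore-unfixed` behaviour), and for each blocking finding picks the fix release on the installed version's own major.minor branch (10.16.1.1 -> 10.16.1.2 here, the least intrusive of the four listed fixes). The field names follow Trivy's JSON schema; the sample report, the `PkgPath` and the second unfixed finding are constructed for the example and mirror the table in the issue.

```python
"""Gate a container image on Trivy findings (added example, not project code)."""
import json
from typing import Dict, List, Optional

# Severity names as Trivy emits them, ranked for threshold comparison.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report; field names follow Trivy's JSON output,
# values for the Derby finding are those from the issue's table.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "quay.io/jupyter/pyspark-notebook:latest",
    "Results": [{
        "Target": "Java",
        "Class": "lang-pkgs",
        "Type": "jar",
        "Vulnerabilities": [
            {
                "VulnerabilityID": "CVE-2022-46337",
                "PkgName": "org.apache.derby:derby",
                "PkgPath": "usr/local/spark/jars/derby-10.16.1.1.jar",  # hypothetical path
                "InstalledVersion": "10.16.1.1",
                "FixedVersion": "10.14.3, 10.15.2.1, 10.16.1.2, 10.17.1.0",
                "Status": "fixed",
                "Severity": "CRITICAL",
                "Title": "A cleverly devised username might bypass LDAP authentication checks.",
                "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-46337",
            },
            {
                # Constructed unfixed finding: the gate must skip it, as --ignore-unfixed does.
                "VulnerabilityID": "CVE-0000-00000",
                "PkgName": "example:unfixed-lib",
                "InstalledVersion": "1.0.0",
                "FixedVersion": "",
                "Status": "affected",
                "Severity": "CRITICAL",
                "Title": "placeholder unfixed finding",
            },
        ],
    }],
})


def _version_tuple(version: str) -> tuple:
    """'10.16.1.2' -> (10, 16, 1, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def fix_on_same_branch(installed: str, fixed_versions: str) -> Optional[str]:
    """Smallest listed fix that shares the installed major.minor line and is
    newer than what is installed; None if the branch has no newer fix."""
    inst = _version_tuple(installed)
    candidates = []
    for fv in fixed_versions.split(","):
        fv = fv.strip()
        if not fv:
            continue
        t = _version_tuple(fv)
        if t[:2] == inst[:2] and t > inst:
            candidates.append((t, fv))
    return min(candidates)[1] if candidates else None


def gate(report_json: str, min_severity: str = "CRITICAL",
         ignore_unfixed: bool = True) -> List[Dict]:
    """Return the findings that block deployment under the policy."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            blocking.append({
                "id": vuln["VulnerabilityID"],
                "package": vuln["PkgName"],
                "installed": vuln["InstalledVersion"],
                "upgrade_to": fix_on_same_branch(vuln["InstalledVersion"],
                                                 vuln["FixedVersion"]),
                "severity": vuln["Severity"],
            })
    return blocking


if __name__ == "__main__":
    findings = gate(SAMPLE_REPORT)
    for f in findings:
        print(f"{f['severity']} {f['id']} in {f['package']} {f['installed']}: "
              f"upgrade to {f['upgrade_to']}")
    # Non-zero exit fails the pipeline stage, which is the policy in practice.
    raise SystemExit(1 if findings else 0)
```

In a pipeline, replace `SAMPLE_REPORT` with the file written by `trivy image --format json -o report.json <image>`; the same-branch choice matters here because the issue's fix list spans four Derby lines, and only 10.16.1.2 is a drop-in for the 10.16.1.1 jar that Spark ships, while 10.17.1.0 additionally requires the Java 21 upgrade the CVE text mentions.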
Latest Docker version
- I've updated my Docker version to the latest available, and the issue persists