[gdal-dev] Upgrade or remove Java JDK 17 in GDAL Docker image

Matt Luck - NOAA Affiliate matt.luck at noaa.gov
Mon Sep 9 10:29:25 PDT 2024


Hi, our IT department has detected a security vulnerability in the Java JDK version 17 that's installed in the ubuntu-full docker image (see message below). I am able to remove the Java files from the Docker image via the Dockerfile and I've tried changing the `JAVA_VERSION` in the Dockerfile, but there always seems to be a reference remaining in the Docker diff files that I can't seem to get rid of.

To reproduce:
A `docker system prune -a -f`, then `sudo find /var/lib/docker/overlay2 -type d -name java-17-openjdk-amd64` finds nothing, but then `docker pull ghcr.io/osgeo/gdal:ubuntu-full-3.9.1` followed by `sudo find /var/lib/docker/overlay2 -type d -name java-17-openjdk-amd64` finds:
/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/lib/jvm/java-17-openjdk-amd64
/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/lib/debug/usr/lib/jvm/java-17-openjdk-amd64
/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/share/gdb/auto-load/usr/lib/jvm/java-17-openjdk-amd64

Because they're diff files, those files exist whether or not they're actually in the container and thus the vulnerability is always triggered. Is there a solution and/or a way to either upgrade the Java version or remove Java entirely if it's not needed so that we can deal with this issue in the future?

On Mon, Jul 8, 2024 at 10:21 AM X wrote:
All,

Please see the vulns below and remediate as soon as possible. These are in containers.

Path              : /var/lib/docker/overlay2/48c2e3da9fc2282822d4522e28ca46788f5357a14a8a38f687e2cadbf9de68d7/diff/usr/lib/jvm/java-17-openjdk-amd64/
  Installed version : 17.0.8
  Fixed version     : Upgrade to a version greater than 17.0.10

Path              : /var/lib/docker/overlay2/4aed72b0f0433c615afe67854c8c79bb7acca2fb01216bf6be25774180266f4d/diff/usr/lib/jvm/java-17-openjdk-amd64/
  Installed version : 17.0.8
  Fixed version     : Upgrade to a version greater than 17.0.10

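The reason the scanner keeps flagging the path is that an image layer is never rewritten: a `rm -rf` in a later Dockerfile layer only adds a whiteout on top, so the JDK directory stays in the lower layer's diff directory on the host even though the container never sees it. The script below is an added example, not part of the list post or of GDAL: given one scanner "Path" line it extracts the overlay2 layer id, asks the local docker daemon which image owns that layer, and checks whether the file is actually reachable inside that image's merged filesystem or only present in a hidden lower layer. It assumes the docker CLI with the overlay2 storage driver, that `docker image inspect` exposes `GraphDriver.Data.UpperDir`/`LowerDir`, and that the image contains `sh`; the version comparison and path parsing are pure shell and need no docker.

```shell
#!/bin/sh
# Added example: triage an overlay2 finding from a host-side scanner.
# Only image_for_layer and path_visible_in_image call docker.
set -eu

# overlay2 layer id from a scanner path (pure string work, no docker).
layer_id_from_path() {
  printf '%s\n' "$1" | sed -n 's#^/var/lib/docker/overlay2/\([0-9a-f]*\)/diff.*#\1#p'
}

# The same path as the container would see it (strip the host prefix).
container_path_from_path() {
  printf '%s\n' "$1" | sed -n 's#^/var/lib/docker/overlay2/[0-9a-f]*/diff##p'
}

# 0 (true) when dotted version $1 <= $2, comparing components numerically.
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = na > nb ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0; if (xi > yi) exit 1
    }
    exit 0 }'
}

# Print the first local image whose overlay2 layers include layer id $1.
image_for_layer() {
  for img in $(docker image ls -q --no-trunc); do
    if docker image inspect -f '{{.GraphDriver.Data.UpperDir}}:{{.GraphDriver.Data.LowerDir}}' "$img" \
         | tr ':' '\n' | grep -q "/overlay2/$1/diff\$"; then
      printf '%s\n' "$img"; return 0
    fi
  done
  return 1
}

# 0 when path $2 exists in the merged (container-visible) filesystem of image $1.
path_visible_in_image() {
  docker run --rm --entrypoint sh "$1" -c "test -e '$2'"
}

if [ "$#" -eq 1 ]; then
  id=$(layer_id_from_path "$1"); cpath=$(container_path_from_path "$1")
  img=$(image_for_layer "$id") || { echo "layer $id: no local image owns it (dangling layer?)"; exit 0; }
  if path_visible_in_image "$img" "$cpath"; then echo "$cpath is reachable in image $img"
  else echo "$cpath exists only in lower layer $id of $img: hidden in the container, still on the host disk"; fi
fi
```

Either way the durable fix is to rebuild the image from a base that never installs the package (or a multi-stage build that copies only what GDAL needs into a fresh base), because deleting the files in a later layer leaves the old layer on disk for the scanner to find.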