vulnerability reported in busy box 1.28.4-r1

[anoopswsib]

Twistlock scan of the jdk revealed that busy box that is being used in ssl client is 1.28.4-r1 version and it has serious vulnerability. By upgrading busy box to 1.30 the vulnerability will be removed. Here is the description of current vulnerability:
An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes.

When you get a chance could you please upgrade the busy box in the ssl client. I believe its coming from alpine:3.9 image.

[dinogun]

The docker images get re-built every night which should automatically pull in the latest fixes if it is fixed in the upstream (in this case busybox on Alpine). I see that the alpine:latest image has BusyBox v1.29.3 which is the same in all the adoptopenjdk images. Since we don't really maintain the OS layer, all we can do it wait for busybox to be fixed in the upstream alpine image.

[dinogun]

The base Alpine Linux 3.9 as on date still has BusyBox v1.29.3 (2019-01-24 07:45:07 UTC). Probably because the vulnerability is classified as major and not critical.