Dockerhub vulnerabilities

[jgournet]

Is your feature request related to a problem?

Dockerhub (and our private ECR repo) reports vulnerabilities for all docker images:
https://hub.docker.com/_/amazoncorretto/tags

Describe a solution you would like

Fixing those vulnerabilities; as they are triggering alerts and blocking pipelines.

Describe alternatives you have considered

I tried to update corretto versions in those images, but there does not seem to be any yum patched version.

Additions:

I followed the first steps from: https://aws.amazon.com/corretto/faqs/#topic-1
"Why does security scanner show that a docker image has a CVE?"
ie: tried "yum update -y --security", but that did only solved the libxml2

but I did not raise this a security issue, just creating this ticket for now

[DeepikaKasoji]

Yes, this is blocking us too. Below are the CVE's:
CVE-2025-49794
CVE-2025-49796
CVE-2025-49795

I'm finding that the Docker Hub image amazoncorretto:17-al2023 does not include the latest libxml2 update (2.10.4-1.amzn2023.0.12) which is being reported in above mentioned CVE's to update to fixed version 2.10.4-1.amzn2023.0.12 and currently we are on version 2.10.4-1.amzn2023.0.11, while the same image tag amazoncorretto:17-al2023 on public ECR does have 2.10.4-1.amzn2023.0.12. yum in the Docker Hub container cannot find or update to the newer version, as shown by the output of yum --showduplicates list libxml2.

This prevents us from remediating important security issues using the Docker Hub image and blocking our pipelines. Can you please rebuild/synchronize the Docker Hub image to include this fixed libxml2? Or provide information about update cadence and how users can reliably obtain security fixes via Docker Hub images.

@jgournet

[lutkerd]

Please see Why does security scanner show that a docker image has a CVE?. AmazonCorretto images cannot be updated for a new package in the base image, only for updates in the Corretto packages. This is because Corretto is an Official Image and the builds are controlled by Docker Hub and will only happen for an updated base image or Corretto change. The Amazon Linux team does not publish an updated base image for every package update and may publish to ECR more frequently than to Docker Hub.

@DeepikaKasoji For your situation, AL2023 images are version locked and may not automatically pull newer versions of packages which could be destabilizing to some services, you will need to run dnf update --security --releasever=latest to pull the latest security updates. We will update the README for this.

[DeepikaKasoji]

@lutkerd - Appreciate the detailed response.

I am writing to seek further assistance regarding the issue I previously reported. Despite following the recommended workaround, I am still encountering challenges in applying the necessary security updates to my Amazon Linux 2023 (AL2023) instance. Please find the snapshot of output below:

Thank you for your time and assistance.

[lutkerd]

Can you check what repositories you have configured? The output there doesn't look right, the repo name is an Artifactory one and not Amazon Linux.

I am seeing this from the latest amazoncorretto:17-2023 image

# dnf repolist
repo id                                                                                                repo name
amazonlinux                                                                                            Amazon Linux 2023 repository


bash-5.2# yum --showduplicates list libxml2
Amazon Linux 2023 repository                                                                                                                                                                   86 MB/s |  41 MB     00:00    
Last metadata expiration check: 0:00:09 ago on Wed Aug  6 16:28:25 2025.
Installed Packages
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.11                                                                                        @System    
Available Packages
libxml2.x86_64                                                                                       2.10.3-2.amzn2023.0.1                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.1                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.3                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.4                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.5                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.6                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.7                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.8                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.9                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.10                                                                                        amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.11                                                                                        amazonlinux
bash-5.2# 

[DeepikaKasoji]

@lutkerd

We have configured our JFrog Artifactory proxy to mirror the Amazon Linux 2023 repositories.
Upon reviewing the available packages, we observed that the latest version of libxml2 present is 2.10.4-1.amzn2023.0.11 in docker image. However, according to the security advisories for CVE-2025-49795, CVE-2025-49796, CVE-2025-49794 (please refer to vulnerabilities section in https://hub.docker.com/layers/library/amazoncorretto/17-al2023/images/sha256-f0c2aaaf577d0cfdd74458a5ac76f84649fda4919db3f364525a03ba0fccf22d ) the recommended fix is included in version 2.10.4-1.amzn2023.0.12. We couldn't update to 2.10.4-1.amzn2023.0.12 version.

Could you please advise on how we can access this specific version. Thank you for your assistance.

[lutkerd]

I am not sure what you are syncing to your Artifactory, but if you use the latest releasever or releasever 2023.8.20250721 as mentioned in the ALAS 2.10.4-1.amzn2023.0.12 will be there.

# dnf list --showduplicates libxml2 --releasever latest
Amazon Linux 2023 repository                                                                                                                                                                   62 MB/s |  43 MB     00:00    
Last metadata expiration check: 0:00:10 ago on Thu Aug  7 17:03:57 2025.
Installed Packages
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.11                                                                                        @System    
Available Packages
libxml2.x86_64                                                                                       2.10.3-2.amzn2023.0.1                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.1                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.3                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.4                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.5                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.6                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.7                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.8                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.9                                                                                         amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.10                                                                                        amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.11                                                                                        amazonlinux
libxml2.x86_64                                                                                       2.10.4-1.amzn2023.0.12                                                                                      amazonlinux

[lutkerd]

@DeepikaKasoji Where you able to resolve your issue?