Log4j vuln updates

Signed-off-by: Justin Cormack <justin@specialbusservice.com>
Justin Cormack 2021-12-20 14:28:12 +00:00
parent 58d5d1fc9f
commit 15679e26aa
No known key found for this signature in database
GPG Key ID: CBC0AC323D731540
1 changed files with 8 additions and 7 deletions

@ -25,10 +25,10 @@ vulnerable versions.
> As an update to
> [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228){:
target="_blank" rel="noopener" class="_"}, the fix made in version 2.15.0 was
> incomplete in certain non-default configurations. An additional issue has
> been identified and is tracked with
> [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046){: target="_blank" rel="noopener" class="_"}. For a more complete fix to this
> vulnerability, we recommended that you update to 2.16.0 where possible.
> incomplete. Additional issues have been identified and are tracked with
> [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046){: target="_blank" rel="noopener" class="_"} and
> [CVE-2021-45105](https://nvd.nist.gov/vuln/detail/CVE-2021-45105){: target="_blank" rel="noopener" class="_"}.
> For a more complete fix to this vulnerability, we recommended that you update to 2.17.0 where possible.
{: .important}
## Scan images using the `docker scan` command
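Review bot: The rewritten recommendation line still reads "we recommended that you update to 2.17.0", which should be "we recommend", and "a more complete fix to this vulnerability" is singular although the paragraph now references three CVEs (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105). Suggest "For a more complete fix to these vulnerabilities, we recommend that you update to 2.17.0 where possible." The new line is also much longer than the wrapped lines around it; wrapping it the same way would keep future diffs of this notice readable.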
@ -69,9 +69,8 @@ vulnerable for other reasons. We recommend that you also review the guidelines p
| [Geonetwork](https://hub.docker.com/_/geonetwork) | 3.10.10 | [Geonetwork GitHub discussion](https://github.com/geonetwork/core-geonetwork/issues/6076) |
| [lightstreamer](https://hub.docker.com/_/lightstreamer) | Awaiting info | Awaiting info |
| [logstash](https://hub.docker.com/_/logstash) | 7.16.1 | Awaiting info |
| [neo4j](https://hub.docker.com/_/neo4j) | 4.4.1 | [Neo4j announcement](https://community.neo4j.com/t/log4j-cve-mitigation-for-neo4j/48856) |
| [nuxeo](https://hub.docker.com/_/nuxeo) | Awaiting info | [nuxeo blog](https://www.nuxeo.com/blog/apache-log4j/) |
| [solr](https://hub.docker.com/_/solr) | Awaiting info | [Solr security news](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) |
| [neo4j](https://hub.docker.com/_/neo4j) | 4.4.2 | [Neo4j announcement](https://community.neo4j.com/t/log4j-cve-mitigation-for-neo4j/48856) |
| [solr](https://hub.docker.com/_/solr) | 8.11.1 | [Solr security news](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) |
| [sonarqube](https://hub.docker.com/_/sonarqube) | 8.9.5, 9.2.2 | [SonarQube announcement](https://community.sonarsource.com/t/sonarqube-sonarcloud-and-the-log4j-vulnerability/54721) |
| [storm](https://hub.docker.com/_/storm) | Awaiting info | Awaiting info |
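Review bot: The nuxeo row is deleted from the table outright, so a reader who looks up an image in this table finds nothing for nuxeo and has to notice the separate note further down. Consider keeping the row and putting the status in the version column, for example "Deprecated, will not be updated", with the existing nuxeo blog link retained. Separately, the neo4j and solr rows change their versions (4.4.2 and 8.11.1) while the announcement links stay the same, and the advisory text above now recommends Log4j 2.17.0; it is worth confirming that the linked announcements name these versions, and whether the unchanged logstash and sonarqube entries still count as fixed under the updated recommendation.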
@ -81,3 +80,5 @@ vulnerable for other reasons. We recommend that you also review the guidelines p
target="_blank" rel="noopener" class="_"} images may be detected as vulnerable
by some scanners, the authors believe the images are not vulnerable by Log4j 2
CVE as the API jars do not contain the vulnerability.
> The [Nuxeo](https://hub.docker.com/_/nuxeo){: target="_blank" rel="noopener" class="_"}
> image is deprecated and will not be updated.
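Review bot: The new "> The Nuxeo ... image is deprecated" block starts on the line immediately after "CVE as the API jars do not contain the vulnerability." with no blank line between them, so depending on the Markdown renderer it can be folded into the preceding paragraph instead of rendering as its own note. Add a blank line before the `>` block. The notice at the top of the file closes its blockquote with `{: .important}`; if this note is meant to stand out the same way, give it a matching class line.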