WASdev/ci.docker

Address CVE-2022-40897

Opened this issue · 1 comment

Hello, the latest version of the Liberty container, 23.0.0.6, contains the unaddressed High vulnerability CVE-2022-40897.

This is marked as a High vulnerability in various scanners. This prevents us from using/deploying this image within a given corporate environment. Is there an ETA for when this CVE will be addressed?

The full results of this image scan are included in the attached file below.
23.0.0.6-kernel-java17-openj9-ubiSCAN.txt

leochr commented

@rtclauss The scanner is incorrectly flagging the Liberty image against this CVE.

The OS of the 23.0.0.6-kernel-java17-openj9-ubi image is Red Hat Enterprise Linux 8 (RHEL/UBI) and https://dso.docker.com/cve/CVE-2022-40897 lists the following entry for RHEL 8:

Package Name                              Package Type        OS Name          OS Version    Vulnerable Range          Fixed By
redhatlinux:python-setuptools             rpm                 redhatlinux      8             <39.2.0-6.el8_7.1         39.2.0-6.el8_7.1

The issue is fixed in 39.2.0-6.el8_7.1 or above.

Validated that the 23.0.0.6-kernel-java17-openj9-ubi image includes a fixed version by running the following command in the image:

rpm -qa | grep python-setuptools
platform-python-setuptools-39.2.0-7.el8.noarch

39.2.0-7.el8 is higher than the fixed version 39.2.0-6.el8_7.1.

The Red Hat bulletin also confirms that the fix was added to RHEL 8 (UBI) on February 21, 2023, hence it makes sense that the fix is in the Liberty image:
CVE: https://access.redhat.com/security/cve/cve-2022-40897
Fixed by: https://access.redhat.com/errata/RHSA-2023:0835
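The check leochr performs above (read the installed package from `rpm -qa`, compare its version-release against the advisory's fixed version) is the kind of thing worth automating when a scanner and a vendor advisory disagree. The following is an added Python example, not code from the ci.docker project or from either participant in this issue: it implements rpm's own ordering rules (rpmvercmp: numeric segments compared numerically, letters lexically, numbers above letters, `~` below everything) and applies them to the package line quoted in the comment. The function names `rpmvercmp`, `evr_cmp`, `parse_nvra`, `is_fixed` and `check_rpm_qa` are my own, and `SAMPLE_RPM_QA` is a constructed sample whose first line is the one from the comment. It goes slightly beyond the comment by handling epochs and pre-release tildes, and by including a `10.el8` release that a plain string comparison would wrongly rank below `6.el8_7.1`.

```python
import re

# Tokens rpmvercmp cares about: runs of digits, runs of letters, and the tilde
# (pre-release marker). Separators such as '.', '_' and '-' are ignored.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpm's rpmvercmp().

    Numeric segments compare numerically, alphabetic ones lexically,
    numbers rank above letters, and a tilde ranks below everything,
    including the end of the string. Returns -1, 0 or 1.
    (The '^' operator of newer rpm releases is not implemented here.)
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        ta = sa[i] if i < len(sa) else ""
        tb = sb[i] if i < len(sb) else ""
        if ta == "~" or tb == "~":
            if ta != tb:
                return -1 if ta == "~" else 1   # the tilde side is older
            continue
        if not ta:                              # a ran out first: a is older
            return -1
        if not tb:
            return 1
        if ta.isdigit() and tb.isdigit():
            na, nb = int(ta), int(tb)
            if na != nb:
                return -1 if na < nb else 1
        elif ta.isdigit() != tb.isdigit():
            return 1 if ta.isdigit() else -1    # digits outrank letters
        elif ta != tb:
            return -1 if ta < tb else 1
    return 0


def split_evr(evr: str):
    """Split '[epoch:]version[-release]' into (epoch, version, release); epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(evr_a: str, evr_b: str) -> int:
    """Full RPM ordering: epoch first, then version, then release."""
    for x, y in zip(split_evr(evr_a), split_evr(evr_b)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def parse_nvra(line: str):
    """Split an `rpm -qa` line such as
    platform-python-setuptools-39.2.0-7.el8.noarch into (name, version, release, arch)."""
    base, _, arch = line.strip().rpartition(".")
    nv, _, release = base.rpartition("-")
    name, _, version = nv.rpartition("-")
    return name, version, release, arch


def is_fixed(installed_line: str, fixed_evr: str) -> bool:
    """True when the installed package is at or above the advisory's fixed version-release."""
    _, version, release, _ = parse_nvra(installed_line)
    return evr_cmp(f"{version}-{release}", fixed_evr) >= 0


def check_rpm_qa(rpm_qa_output: str, package_name: str, fixed_evr: str) -> dict:
    """Mirror `rpm -qa | grep <package_name>` and give each hit a verdict."""
    verdicts = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if line and package_name in parse_nvra(line)[0]:
            verdicts[line] = "fixed" if is_fixed(line, fixed_evr) else "vulnerable"
    return verdicts


# Constructed sample of `rpm -qa` output: the first line is the package quoted in
# the comment above, the second is an unrelated package that must be ignored.
SAMPLE_RPM_QA = """\
platform-python-setuptools-39.2.0-7.el8.noarch
bash-4.4.20-4.el8_6.x86_64
"""

if __name__ == "__main__":
    for pkg, verdict in check_rpm_qa(SAMPLE_RPM_QA, "python-setuptools", "39.2.0-6.el8_7.1").items():
        print(f"{verdict:10s} {pkg}")
```

To run it against a real image, feed it the output of `rpm -qa` captured from a container and the "Fixed By" value from the advisory; a `vulnerable` verdict means the build is genuinely behind the errata, while a `fixed` verdict on a flagged package points at the scanner's matching rather than the image.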