Ugh. And now I see I overlooked where tomcat comes into play in the Dockerfile:
https://github.com/gbif/ipt/blob/master/package/docker/Dockerfile
Line 17: FROM tomcat:8.5-jdk8
Perhaps ‘tomcat:8.5.84-jdk8’?
And I suppose it’s Matthew that will need to check this out.
😊
-Roger A
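Before the quoted message, an added example of the check the reply is getting at (my own script, not part of the IPT project or its Dockerfile): it reads a Dockerfile, classifies each tomcat base image as a floating tag (such as 8.5-jdk8, which resolves to whatever 8.5.x was current when the image was last built), a pinned tag below a minimum patch level, or a pinned tag at or above it. The minimum version 8.5.84 comes from the thread; the sample Dockerfile content is constructed here and only mimics the two FROM lines the thread mentions.

```shell
#!/bin/sh
# Added example, not the IPT project's code. Flags floating or outdated
# tomcat base image tags in a Dockerfile. Minimum patch level taken from
# the mailing-list thread (8.5.84 was the latest 8.5.x at the time).
MIN_TOMCAT="8.5.84"

# "tomcat:8.5.84-jdk8" -> "8.5.84"; "tomcat:8.5-jdk8" -> "8.5"
tomcat_version_from_image() {
  printf '%s\n' "$1" | sed -n 's/^tomcat:\([0-9.]*\).*/\1/p'
}

# True when dotted version $1 >= $2, compared field by field (POSIX sort only,
# so it works without GNU sort -V).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)" = "$1" ]
}

# Prints one of: not-tomcat, floating, pinned-old, pinned-ok
classify_tomcat_image() {
  case "$1" in
    tomcat:*) ;;
    *) echo "not-tomcat"; return 0 ;;
  esac
  ver=$(tomcat_version_from_image "$1")
  case "$ver" in
    # Three numeric fields means the patch level is pinned (8.5.84);
    # anything shorter (8.5, 8, or a name like latest) floats.
    *.*.*)
      if version_ge "$ver" "$MIN_TOMCAT"; then echo "pinned-ok"; else echo "pinned-old"; fi ;;
    *) echo "floating" ;;
  esac
}

# One line per FROM instruction: "<classification> <image>".
# Assumes the plain "FROM image[:tag] [AS name]" form, without --platform.
scan_dockerfile() {
  grep -i '^FROM ' "$1" | while read -r _ image _; do
    printf '%s %s\n' "$(classify_tomcat_image "$image")" "$image"
  done
}

# Constructed sample Dockerfile (not the real gbif/ipt one), for the demo.
SAMPLE_DOCKERFILE=$(mktemp)
cat > "$SAMPLE_DOCKERFILE" <<'EOF'
# constructed sample
FROM maven:3.8-jdk-8 AS build
FROM tomcat:8.5-jdk8
EOF

scan_dockerfile "$SAMPLE_DOCKERFILE"
```

A floating tag is the reason a container can "silently" stay on an old Tomcat: the image was built once against 8.5-jdk8 and never rebuilt, so the patch level is whatever existed on that day. Pinning to tomcat:8.5.84-jdk8 makes the version explicit in the Dockerfile and lets a scanner like this catch it going stale; the same reasoning applies to the maven:3.8-jdk-8 build image, which this script deliberately leaves out of the version check.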
From: IPT <ipt-bounces@lists.gbif.org> on behalf of Roger W. J. Alterskjær via IPT <ipt@lists.gbif.org>
Date: Thursday, 22 December 2022 at 13:44
To: IPT@lists.gbif.org <IPT@lists.gbif.org>
Subject: [IPT] Update docker tomcat?
Our university IT-security guys have noticed that our docker container for gbif/ipt is running a vulnerable version of Tomcat:
Apache Tomcat 8.5.x < 8.5.83
which is vulnerable to "Request Smuggling Vulnerability" (CVE-2022-42252).
They say that Tomcat 8.5.84 is the latest version of 8.5.
I see that we’re using maven:3.8-jdk-8, which hasn’t been updated for five months…
-Roger A