pyup.io-43366 (CVE-2021-43818) Vulnerability in base image for docker

Question

I have a docker base image when uploaded to quay image repository give the vulnerability pyup.io-43366 (CVE-2021-43818).

The base image is

FROM quay/registry.redhat.io/rhel7:latest
MAINTAINER Me

LABEL description="Application runtime image" \
      name="Image name" \
      version="1.0"

ENV LANG en_US.UTF-8

RUN yum-config-manager  \
    && yum -y install java-11-openjdk \
    && yum -y clean all
CMD ["/bin/bash"]

Is there any way I can overcome this vulnerability?

Answer 1

"stop using latest" -- "what tag should I give?"

First, you can list tags from rhel7, using the regclient project from Brandon Mitchell (sudo-bmitch, top contributor on Stack Overflow), with:

alias dr='docker run -it --rm'
# on Windows
dockey dr=docker run -it --rm $*


dr regclient/regctl:latest tag ls registry.access.redhat.com/rhel7|\ 
  grep -Ev (source|[0-9][0-9][0-9][0-9])

(on Windows: grep -Ev (source^|[0-9][0-9][0-9][0-9]): note the ^)

Second, I do not see CVE-2021-43818 in latest, using anchore/grype

docker run anchore/grype:latest registry.access.redhat.com/rhel7:latest | grep 2021

The closest is CVE-2021-3541, a flaw was found in libxml2-python.

In your case, considering Lxml 4.6.5 includes a fix for CVE-2021-43818, you would need an image with Lxml 4.6.5+.

If that image does not exist yet, you could docker build your own starting FROM registry.access.redhat.com/rhel7:7.9, and adding the right libxml.
And publish it to Quay.

Answer 2

Red Hat provides this information describing how the issue affects different products versions.

As described in the aforementioned link, it seems that no mitigation is provided:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

In the specific use case of Red Hat Enterprise Linux 7, they indicate the product is "Out of support scope":

When a product is listed as "Out of Support Scope", it means a vulnerability with the impact level assigned to this CVE is no longer covered by its current support lifecycle phase. The product has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed. The product should be assumed to be affected. Customers are advised to apply any mitigation options documented on this page, consider removing or disabling the impacted component, or upgrade to a supported version of the product that has an update available.

This may explain, as VonC indicated in his question, why Grype doesn't report the problem.

If you need your image just for running Java, one thing you could try is removing the dependency, but I am afraid it is required by other libraries, so probably it will not work.

Please, take my words with caution because it entirely depends on your actual use case, but you may "safely" use your image as well. From the cited docs again:

This flaw is rated as Moderate because code execution is limited to the web browser scope.

In fact, Red Hat itself provides similar images with the same problem.

Finally, if using Red Hat is not a strict requirement, you can choose another different Java distribution like OpenJDK or AdoptOpenJDK. For example:

docker pull openjdk:11.0.14.1-jdk