Vulnerabilities found in Image [Help]:

[ancoleman]

Controller Version

v5.9

Describe Your Issue or Question

I recently stumbled upon your omada controller docker compose setup. Very nice! It works great. However, docker has enabled some new features for vulnerability scans against the image, and it's found some pretty critical ones.

I would post a screenshot but it's a pretty long list to cover. Have you noticed this?

It appears that the critical ones are associated with: RUN |2 ARCH=amd64 INSTALL_VER=5.9 /bin/sh -c /install.sh && /log4j_patch.sh && rm /install.sh /log4j_patch.sh # buildkit

Which is listed as having 81 vulnerabilities with 5 of them as Critical 1.

• commons-fileupload/commons-fileupload 1.3.1
• org.springframework.data/spring-data-mongodb 3.3.3
• org.apache.xmlbeans/xmlbeans 2.6.0
• org.apache.shiro/shiro-web 1.11.0
• com.monitorjbl/xlsx-streamer 1.2.1

Additionally in that same run, there are 10 high vulnerabilities.

Is this something you plan on evaluating to fix, or this an issue specifically with the omada application and how it's hosted?

Expected Behavior

Less vulnerabilities

Steps to Reproduce

n/a

How You're Launching the Container

n/a

Container Logs

n/a

Additional Context

Security Discussion

[mbentley]

Realistically, that's on TP-Link to fix as that's what they're packaging as a part of the software that they're providing. I can't safely test the apps with different libraries and support that, especially since I don't have the source code for the app.

[ancoleman]

I assumed it was mostly application vulnerabilities, rather than just build packages, but I wanted to at least bring the topic up.

[mbentley]

Yeah, so I do scan images that I build using trivy on a daily basis. I am only looking at the operating system level vulnerabilities because those are the ones that I can actually impact (outside of the exception of like the log4j vulnerabilities which I chose to patch).

Scan results are available here with an example of the 5.9 amd64 image being:

mbentley/omada-controller:5.9-amd64
  All - Total: 44 Unknown: 0 Low: 21 Medium: 23 High: 0 Critical: 0
  Fixed - Total: 0 Unknown: 0 Low: 0 Medium: 0 High: 0 Critical: 0

Basically I fix what is fixable.