OracleLinux:8 docker image showing 4 High Vulnerabilities #84
              
  
Closed

shikha-sri started this conversation in General

Replies: 1 comment
-
All of these "findings" are for the FIPS or Ksplice versions of those packages which are not part of the standard OL8 images. These are false positives. Please let your scanner vendor (you didn't mention what scanner you use here) know that this is a bug in their scanner. I explained this to the Trivy project a couple years ago here: aquasecurity/trivy#1967 (comment)
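A triage sketch for the situation described in the reply above, added here as an example; it is not code from the scanner, from Trivy or from Oracle. It flags findings whose advisory text names a FIPS or Ksplice build while the installed package version carries no such marker. The `ksplice` marker string, the `advisory_versions` mapping and the third sample entry are assumptions made for illustration.

```python
import json

# Release-string markers for the variant builds the reply names. "_fips" is visible in
# the ELSA-2022-9564 changelog quoted in this thread; "ksplice" is an assumption.
VARIANT_MARKERS = ("_fips", "ksplice")

def markers_in(text):
    """Return the set of variant markers present in a version or changelog string."""
    lowered = text.lower()
    return {m for m in VARIANT_MARKERS if m in lowered}

def triage(finding, advisory_versions=None):
    """Classify one finding as 'variant-mismatch', 'no-evidence' or 'review'.

    advisory_versions is a hypothetical mapping {advisory id: [fixed versions]} that
    you fill in from the errata page when the scanner leaves the description blank.
    """
    attrs = {a["key"]: a["value"] for a in finding["attributes"]}
    fixed = (advisory_versions or {}).get(finding["name"], [])
    evidence = " ".join([finding.get("description", "")] + fixed).strip()
    if not evidence:
        return "no-evidence"        # nothing to compare; read the errata page
    advisory_variants = markers_in(evidence)
    installed_variants = markers_in(attrs["package_version"])
    if advisory_variants - installed_variants:
        return "variant-mismatch"   # advisory is for a build that is not installed
    return "review"                 # same build flavour: treat as a real finding

# Constructed input: the libgcrypt and glibc findings as posted (changelog shortened),
# plus an invented FIPS-build install to show the case that must not be dismissed.
SAMPLE = json.loads("""[
 {"name": "ELSA-2022-9564", "description": " [ 1.8.5-7_fips] - Add API ...",
  "attributes": [{"key": "package_version", "value": "1.8.5-7.el8_6"},
                 {"key": "package_name", "value": "libgcrypt"}]},
 {"name": "ELSA-2021-9344", "description": " ",
  "attributes": [{"key": "package_version", "value": "2.28-251.0.2.el8_10.1"},
                 {"key": "package_name", "value": "glibc"}]},
 {"name": "ELSA-2022-9564", "description": " [ 1.8.5-7_fips] - Add API ...",
  "attributes": [{"key": "package_version", "value": "0.0.0-0_fips.el8"},
                 {"key": "package_name", "value": "libgcrypt"}]}
]""")

def triage_all(findings, advisory_versions=None):
    return [(f["name"], triage(f, advisory_versions)) for f in findings]

if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLE):
        print(name, verdict)
```

A `variant-mismatch` verdict is a heuristic for prioritising a report to the scanner vendor; the errata page for the advisory remains the authority on which builds it covers.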
-
We are getting 4 High vulnerabilities in OracleLinux8 docker image -

"findings": [
  {
    "name": "ELSA-2021-9344",
    "description": " ",
    "uri": "https://linux.oracle.com/errata/ELSA-2021-9344.html",
    "severity": "HIGH",
    "attributes": [
      {
        "key": "package_version",
        "value": "2.28-251.0.2.el8_10.1"
      },
      {
        "key": "package_name",
        "value": "glibc"
      }
    ]
  },
  {
    "name": "ELSA-2021-9344",
    "description": " ",
    "uri": "https://linux.oracle.com/errata/ELSA-2021-9344.html",
    "severity": "HIGH",
    "attributes": [
      {
        "key": "package_version",
        "value": "2.28-251.0.2.el8_10.1"
      },
      {
        "key": "package_name",
        "value": "glibc-common"
      }
    ]
  },
  {
    "name": "ELSA-2021-9344",
    "description": " ",
    "uri": "https://linux.oracle.com/errata/ELSA-2021-9344.html",
    "severity": "HIGH",
    "attributes": [
      {
        "key": "package_version",
        "value": "2.28-251.0.2.el8_10.1"
      },
      {
        "key": "package_name",
        "value": "glibc-langpack-en"
      }
    ]
  },
  {
    "name": "ELSA-2022-9564",
    "description": " [ 1.8.5-7_fips] - Add API to provide hash calculation in RSA/DSA/ECDSA signature operations [Orabug: 33081130] - Change Epoch from 1 to 10 [1.8.5-7] - Fix CVE-2021-33560 (#2018525) ",
    "uri": "https://linux.oracle.com/errata/ELSA-2022-9564.html",
    "severity": "HIGH",
    "attributes": [
      {
        "key": "package_version",
        "value": "1.8.5-7.el8_6"
      },
      {
        "key": "package_name",
        "value": "libgcrypt"
      }
    ]
  },

Any lead would be really helpful.
Thanks!!