On Sun, Sep 8, 2024 at 7:37 AM Agranov, Andrey <andrey.agra...@honeywell.com.invalid> wrote:
> Hello
>
> guacamole/guacamole:1.5.5 Docker image uses Tomcat 8.5.98, which has
> several vulnerabilities, particularly CVE-2024-23672 and CVE-2024-24549.
> Both vulnerabilities were fixed in Tomcat 8.5.99.
>
> What is the recommended way to get a stable and tested image, with the latest
> Tomcat 8.5.X?
>
> a. Wait for official guacamole 1.5.X release? When is it planned?
> b. Build an image based on 1.5.5 locally and upgrade Tomcat?
> c. Use guacamole/guacamole:latest? Is it stable and suitable for
> production?
>
> Thanks
> Andrey
>

Andrey,

A couple of things, here:

* First, when reporting issues that may involve vulnerabilities, please
follow responsible disclosure practices and report to our security@
mailing list, which is a private list. See:
https://guacamole.apache.org/security/. This particular case is a bit on
the edge of that, since it isn't regarding an actual vulnerability in
Guacamole, but, if in doubt, use the security list :-).

* The answer to your question is "c" - the 1.5.5 tag represents a specific
point-in-time, when 1.5.5 was released, and may contain components with
vulnerabilities. The best practice is to use the "latest" tag
(guacamole/guacamole:latest), which will be the latest released (stable,
production) version of Guacamole Client (still 1.5.5 at the moment), but may
have some underlying components updated (like Tomcat). The same goes for
the guacamole/guacd image.

-Nick
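A small check that follows from the reply above, added here as an example (it is not code from the thread or from the Guacamole project): pull the Tomcat version string out of an image and compare it against 8.5.99, the release the question names as carrying the fixes. It assumes the image is built on the official tomcat image, where `catalina.sh version` prints a "Server version: Apache Tomcat/x.y.z" line; the docker invocation and the sample line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Minimum Tomcat release named in the thread as fixing the two CVEs.
MIN_TOMCAT="8.5.99"

# tomcat_version_line IMAGE
# Prints the "Server version:" line reported by the Tomcat inside IMAGE.
# Assumes an official-tomcat-based image with catalina.sh on PATH.
tomcat_version_line() {
  docker run --rm --entrypoint catalina.sh "$1" version 2>/dev/null \
    | grep '^Server version:'
}

# parse_version LINE
# "Server version: Apache Tomcat/8.5.98" -> "8.5.98" (empty if no match)
parse_version() {
  printf '%s\n' "$1" \
    | sed -n 's|^Server version: *Apache Tomcat/\([0-9.]*\).*|\1|p'
}

# version_ge A B
# Succeeds when dotted numeric version A is >= B (numeric per component,
# so 8.5.100 correctly ranks above 8.5.99).
version_ge() {
  lowest=$(printf '%s\n%s\n' "$2" "$1" \
    | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$lowest" = "$2" ]
}

# check_version_line LINE
# Prints "ok", "outdated" or "unknown" for a "Server version:" line and
# returns 0, 1 or 2 respectively, so it can gate a CI step.
check_version_line() {
  v=$(parse_version "$1")
  if [ -z "$v" ]; then
    echo "unknown"; return 2
  fi
  if version_ge "$v" "$MIN_TOMCAT"; then
    echo "ok"; return 0
  fi
  echo "outdated"; return 1
}

# Usage against a real image (needs docker):
#   check_version_line "$(tomcat_version_line guacamole/guacamole:latest)"
```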