Got it. Thanks a lot.

From: Nick Couchman <nick.e.couch...@gmail.com>
Sent: Sunday, 8 September 2024 15:40
To: user@guacamole.apache.org
Cc: boike, shawn (He/Him/His) <shawn.bo...@honeywell.com>
Subject: [External]Re: Vulnerabilities in Tomcat contained guacamole/guacamole:1.5.5 Docker image

On Sun, Sep 8, 2024 at 7:37 AM Agranov, Andrey <andrey.agra...@honeywell.com.invalid> wrote:

> Hello,
>
> The guacamole/guacamole:1.5.5 Docker image uses Tomcat 8.5.98, which has several vulnerabilities, particularly CVE-2024-23672 and CVE-2024-24549. Both vulnerabilities were fixed in Tomcat 8.5.99.
>
> What is the recommended way to get a stable and tested image with the latest Tomcat 8.5.X?
>
> a. Wait for an official guacamole 1.5.X release? When is it planned?
> b. Build an image based on 1.5.5 locally and upgrade Tomcat?
> c. Use guacamole/guacamole:latest? Is it stable and suitable for production?
>
> Thanks,
> Andrey

Andrey,

A couple of things, here:

* First, when reporting issues that may involve vulnerabilities, please follow responsible disclosure practices and report to our security@ mailing list, which is a private list. See: https://guacamole.apache.org/security/. This particular case is a bit on the edge of that, since it isn't regarding an actual vulnerability in Guacamole, but, if in doubt, use the security list :-).

* The answer to your question is "c" - the 1.5.5 tag represents a specific point-in-time, when 1.5.5 was released, and may contain components with vulnerabilities. The best practice is to use the "latest" tag (guacamole/guacamole:latest), which will be the latest released (stable, production) version of Guacamole Client (still 1.5.5 at the moment), but may have some underlying components updated (like Tomcat). The same goes for the guacamole/guacd image.

-Nick
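Whichever tag is pulled, the practical check a defender wants is whether the Tomcat actually inside the running image is at or past the version that fixed the two CVEs named in the thread (8.5.99). The script below is an added example and is not part of this thread or of the Guacamole project; it assumes that the Tomcat distribution's RELEASE-NOTES file sits at /usr/local/tomcat/RELEASE-NOTES inside the image and opens with an "Apache Tomcat Version X.Y.Z" line (both assumptions, labelled in the comments), and it runs offline against a constructed copy of that header so the version comparison itself can be exercised without Docker.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Guacamole project.
# Decides whether a Tomcat version is at or past the release that fixed
# CVE-2024-23672 and CVE-2024-24549 (8.5.99, as stated in the thread).

FIXED_TOMCAT_VERSION="8.5.99"

# Constructed sample of a Tomcat RELEASE-NOTES header (the real file's layout
# is assumed here); the version matches what the thread reports for 1.5.5.
SAMPLE_RELEASE_NOTES='================================================================================
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.
================================================================================

                     Apache Tomcat Version 8.5.98
                            Release Notes'

# Print the dotted version from RELEASE-NOTES text read on stdin.
tomcat_version_from_release_notes() {
    sed -n 's/^[[:space:]]*Apache Tomcat Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Numeric, component-by-component comparison of dotted versions.
# Returns 0 when $1 >= $2, 1 otherwise; missing components count as 0,
# so "8.5" is treated as 8.5.0 and is older than 8.5.99.
version_at_least() {
    have="$1"; want="$2"
    while [ -n "$have" ] || [ -n "$want" ]; do
        a=${have%%.*}; b=${want%%.*}
        case $have in *.*) have=${have#*.};; *) have="";; esac
        case $want in *.*) want=${want#*.};; *) want="";; esac
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# Report the verdict for one version string; exit status 0 = fixed, 1 = still affected.
check_tomcat_version() {
    ver="$1"
    if version_at_least "$ver" "$FIXED_TOMCAT_VERSION"; then
        printf 'Tomcat %s: at or past %s, CVE-2024-23672/CVE-2024-24549 fixed\n' "$ver" "$FIXED_TOMCAT_VERSION"
        return 0
    fi
    printf 'Tomcat %s: older than %s, still affected\n' "$ver" "$FIXED_TOMCAT_VERSION"
    return 1
}

# Offline run against the constructed sample. Against a real image, feed the
# file from the container instead (assumed path and entrypoint override):
#   docker run --rm --entrypoint cat guacamole/guacamole:latest /usr/local/tomcat/RELEASE-NOTES \
#       | tomcat_version_from_release_notes
sample_version=$(printf '%s\n' "$SAMPLE_RELEASE_NOTES" | tomcat_version_from_release_notes)
check_tomcat_version "$sample_version" || true
```

Because the comparison is numeric per component rather than a string compare, 8.5.100 correctly ranks above 8.5.99, which a plain `sort` or `>` on the strings would get wrong. Re-running the same check after every `docker pull` of the "latest" tag turns Nick's advice into something you can verify rather than assume.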