On 2024/09/08 11:36:56 "Agranov, Andrey" wrote:
> Hello
> guacamole/guacamole:1.5.5 Docker image uses Tomcat 8.5.98, which has several vulnerabilities, particularly CVE-2024-23672 and CVE-2024-24549
> Both vulnerabilities were fixed in Tomcat 8.5.99
> What is the recommended way to get a stable and tested image with the latest Tomcat 8.5.X?
> a. Wait for an official guacamole 1.5.X release? When is it planned?
> b. Build an image based on 1.5.5 locally and upgrade Tomcat?
> c. Use guacamole/guacamole:latest? Is it stable and suitable for production?
> Thanks
> Andrey
I just researched this issue (prompted by our security team) and found this thread on the mailing list. It would be great to see this addressed.

Tomcat 8.5.* went EOL on March 31: https://tomcat.apache.org/tomcat-85-eol.html
The latest 8.5.* release, 8.5.100, was released before that. So we should be using Tomcat 9.0.* now.

I am trying to deploy Guacamole in a supported manner. The documentation offers two options:

1. compiling everything manually
2. using the Docker image supplied

Clearly, 1 is a no-go in production environments. We need to be able to remedy security issues swiftly. We can't afford the time to manually recompile Guacamole for every Guacamole server whenever needed.

2 seems viable in principle, but it depends on everything being updated to keep ahead of vulnerabilities. Tomcat 8.5 is no longer receiving any. So we need an image with Tomcat 9.0.

I have looked at the existing image here
https://hub.docker.com/layers/guacamole/guacamole/latest/images/sha256-edd266c56accc3f432064ac409fb85c9e68c377a670f5cb150817189b0b024bf?context=explore
and it is unclear where it gets its Tomcat from, let alone how to change it.

Please supply an image based on Tomcat 9. Better still, publish your image definition in full so we can tweak it as desired.

Of course I can roll my own, but as stated above, we'd like to use a supported deployment method, when available.

-- 
Reinier Post
TU Eindhoven