On Tue, Sep 17, 2024 at 10:46 AM Reinier Post <rp4...@gmail.com> wrote:
> On 2024/09/08 11:36:56 "Agranov, Andrey" wrote:
> > Hello
> >
> > guacamole/guacamole:1.5.5 Docker image uses Tomcat 8.5.98, which has
> > several vulnerabilities, particularly CVE-2024-23672 and CVE-2024-24549
> >
> > Both vulnerabilities were fixed in Tomcat 8.5.99
> >
> > What is the recommended way to get a stable and tested image, with the latest
> > Tomcat 8.5.X?
> >
> > a. Wait for an official guacamole 1.5.X release? When is it planned?
> >
> > b. Build an image based on 1.5.5 locally and upgrade Tomcat?
> >
> > c. Use guacamole/guacamole:latest? Is it stable and suitable for
> > production?
> >
> > Thanks
> >
> > Andrey
>
> I just researched this issue (prompted by our security team) and found
> this thread on the mailing list.
>
> It would be great to see this addressed.
>
> Tomcat 8.5.* went EOL on March 31:
>
> https://tomcat.apache.org/tomcat-85-eol.html
>
> The latest 8.5.* release, 8.5.100, was released before that.
> So we should be using Tomcat 9.0.* now.

Yes, agreed.

> I am trying to deploy Guacamole in a supported manner.
> The documentation offers two options:
>
> 1. compiling everything manually
> 2. using the Docker image supplied
>
> Clearly, 1 is a no-go in production environments.

Compiling everything manually is perfectly valid in production environments. You may not want to go that route, and that's fine, but there's nothing wrong with installing Guacamole that way.

> We need to be able to remedy security issues swiftly.
> We can't afford the time to manually recompile Guacamole for every
> Guacamole server whenever needed.

Compiling from source does not take very long - both client and server can be compiled in under 10 minutes on reasonable, modern hardware:

guacd configure: 13s
guacd make: 1m0s
guacamole-client clean + build: 2m25s

(VMware VM running Rocky 8 with 4 cores and 32GB of RAM)

> 2 seems viable in principle, but it depends on everything being updated to
> keep ahead of vulnerabilities.
> Tomcat 8.5 is no longer receiving any.
>
> So we need an image with Tomcat 9.0.
> I have looked at the existing image here
>
> https://hub.docker.com/layers/guacamole/guacamole/latest/images/sha256-edd266c56accc3f432064ac409fb85c9e68c377a670f5cb150817189b0b024bf?context=explore
>
> and it is unclear where it gets its Tomcat from, let alone how to change
> it.
>
> Please supply an image based on Tomcat 9. Better still, publish your image
> definition in full so we can tweak it as desired.

The "image definitions" (Dockerfile) are available as part of the source code in our public git repositories. Here's the Dockerfile for 1.5.5:

https://github.com/apache/guacamole-client/blob/1.5.5/Dockerfile

The next release, 1.6.0, will contain Tomcat 9:

https://github.com/apache/guacamole-client/blob/staging/1.6.0/Dockerfile

We'll supply the image containing Tomcat 9 when we release 1.6.0, hopefully in the next week or two.

-Nick
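A check an operator can run against whichever image is actually deployed, added here as an example (it is not from the thread or the Guacamole project): it reads the Tomcat version the image reports and rates it using only the facts stated above, namely that 8.5.99 carries the fixes and that the whole 8.5 line is EOL. It assumes the image is built on the official tomcat image, so that `catalina.sh` is on PATH and `catalina.sh version` prints a `Server version: Apache Tomcat/x.y.z` line; the `check_image` and `classify` function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the Guacamole project: report which
# Tomcat a container image ships and rate it against the thread's facts
# (8.5.99 carries the fixes; the 8.5 line as a whole is EOL).
# Assumption: the image derives from the official tomcat image, so
# "catalina.sh version" is on PATH and prints "Server version: Apache Tomcat/x.y.z".
set -eu

FIXED_85="8.5.99"   # first 8.5.x release with the fixes named in the thread

# Pull "x.y.z" out of catalina.sh output read on stdin.
parse_tomcat_version() {
    sed -n 's|^Server version: *Apache Tomcat/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Return 0 when dot-separated numeric version $1 >= $2 (POSIX sh, no sort -V).
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}" y="${b%%.*}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# classify VERSION [MINIMUM]: "vulnerable" below the minimum, "eol" for any
# patched 8.5.x (no further fixes will ship), "ok" otherwise, and "unknown"
# when no minimum is known for that release line.
classify() {
    v="$1" min="${2:-}"
    case "$v" in 8.5.*) min="${min:-$FIXED_85}" ;; esac
    [ -n "$min" ] || { echo unknown; return 0; }
    if ! version_ge "$v" "$min"; then echo vulnerable
    elif [ "${v%.*}" = "8.5" ]; then echo eol
    else echo ok; fi
}

# check_image IMAGE [MINIMUM]: run catalina.sh inside the image and classify
# the version it reports (requires docker; MINIMUM is optional outside 8.5).
check_image() {
    v="$(docker run --rm --entrypoint catalina.sh "$1" version | parse_tomcat_version)"
    echo "$1 ships Tomcat ${v:-unknown}: $(classify "${v:-0}" "${2:-}")"
}

if [ $# -gt 0 ]; then check_image "$@"; fi
```

Usage: `sh check-tomcat.sh guacamole/guacamole:1.5.5` (for a non-8.5 line, pass the minimum fixed version as a second argument).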