[GeoNetwork-devel] Security scanning issue

Hi,

The below vulnerability came up when running our security scan on a Docker deployment of 3.10.6.

#### CVE-2020-8492 in python2.7

Status:

Confirmed

Description:

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Project:

XXXXXXXXXXXX

Identifiers:

CVE-2020-8492

Severity:

High

Scanner:

Container Scanning

Scanner Provider:

klar

Image:

XXXXXXXXXXXX

Namespace:

debian:10

Links:

https://security-tracker.debian.org/tracker/CVE-2020-8492

Edward Lewis PGradCert (Geostats), MGeol, MAusIMM

Standards Lead | Senior Geologist

p +44 (0)115 936 3385

m +44 (0)7487559371

e edlew@anonymised.com

t @GeologistEdd
w www.koalageo.rocks

w www.bgs.ac.uk

British Geological Survey | Nicker Hill | Keyworth | Nottingham NG12 5GG | UK

Hi Juan,

Thanks for the update, pleased it's nothing to be concerned with.

Cheers,

Edd

Hello Edd,

On Thu, Feb 11, 2021 at 5:48 PM Lewis, Edd <edlew@…1323…> wrote:

Hi,

The below vulnerability came up when running our security scan on a Docker deployment of 3.10.6.

#### CVE-2020-8492 in python2.7

Status:

Confirmed

Description:

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Project:

XXXXXXXXXXXX

Identifiers:

CVE-2020-8492

Severity:

High

Scanner:

Container Scanning

Scanner Provider:

klar

Image:

XXXXXXXXXXXX

Namespace:

debian:10

Links:

https://security-tracker.debian.org/tracker/CVE-2020-8492

Thank you for your report. GeoNetwork is a Java web application, and in the official image published on Docker Hub [1] it uses Tomcat 8.5 as the servlet container. Python is in the image as part of the base image; it isn't used by Tomcat or the Java Virtual Machine, so this vulnerability is not applicable/exploitable to a running GeoNetwork service.

However, as this is an official image, it is rebuilt whenever the base image or any of the images in the ancestor hierarchy is rebuilt, so we can expect that as soon as an official image with a patched version of Python is published on Docker Hub, the GeoNetwork image will be automatically rebuilt and this warning will disappear from your analysis tool.

Regards,

Juan Luis.

[1] https://hub.docker.com/_/geonetwork

Vriendelijke groeten / Kind regards,

Juan Luis Rodríguez.


Veenderweg 13
6721 WD Bennekom
The Netherlands
T: +31 (0)318 416664

Please consider the environment before printing this email.
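One way to turn the reasoning in Juan's reply into a repeatable triage check, added here as an example and not code from the GeoNetwork project: read which files the Tomcat JVM actually has mapped (from `/proc/<pid>/maps` inside the container), resolve them to Debian packages (as `dpkg -S` would), and tag each scanner finding as loaded at runtime or present only in the base image. The maps excerpt, the package ownership table and the findings list are constructed stand-ins shaped like the klar report quoted in this thread.

```python
"""Triage container-scan findings by whether the flagged package is loaded
by the service process.  Added example, not GeoNetwork project code.
Constructed stand-ins: (1) /proc/<tomcat-pid>/maps, (2) dpkg -S ownership,
(3) findings with the fields the thread's scanner report shows."""

# Constructed excerpt of /proc/<tomcat-pid>/maps from a debian:10 image.
MAPS = """\
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1d000000-7f3a1d021000 rw-p 00000000 00:00 0 [heap]
7f3a20c00000-7f3a20dc3000 r-xp 00000000 08:01 1049 /usr/lib/jvm/java-11-openjdk-amd64/lib/server/libjvm.so
7f3a21000000-7f3a2101f000 r-xp 00000000 08:01 2211 /lib/x86_64-linux-gnu/libc-2.28.so
7f3a21400000-7f3a21410000 r-xp 00000000 08:01 2304 /lib/x86_64-linux-gnu/libz.so.1.2.11
"""

# Constructed stand-in for `dpkg -S <path>` (file path -> owning package).
OWNER = {
    "/usr/lib/jvm/java-11-openjdk-amd64/lib/server/libjvm.so": "openjdk-11-jre-headless",
    "/lib/x86_64-linux-gnu/libc-2.28.so": "libc6",
    "/lib/x86_64-linux-gnu/libz.so.1.2.11": "zlib1g",
    "/usr/lib/python2.7/urllib2.py": "python2.7",
}

# Constructed findings; the second CVE id is a placeholder, not a real advisory.
FINDINGS = [
    {"Identifiers": "CVE-2020-8492", "Namespace": "debian:10",
     "Severity": "High", "Package": "python2.7"},
    {"Identifiers": "CVE-XXXX-PLACEHOLDER", "Namespace": "debian:10",
     "Severity": "High", "Package": "libc6"},
]


def mapped_files(maps_text):
    """Paths mapped into the process: column 6 of /proc/<pid>/maps, skipping
    anonymous mappings and pseudo-paths such as [heap]."""
    paths = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/"):
            paths.add(parts[5])
    return paths


def loaded_packages(maps_text, owner):
    """Packages owning at least one file the service process has mapped."""
    return {owner[p] for p in mapped_files(maps_text) if p in owner}


def triage(findings, loaded):
    """'runtime-loaded' needs action now; 'base-image-only' still shows up in
    the scanner until the base image is rebuilt, as the thread explains."""
    return {f["Identifiers"]: ("runtime-loaded" if f["Package"] in loaded
                               else "base-image-only") for f in findings}
```

A package tagged base-image-only is still installed in the image, so the scanner keeps reporting it; the tag only records that the running service does not load it.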