connect-docker's People

Contributors

brentmoen, jdonextgen, mikonoid, narupley, pladesma, rogin

connect-docker's Issues

Odd behavior with Admin GUI

We used the postgres-with-2-connect-servers-in-cluster.yml as a base to create ours (see below) with three containers. We access through the haproxy and odd behavior is noticeable in the Admin GUI. Channels will blink channels that we are working on changes... my Mirth Developer with a good bit of experience calls it "sketchy" or "glitchy" ... Noted this thread in the forums:

https://www.mirthcorp.com/community/forums/showthread.php?t=217676&highlight=haproxy

The only response was "use your HAProxy to Load Balance or whatever the INTERFACES... use the IP of the mirth engines to get to the admin interface separately - without the proxy in the way. "

So just how do you achieve that connection with mirth engines as docker containers using the admin GUI given they are behind the haproxy?

Best Regards,

Ric Cross

From da logs...
Running OpenJDK 64-Bit Server VM 11.0.6 on Linux (3.10.0-1062.18.1.el7.x86_64, amd64), mysql, with charset UTF-8.
Mirth Connect 3.8.1 (Built on September 12, 2019) server successfully started.

/opt/docker-volume/mirth-deploy.yaml
version: '3.3'
services:
  mc1:
    image: XXXXX/connect:latest
    environment:
      DATABASE: mysql
      DATABASE_URL: 'jdbc:mysql://10.11.11.11:3306/env_mirth'
      DATABASE_MAX_CONNECTIONS: 30
      DATABASE_USERNAME: env_mirth
      DATABASE_PASSWORD: 'NunYaBusiness'
      KEYSTORE_STOREPASS: 'docker_storepass'
      KEYSTORE_KEYPASS: 'docker_keypass'
      SESSION_STORE: 'true'
      VMOPTIONS: -Xmx512m
      SERVER_URL: mirth.XXXXX.com
    volumes:
      - '/opt/docker-volume/mirthappdata1:/opt/connect/appdata'
      - '/opt/docker-volume/mirthdata:/opt/connect/mirth-data'
      - '/etc/localtime:/etc/localtime:ro'
    expose:
      - 8080
      - 8443
      - 9001
    ports:
      - 8441:8443/tcp

  mc2:
    image: XXXXX/connect:latest
    environment:
      DATABASE: mysql
      DATABASE_URL: 'jdbc:mysql://10.11.11.11:3306/env_mirth'
      DATABASE_MAX_CONNECTIONS: 30
      DATABASE_USERNAME: env_mirth
      DATABASE_PASSWORD: 'NunYaBusiness'
      KEYSTORE_STOREPASS: 'docker_storepass'
      KEYSTORE_KEYPASS: 'docker_keypass'
      SESSION_STORE: 'true'
      VMOPTIONS: -Xmx512m
      SERVER_URL: mirth.XXXXX.com
    volumes:
      - '/opt/docker-volume/mirthappdata2:/opt/connect/appdata'
      - '/opt/docker-volume/mirthdata:/opt/connect/mirth-data'
      - '/etc/localtime:/etc/localtime:ro'
    expose:
      - 8080
      - 8443
      - 9001
    ports:
      - 8442:8443/tcp

  mc3:
    image: XXXXX/connect:latest
    environment:
      DATABASE: mysql
      DATABASE_URL: 'jdbc:mysql://10.11.11.11:3306/env_mirth'
      DATABASE_MAX_CONNECTIONS: 30
      DATABASE_USERNAME: env_mirth
      DATABASE_PASSWORD: 'NunYaBusiness'
      KEYSTORE_STOREPASS: 'docker_storepass'
      KEYSTORE_KEYPASS: 'docker_keypass'
      SESSION_STORE: 'true'
      VMOPTIONS: -Xmx512m
      SERVER_URL: mirth.XXXXX.com
    volumes:
      - '/opt/docker-volume/mirthappdata3:/opt/connect/appdata'
      - '/opt/docker-volume/mirthdata:/opt/connect/mirth-data'
      - '/etc/localtime:/etc/localtime:ro'
    expose:
      - 8080
      - 8443
      - 9001
    ports:
      - 8443:8443/tcp

  haproxy:
    image: haproxy
    ports:
      - 28080:8080/tcp
      - 28443:8443/tcp
      - 29001:9001/tcp
    volumes:
      - '/opt/docker-volume/haproxy:/usr/local/etc/haproxy:ro'
    depends_on:
      - mc1
      - mc2
      - mc3

/opt/docker-volume/haproxy/haproxy.cfg
defaults
    mode tcp
    option log-health-checks
    option redispatch
    retries 3
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout check 10s
    maxconn 3000

backend mcserver-http
    balance roundrobin
    server mc1-http mc1:8080 check
    server mc2-http mc2:8080 check
    server mc3-http mc3:8080 check

frontend mc-http
    bind *:8080
    default_backend mcserver-http

backend mcserver-https
    balance roundrobin
    server mc1-https mc1:8443 check
    server mc2-https mc2:8443 check
    server mc3-https mc3:8443 check

frontend mc-https
    bind *:8443
    default_backend mcserver-https

backend mcserver-9001
    balance roundrobin
    server mc1-9001 mc1:9001 check
    server mc2-9001 mc2:9001 check
    server mc3-9001 mc3:9001 check

frontend mc-9001
    bind *:9001
    default_backend mcserver-9001

EXTENSIONS_DOWNLOAD overwrite extension

With the EXTENSIONS_DOWNLOAD variable configured, when a restart is performed, the service does not start because it tries to download and overwrite the extensions. Recommendation: Add the -o option in /entrypoint.sh line 230.
from
for f in /tmp/userextensions/*.zip; do unzip "$f" -d /opt/connect/extensions; done
to
for f in /tmp/userextensions/*.zip; do unzip -o "$f" -d /opt/connect/extensions; done

Entrypoint.sh not respecting JAVA_TOOL_OPTIONS

Hi, I'm trying to start Mirth with JAVA_TOOL_OPTIONS='-XX:MinRAMPercentage=50.0 -XX:MaxRAMPercentage=90.0', but if I do so I get these errors:

No suitable Java Virtual Machine could be found on your system.
The version of the JVM must be at least 1.8.
Please define INSTALL4J_JAVA_HOME to point to a suitable JVM.

My guess is JAVA_TOOL_OPTIONS and VMOPTIONS are mutually exclusive, but I am not a Java expert. For sure I don't want to be limited by Xmx setting limitations in multiples of 1024, hence trying -XX:MaxRAMPercentage.

DATABASE_PASSWORD with ampersand breaks mirth.properties

If your DATABASE_PASSWORD includes an ampersand (&), the sed command that puts the password into the mirth.properties file messes up the file:

$ echo $DATABASE_PASSWORD
at&t
$ echo "database.password=blah" | sed "s/^database\.password\s*=\s*.*\$/database.password = ${DATABASE_PASSWORD//\//\\/}/"
database.password = atdatabase.password=blaht

The ampersand needs to be escaped. In my experimentation, this SO answer looks to offer a good solution. So that section of entrypoint.sh would look like:

if ! [ -z "${DATABASE_PASSWORD+x}" ]; then
	escaped_password=$(sed 's/[&/\]/\\&/g' <<<"$DATABASE_PASSWORD")
	sed -i "s/^database\.password\s*=\s*.*\$/database.password = ${escaped_password}/" /opt/connect/conf/mirth.properties
fi

Edit: A cleaner way may be to use full line replacement (/pattern to match/c replace full line with this) like this:

if ! [ -z "${DATABASE_PASSWORD+x}" ]; then
	sed -i "/^database\.password\s*=/c database.password = ${DATABASE_PASSWORD}" /opt/connect/conf/mirth.properties
fi

Setting up connect docker image on kubernetes sending data to channel generates HTTP 404

This is our first attempt at using the connect docker image on kubernetes and have hit an issue where connect is returning 404 when trying to send data to a channel.

The error seen is...
[error] 1530#1530: *28276600 connect() failed (111: Connection refused) while connecting to upstream, client: 90.200.224.195, server: nextgen-connect-dev.mydomain.com, request: "GET /UpdateExternalPrimaryIdentifier HTTP/2.0", upstream: "http://10.105.0.75:22223/", host: "nextgen-connect-dev.mydomain.com"

The HTTP URL connect is using is nextgen-connect-dev.mydomain.com. My feeling is that this is the problem causing the 404, as that URL essentially terminates at the NGINX controller and the message is passed to the connect pod/container using DNS, so it is using http://Pod-IP-address:22223, and so really the HTTP URL should be localhost?

I've included the manifest files in use below, so that hopefully someone can spot a glaring error I've missed and the problem will go away.

Thanks in advance for any help resolving this.

Deployment manifest
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    service: mirth-connect
  name: mirth-connect
spec:
  replicas: 1
  selector:
    matchLabels:
      service: mirth-connect
  strategy: {}
  template:
    metadata:
      labels:
        service: mirth-connect
    spec:
      containers:
        - image: docker.io/nextgenhealthcare/connect
          imagePullPolicy: IfNotPresent
          name: mirth-connect
          ports:
            - containerPort: 8443
            - containerPort: 22225
            - containerPort: 22223
          env:
            - name: DATABASE
              value: sqlserver
            - name: DATABASE_URL
              value: dbconnection
            - name: DATABASE_USERNAME
              value: user
            - name: DATABASE_PASSWORD
              value: pass
          resources:
            limits:
              cpu: 150m
              memory: 350Mi
            requests:
              cpu: 100m
              memory: 250Mi
      restartPolicy: Always
status: {}

Service manifest
apiVersion: v1
kind: Service
metadata:
  labels:
    service: mirth-connect
  name: mirth-connect
  namespace: development
spec:
  type: ClusterIP
  ports:
    - name: "adminui"
      protocol: TCP
      port: 8083
      targetPort: 8443
    - name: "pathology"
      protocol: TCP
      port: 22225
    - name: "primaryid"
      protocol: TCP
      port: 22223
  selector:
    service: mirth-connect
status:
  loadBalancer: {}

SSL ingress manifest
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-mirth-connect
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - "nextgen-connect-dev.mydomain.com"
      secretName: ingress-cert-secret
  rules:
    - host: "nextgen-connect-dev.mydomain.com"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: mirth-connect
                port:
                  number: 8083

Channels ingress manifest
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-mirth-connect-channels
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - "nextgen-connect-dev.mydomain.com"
      secretName: ingress-cert-secret
  rules:
    - host: "nextgen-connect-dev.mydomain.com"
      http:
        paths:
          - path: /UpdateExternalPrimaryIdentifier
            pathType: Prefix
            backend:
              service:
                name: mirth-connect
                port:
                  number: 22223
          - path: /SavePathologyResults
            pathType: Prefix
            backend:
              service:
                name: mirth-connect
                port:
                  number: 22225

Class path contains multiple SLF4J bindings.

Hello,

When we redeploy the image on the Kubernetes cluster we receive the message below and the server does not start.

ERROR 2022-07-28 10:06:37,189 [Main Server Thread] Server: SLF4J: Class path contains multiple SLF4J bindings.
Thu, Jul 28 2022 12:06:37 pm | ERROR 2022-07-28 10:06:37,190 [Main Server Thread] Server: SLF4J: Found binding in [jar:file:/opt/connect/server-lib/donkey/slf4j-log4j12-1.7.28.jar!/org/slf4j/impl/StaticLoggerBinder.class]
Thu, Jul 28 2022 12:06:37 pm | ERROR 2022-07-28 10:06:37,191 [Main Server Thread] Server: SLF4J: Found binding in [jar:file:/opt/connect/custom-lib/activemq-all-5.15.12.jar!/org/slf4j/impl/StaticLoggerBinder.class]
Thu, Jul 28 2022 12:06:37 pm | ERROR 2022-07-28 10:06:37,191 [Main Server Thread] Server: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
Thu, Jul 28 2022 12:06:37 pm | ERROR 2022-07-28 10:06:37,195 [Main Server Thread] Server: SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]

Unable to start the container on GCP

I am unable to use the container through GCP's Cloud Run, with an error that it failed to start and then listen on the port defined by the PORT=8080 environment variable. I tried providing 8443 instead, which also failed.

[BUG] Issue with docker image taking complete jdbc url with two or more extra properties from environment variable

Describe the bug
When passing a MySQL JDBC URL with SSL and multiple properties as an environment variable into a Kubernetes pod/Docker container, the server has trouble taking that URL value into the DB connection. When using this inside the mirth.properties file it works correctly.

To Reproduce
To reproduce, one would simply add a JDBC URL like this: jdbc:mysql://<some_ip_name>:3306/mirth?useSSL=true&enabledTLSProtocols=TLSv1.2&serverTimezone=UTC into the DATABASE_URL environment variable when starting a Docker container/pod.

Expected behavior
Expected behavior is to have mirth use full jdbc url correctly and be able to connect to DB like it does using mirth.properties

Actual behavior
I get different exceptions depending on how many of these extra properties are there. For example if url is like mentioned above then exception is like this:

Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at java.base/sun.security.ssl.HandshakeContext.<init>(Unknown Source)

if url is like this: jdbc:mysql://<some_ip>:3306/mirth?enabledTLSProtocols=TLSv1.2

the exception will be this:

ERROR 2021-10-15 21:11:17,176 [Main Server Thread] com.mirth.connect.server.Mirth: Error establishing connection to database, retrying startup in 10000 milliseconds
com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: The server time zone value 'Coordinated Universal Time' is unrecognized or represents more than one time zone. You must configure either the server or JDBC driver (via the serverTimezone configuration property) to use a more specifc time zone value if you want to utilize time zone support.
        at com.zaxxer.hikari.pool.HikariPool.checkFailFast(HikariPool.java:512)

This is expected because it really does need that time zone property, but when both or more are set in the URL, nothing takes effect.

Screenshots
N/A

Environment (please complete the following information):

  • Connect Version [e.g. 3.12.0]
  • Azure Kubernetes Service

Workaround(s)
We are evaluating if it would be possible for the time being to hard code mirth.properties file into mirth docker image. This is less than ideal by far.

One other workaround that I noticed is that we can put \\ in front of the & and that seems to do the trick. So for example:

jdbc:mysql://<some_ip>:3306/mirth?enabledTLSProtocols=TLSv1.2\\&serverTimezone=UTC

I can confirm this works but this should be fixed ideally.

Additional context
The problem seems to happen only when passing the URL as an environment variable to Docker, and only when there are multiple extra properties to set.

Custom SSL Certificate issue.

I don't see any issue with the self-signed SSL cert provided with the mirthconnect Docker image, but when I replace it with my custom SSL certs, following the instructions as explained here (https://www.youtube.com/watch?v=JveEJuz0dPc), the login does not happen; it says invalid credentials. The admin/admin credentials also did not work.

I had the pfx file and I used Portecle to add the pfx file to the keystore with the mirthconnect alias, following the video. After landing at the mirthconnect login page, the browser shows the right certificate. After this, I am unable to log in with any user. The admin/admin credentials also did not work.

After this I reverted back to the self-signed Mirth keystore which I backed up earlier, and it works fine. Please help!! Thanks in advance.

CVE-2022-3358 OpenSSL High finding

Scan Performed by Tenable.IO

Deployed in AWS GovCloud
Base OS RHEL 8.8

Mirth 4.4.0 docker deployment
output from docker exec -it ... /bin/bash -> openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Container locations found at
/var/lib/docker/overlay2/2c8b674dbcaeba17980b1e73ffbca5b22ddff4bbb2ec5a99d2eb39065e8fd5a5/diff/usr/bin/openssl
/var/lib/docker/overlay2/bd5700efed7d6206a58c205213a9d5205ac42759343c8a0f0975fba197057f85/merged/usr/bin/openssl
/var/lib/docker/overlay2/3f7d8dcc7c2f2c95be10b79b32cef72d6524b5a263a2e74b02d11363e5be755f/diff/usr/bin/openssl
/var/lib/docker/overlay2/56a86609a5c358b00335308a359f1488f072a6334a2581efff2500ec3ef757ee/diff/usr/bin/openssl
/var/lib/docker/overlay2/c4e78ad6d7d8cc176098872c6bacea5353bf9de0df17865d3b09ba7b439931c2/merged/usr/bin/openssl

The version of OpenSSL installed on the remote host is prior to 3.0.6. It is, therefore, affected by a vulnerability as referenced in the 3.0.6 advisory.

  • OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers.
    This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext.
    Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5). (CVE-2022-3358)

Risk Information
RISK FACTOR
High
CVSS BASE SCORE
7.8
CVSS TEMPORAL SCORE
5.8
CVSS VECTOR
AV:N/AC:L/Au:N/C:C/I:N/A:N
CVSS TEMPORAL VECTOR
E:U/RL:OF/RC:C
CVSS3 BASE SCORE
7.5
CVSS3 TEMPORAL SCORE
6.5
CVSS3 VECTOR
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS3 TEMPORAL VECTOR
E:U/RL:O/RC:C
IVAM SEVERITY
I
Vulnerability Information
VULN PUBLISHED
09/28/2022 at 5:00 PM
EXPLOITABILITY
PATCH PUBLISHED
09/28/2022 at 5:00 PM
CPE
cpe:/a:openssl:openssl
Reference Information
CVE
CVE-2022-3358
IAVA
2022-A-0415-S

Setting _MP_DATABASE__READONLY_URL fails with malformed JDBC connection string

Setting the environment variable _MP_DATABASE__READONLY_URL results in a malformed JDBC connection string in mirth.properties as forward slashes are escaped when being parsed by entrypoint.sh

_MP_DATABASE__READONLY_URL=jdbc:postgresql://db.hostname.example.com:5432/mirthdb
becomes
database-readonly.url = jdbc:postgresql:\\/\\/db.hostname.example.com:5432\\/mirthdb

Removing the toothpicks from ${VALUE} in a custom image fixed the issue for me
sed -i "s/^${ESCAPED_KEY}\s*=\s*.*\$/${ACTUAL_KEY} = ${VALUE//\//\\/}/" /opt/connect/conf/mirth.properties
to
sed -i "s/^${ESCAPED_KEY}\s*=\s*.*\$/${ACTUAL_KEY} = ${VALUE}/" /opt/connect/conf/mirth.properties
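The three properties-file problems reported on this page (an ampersand in DATABASE_PASSWORD, ampersands between JDBC URL parameters in DATABASE_URL, and the doubled backslashes in front of the slashes of _MP_DATABASE__READONLY_URL) all come from interpolating an untrusted value into a sed s/// replacement, where `&`, `\` and the delimiter are special. The following is an added example, not the connect-docker entrypoint's own code: one setter escapes the value correctly for sed, the other avoids the problem entirely by handing the value to awk through the environment so it is never parsed as program text. Function names, the constructed mirth.properties and the sample values are all assumptions of this example, and the `_MP_` name mapping in `mp_key()` is inferred from the single pair shown in this issue (`_MP_DATABASE__READONLY_URL` to `database-readonly.url`), not taken from the entrypoint.

```shell
#!/bin/sh
# Added example, not the connect-docker entrypoint. Portable sh: no bash-only
# ${var//...} expansions, no GNU-only \s in regexes, no sed -i.
set -u

# Escape a value for the right-hand side of sed "s/.../.../": backslash
# first, then "&" (which sed would replace with the matched text) and "/".
sed_escape_rhs() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/&/\\\&/g' -e 's|/|\\/|g'
}

# Variant 1: the s/// rewrite, with the value escaped and the key's dots
# escaped so "database.password" cannot also match "databaseXpassword".
set_property_sed() {
  file=$1 key=$2 value=$3
  esc_key=$(printf '%s' "$key" | sed 's/\./\\./g')
  esc_value=$(sed_escape_rhs "$value")
  sed "s/^${esc_key}[[:space:]]*=.*\$/${key} = ${esc_value}/" "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file"
}

# Variant 2: no escaping at all. awk reads key and value from the environment,
# so neither is ever parsed as part of a program; the key is compared as a
# plain string after trimming whitespace around the "=".
set_property_awk() {
  file=$1
  PROP_KEY=$2 PROP_VALUE=$3 awk '
    BEGIN { key = ENVIRON["PROP_KEY"]; value = ENVIRON["PROP_VALUE"] }
    {
      eq = index($0, "=")
      if (eq > 0) {
        k = substr($0, 1, eq - 1)
        gsub(/[ \t]/, "", k)
        if (k == key) { print key " = " value; next }
      }
      print
    }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Map an _MP_ environment variable name to a property key, following the one
# example on this page (assumed rule): drop the prefix, "__" becomes "-",
# "_" becomes ".", and the result is lowercased.
mp_key() {
  printf '%s' "$1" | sed -e 's/^_MP_//' -e 's/__/-/g' -e 's/_/./g' | tr 'A-Z' 'a-z'
}

# Try a setter on a constructed mirth.properties and return the rewritten
# line for the key (constructed sample file, not a real Mirth configuration).
demo_set() {
  setter=$1 dkey=$2 dvalue=$3
  tmp=$(mktemp)
  printf '%s\n' 'database.url = jdbc:postgresql://localhost:5432/mirthdb' \
                'database.password = changeme' \
                'database-readonly.url = jdbc:postgresql://localhost:5432/mirthdb' > "$tmp"
  "$setter" "$tmp" "$dkey" "$dvalue"
  grep "^${dkey} = " "$tmp"
  rm -f "$tmp" "$tmp.tmp"
}
```

Neither variant handles a value containing a newline, because a Java .properties line cannot hold one unescaped; reject such values before calling either setter. The awk variant is the safer default because it has no escaping step to get wrong, which is exactly the class of bug behind all three reports.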

JDK CVE-2023-22036, CVE-2023-22041 and CVE-2023-22043

Describe the security issue
The security scan from Tenable.IO is reporting these three CVEs for the OpenJDK bundled within Mirth 4.3.0: GHSA-mw33-48wm-m4r2, GHSA-rgxf-494f-377c and GHSA-grjf-4ggg-f6cm.

Vulnerability Location
This is the OpenJDK image used for Mirth

Environment (please complete the following information if it is applicable to the issue)

OS: Docker
Java Distribution/Version OpenJDK 17.0.6
Connect Version 4.3.0
Suggested remediation
Upgrade OpenJDK to 17.0.8 or greater

Additional context

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. (GHSA-mw33-48wm-m4r2)

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. (GHSA-rgxf-494f-377c)

Vulnerability in Oracle Java SE (component: JavaFX). The supported version that is affected is Oracle Java SE: 8u371. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE accessible data. (GHSA-grjf-4ggg-f6cm)

Exploitability Information
EXPLOIT AVAILABLE
True
EXPLOIT EASE
Exploits are available

Risk Information
RISK FACTOR
Medium
CVSS BASE SCORE
5.4
CVSS TEMPORAL SCORE
4.2
CVSS VECTOR
AV:N/AC:H/Au:N/C:N/I:C/A:N
CVSS TEMPORAL VECTOR
E:POC/RL:OF/RC:C
CVSS3 BASE SCORE
5.9
CVSS3 TEMPORAL SCORE
5.3
CVSS3 VECTOR
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS3 TEMPORAL VECTOR
E:P/RL:O/RC:C
IVAM SEVERITY
I

Path : /var/lib/docker/overlay2/e6cd599ca96af456509de813299cf0dbaa6c57eafca4a31a5ffd7ac040260dc7/diff/opt/java/openjdk/
Installed version : 17.0.6
Fixed version : Upgrade to version 17.0.8 or greater

Path : /var/lib/docker/overlay2/29ece69f535e91d11e8e7abe1f783d8c937e7b1b6d29781f46ec8e72ddd3a453/merged/opt/java/openjdk/
Installed version : 17.0.6
Fixed version : Upgrade to version 17.0.8 or greater

is the output

Unable to run 2 containers side by side

Hello,

Trying to use the nextgenhealthcare/connect image on docker.
Unfortunately I am not able to run 2 different containers side by side on the same machine.
I tried with
docker run --name Mirth1 -d -p 8443:8443 nextgenhealthcare/connect
docker run --name Mirth2 -d -p 8444:8444 nextgenhealthcare/connect
And also with docker-compose

version: "3"
services:
  "1":
    image: nextgenhealthcare/connect
    ports:
      - 8080:8080/tcp
      - 8443:8443/tcp

  "2":
    image: nextgenhealthcare/connect
    ports:
      - 8081:8081/tcp
      - 8444:8444/tcp

Both containers are running but only 1 is accessible.
When I have a look at the running containers and their ports, it looks like the connect image always adds the 8443/tcp as additional port to the second container:

CONTAINER ID   IMAGE                       COMMAND                  CREATED          STATUS         PORTS                                                       NAMES
357d322fea21   nextgenhealthcare/connect   "/entrypoint.sh ./mc…"   10 seconds ago   Up 8 seconds   0.0.0.0:8081->8081/tcp, 0.0.0.0:8444->8444/tcp, 8443/tcp   mirth_2_1
13f562a8c373   nextgenhealthcare/connect   "/entrypoint.sh ./mc…"   10 seconds ago   Up 9 seconds   0.0.0.0:8080->8080/tcp, 0.0.0.0:8443->8443/tcp             mirth_1_1

Any advice on how I can run multiple connect containers on the same docker installation?

Thanks!!

Why is mccommand getting removed?

First of all, I'm not a Mirth/NextGen Connect expert at all ;)

But my question is why is mccommand removed during image build?

RUN rm -rf cli-lib manager-lib \
    && rm mirth-cli-launcher.jar mirth-manager-launcher.jar mccommand mcmanager

Background:

I wanted to import channel configuration and wanted to try it out if one can import channels with it. Otherwise one has to write an ugly wrapper script around mcserver to do some curls which don't seem that safe or are coupled with more hassle.

If you have a better idea of how importing/creating things after the first startup of Mirth can be done automatically, please let me know!

KEYSTORE_TYPE environment variable replacement bug

The entrypoint script is replacing keystore.type in mirth.properties incorrectly. The replacement has:

sed -i "s/^keystore\.keypass\s*=\s*.*\$/keystore.type = ${KEYSTORE_TYPE//\//\\/}/" /opt/connect/conf/mirth.properties

but it should be:

sed -i "s/^keystore\.type\s*=\s*.*\$/keystore.type = ${KEYSTORE_TYPE//\//\\/}/" /opt/connect/conf/mirth.properties

How to set configurationmap.location = database from a kubernetes manifest

I have a Mirth container stood up in Kubernetes, and have managed, using the deployment manifest file, to set up database access, but I am not able to do the same with the configuration.properties file. From research I understand that the configuration.properties can be persisted in the database, but I'm unable to find how to pass that setting in the Kubernetes deployment manifest. Any pointers on how I might achieve passing this setting would be gratefully appreciated.

log4j.properties updates from entrypoint.sh

Can the log4j.properties values be updated in a similar way to the _MP__ variables? This would require an update to the entrypoint.sh file which would be better here than in a local repository. If I work on the changes and get them ready would that be acceptable?
Thanks
Paul.

Update Docker image to use latest Alpine Linux base image

It has recently come to our attention that our Docker images are not being built on the latest, stable OS version that it could be. We are using Azul Zulu and have been expecting that it will grab the latest and greatest version of Alpine Linux. It is actually using Alpine Linux v3.15. This is causing a large number of security issues (CVEs) to appear on security scans run by users when they use our Docker images.

We will update our image to use the latest Alpine Linux base image with the Zulu JDK installed on it.

Entrypoint.sh Problems

  1. The plugins zip file does not overwrite existing plugins. If I restart my container that has existing plugins loaded, the container tries to reinstall them and errors because the plugins already exist.

Code:

if [ $zipFileCount != 0 ]; then
	echo "Unzipping contents of /tmp/userextensions/ zips into /opt/connect/extensions"
	for f in /tmp/userextensions/*.zip; do unzip "$f" -d /opt/connect/extensions; done
	# removing the downloaded zip file
	rm -rf /tmp/userextensions
fi

Error:

Unzipping contents of /tmp/userextensions/ zips into /opt/connect/extensions
Archive:  /tmp/userextensions/alert-3.12.0.b2324.zip
replace /opt/connect/extensions/alert/alert-client.jar? [y]es, [n]o, [A]ll, [N]one, [r]ename:  NULL
(EOF or read error, treating as "[N]one" ...)
  2. Also, if anything fails inside the if statement, then the command rm -rf /tmp/userextensions is not reached, and subsequent runs cause an error because the entrypoint script runs the command mkdir /tmp/userextensions, which fails because the directory already exists.
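Both this issue and the EXTENSIONS_DOWNLOAD issue above describe the same two failure modes of the unpacking step: an interactive overwrite prompt on a stdin that is closed, and a stage directory that survives a failed run and then makes the next start's mkdir fail. The following is an added example, not the connect-docker entrypoint's own code, of an idempotent version of that step: `unzip -o` overwrites without prompting, `mkdir -p` tolerates pre-existing directories, and the stage directory is removed whether or not every archive unpacked cleanly. Stage and target directories are parameters here; the entrypoint uses /tmp/userextensions and /opt/connect/extensions. The plugin zip used by `demo_restart()` is constructed on the fly with `zip` and contains nothing from a real extension.

```shell
#!/bin/sh
# Added example, not the connect-docker entrypoint.
set -u

install_extensions() {
  stage=$1    # directory holding the downloaded *.zip files (assumed layout)
  target=$2   # extensions directory
  status=0
  mkdir -p "$target"                        # -p: a second start does not fail here
  for f in "$stage"/*.zip; do
    [ -e "$f" ] || continue                 # no archives: the glob stayed literal
    if unzip -o -q "$f" -d "$target"; then  # -o: overwrite, never prompt on stdin
      echo "unpacked $f into $target"
    else
      echo "failed to unpack $f" >&2        # keep going; report failure at the end
      status=1
    fi
  done
  rm -rf "$stage"                           # cleanup is not skipped on failure
  return $status
}

# Simulate two container starts that each download the same plugin zip
# (constructed here with "zip"); return the jar content after the second
# start, which must be the newer version. stdin is /dev/null, as in a
# non-interactive container start.
demo_restart() {
  work=$(mktemp -d)
  mkdir -p "$work/src/alert"
  for version in v1 v2; do
    mkdir -p "$work/stage"
    printf '%s' "$version" > "$work/src/alert/alert-client.jar"
    (cd "$work/src" && zip -q -r "$work/stage/alert.zip" alert)
    install_extensions "$work/stage" "$work/ext" < /dev/null > /dev/null
  done
  cat "$work/ext/alert/alert-client.jar"
  if [ -d "$work/stage" ]; then echo " (stage dir left behind)"; fi
  rm -rf "$work"
}

# Stage directory containing no archive at all: the function must still
# create the target and remove the stage directory; return 0 on success.
demo_empty_stage() {
  work=$(mktemp -d)
  mkdir -p "$work/stage"
  : > "$work/stage/readme.txt"
  install_extensions "$work/stage" "$work/ext" > /dev/null
  [ -d "$work/ext" ] && [ ! -d "$work/stage" ]
  rc=$?
  rm -rf "$work"
  return $rc
}
```

Because the function returns non-zero when any archive failed but still removes the stage directory, a caller that runs under `set -e` gets the failure reported without leaving behind the state that breaks the next start.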

[IDEA] set server.id with environment variable

Normally a unique server id is generated the first time a container starts. In an environment with ephemeral containers, each restart of the service will use a different server id.

Queued messages are associated to a server id. If a server is shut down while messages are still queued, the queued messages will not be processed when the service restarts if the new container does not have the same server id.

The paid Advanced Clustering extension handles this situation, but in a single node setup where the extension is not being used, this is a problem.

Keeping the file in a volume or bind mounting it could be a workaround, but most other settings are now configurable through environment variables without involving persistent storage.

Update of openssl in Dockerfile

Hi All,
I appreciate very much your great progress in developing mirth-connect.
I would suggest to update the openssl (v3.1.3 -> 3.1.4) in Dockerfile. At the same time I would put the downloaded source files of openssl in a folder different from the root folder.
László

How to start a connect container with pre-configured channels?

nextgenhealthcare/connect works great so far, I have started the container with some open TCP-Ports, changed the password and deployed some channels to receive HL7v2 messages over MLLP.

docker run \
  --name hl7-connect \
  --link hl7-postgres:postgres \
  --restart=unless-stopped \
  -p 8080:8080 \
  -p 8443:8443 \
  -p 7000-7100:7000-7100 \
  --env DATABASE=postgres \
  --env DATABASE_URL=jdbc:postgresql://hl7-postgres:5432/db \
  --env DATABASE_MAX_CONNECTIONS=20 \
  --env DATABASE_USERNAME=db \
  --env DATABASE_PASSWORD=db \
  --env VMOPTIONS=-Xmx512m \
  -d nextgenhealthcare/connect

Now with everything stable, I would like to automate the full configuration and start of connect and the channels. What's the best practice to do this programmatically when starting a new container?

  1. Change user/pass used to connect with the GUI
  2. Import channels from XML file
  3. Deploy and start the channels

MySQL fails on all alpine builds with segmentation fault (works in debian builds)

To reproduce:

  • Run the MySQL with volumes example compose file (from the examples folder of this repo)
  • Note that it starts up and runs fine, and that the web interface is available
  • Now change the tag for mc->image: to :3.9-zulu-alpine
  • re-run the compose file (docker-compose up again)
  • Note that errors are thrown on the console, the web interface is not available and the container shuts down after a minute or so

Expected behaviour:

  • The alpine based image starts up exactly the same as the debian based image

Error log:

The relevant lines are:

mc_1  | /entrypoint.sh: line 197:    88 Done                    echo $dbpassword
mc_1  |         89 Segmentation fault      | mysql -h "$dbhost" -p -P "$dbport" -u "$dbusername" -e 'SHOW DATABASES' > /dev/null 2>&1

The full log is:

db_1  | 2020-06-23 11:02:58+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.20-1debian10 started.
db_1  | 2020-06-23 11:02:58+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
db_1  | 2020-06-23 11:02:58+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.20-1debian10 started.
db_1  | 2020-06-23T11:02:58.509289Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
db_1  | 2020-06-23T11:02:58.509428Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.20) starting as process 1
db_1  | 2020-06-23T11:02:58.529856Z 1 [System] [MY-011012] [Server] Starting upgrade of data directory.
db_1  | 2020-06-23T11:02:58.529972Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
db_1  | 2020-06-23T11:02:58.636866Z 1 [ERROR] [MY-012530] [InnoDB] Unknown redo log format (104). Please follow the instructions at http://dev.mysql.com/doc/refman/8.0/en/ upgrading-downgrading.html.
db_1  | 2020-06-23T11:02:58.637040Z 1 [ERROR] [MY-012930] [InnoDB] Plugin initialization aborted with error Generic error.
mc_1  | trying to connect to mysql
mc_1  | /entrypoint.sh: line 197:    79 Done                    echo $dbpassword
mc_1  |         80 Segmentation fault      | mysql -h "$dbhost" -p -P "$dbport" -u "$dbusername" -e 'SHOW DATABASES' > /dev/null 2>&1
db_1  | 2020-06-23T11:02:59.075596Z 1 [ERROR] [MY-011013] [Server] Failed to initialize DD Storage Engine.
db_1  | 2020-06-23T11:02:59.075982Z 0 [ERROR] [MY-010020] [Server] Data Dictionary initialization failed.
db_1  | 2020-06-23T11:02:59.076297Z 0 [ERROR] [MY-010119] [Server] Aborting
db_1  | 2020-06-23T11:02:59.076956Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.20)  MySQL Community Server - GPL.
portainertemplatetest_db_1 exited with code 1
mc_1  | /entrypoint.sh: line 197:    82 Done                    echo $dbpassword
mc_1  |         83 Segmentation fault      | mysql -h "$dbhost" -p -P "$dbport" -u "$dbusername" -e 'SHOW DATABASES' > /dev/null 2>&1
mc_1  | /entrypoint.sh: line 197:    85 Done                    echo $dbpassword
mc_1  |         86 Segmentation fault      | mysql -h "$dbhost" -p -P "$dbport" -u "$dbusername" -e 'SHOW DATABASES' > /dev/null 2>&1
mc_1  | /entrypoint.sh: line 197:    88 Done                    echo $dbpassword
mc_1  |         89 Segmentation fault      | mysql -h "$dbhost" -p -P "$dbport" -u "$dbusername" -e 'SHOW DATABASES' > /dev/null 2>&1
mc_1  | /entrypoint.sh: line 197:    91 Done                    echo $dbpassword
mc_1  |         92 Segmentation fault      | mysql -h "$dbhost" -p -P "$dbport" -u "$dbusername" -e 'SHOW DATABASES' > /dev/null 2>&1
mc_1  | /entrypoint.sh: line 197:    94 Done                    echo $dbpassword
mc_1  |         95 Segmentation fault      | mysql -h "$dbhost" -p -P "$dbport" -u "$dbusername" -e 'SHOW DATABASES' > /dev/null 2>&1

How to change default 8080 and 8043 ports?

We are trying to do it:

8083:8080/tcp
8044:8043/tcp

kentra.mirthconnect | ERROR 2020-05-03 19:20:01,116 [Main Server Thread] com.mirth.connect.server.Mirth: http.port port is already in use: 8080
kentra.mirthconnect | ERROR 2020-05-03 19:20:01,117 [Main Server Thread] com.mirth.connect.server.Mirth: https.port port is already in use: 8443

At the host, ports 8080 and 8043 are not available. How can we solve this issue? Any hint?
Thanks

Current `VMOPTIONS` does not allow for JVM options using commas

I'd like to add a vmoption to enable Remote JVM debugging, but the current implementation of comma-separating the option is not compatible with this.
Remote JVM debugging is enabled with the single vmoption of -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005, but the current entryscript.sh implementation splits this into four distinct parts.

There are two approaches to solving this issue:

  1. Mount a custom mcserver_base.vmoptions file with the above-mentioned vmoption, to which entrypoint.sh appends the specified options from the VMOPTIONS env.
    • I consider this a hacky workaround rather than a solution
  2. Add a new env variable to the Dockerfile with a different, less common, delimiter (\n for example). In my mind the new env is needed to maintain backwards compatibility with earlier versions.
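As an added example (not the connect-docker entrypoint.sh itself), the script below shows why the comma-delimited scheme mangles the jdwp option and what the newline-delimited alternative from option 2 looks like when appending to a vmoptions file; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not the connect-docker entrypoint.sh. Shows why splitting VMOPTIONS on
# commas mangles a JVM option that itself contains commas, and the newline-delimited
# alternative from option 2. Function names are illustrative.

# The option from the issue: ONE JVM argument with four comma-separated fields inside it.
JDWP_OPT='-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005'

# Current scheme: comma-delimited. Every comma starts a new "option".
split_comma() {
    printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Proposed scheme: newline-delimited. Commas inside an option are preserved.
split_newline() {
    printf '%s\n' "$1" | sed '/^$/d'
}

# Count the options a splitter yields for a given value.
count_opts() {
    "$1" "$2" | wc -l | tr -d ' '
}

# Append the newline-delimited options in "$2" to the vmoptions file "$1", one per line,
# the way the entrypoint appends to the base mcserver_base.vmoptions.
append_vmoptions() {
    split_newline "$2" | while IFS= read -r opt; do
        printf '%s\n' "$opt" >> "$1"
    done
}

demo() {
    tmp=$(mktemp)
    printf '%s\n' '-Xmx512m' > "$tmp"                   # stand-in for the base file
    append_vmoptions "$tmp" "$(printf '%s\n%s' '-Xms256m' "$JDWP_OPT")"
    echo "comma split yields $(count_opts split_comma "$JDWP_OPT") fragments"      # 4
    echo "newline split keeps it as $(count_opts split_newline "$JDWP_OPT") option" # 1
    cat "$tmp"
    rm -f "$tmp"
}

demo
```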

CVE-2022-1473, CVE-2022-1434, CVE-2022-1343, and CVE-2022-1292 OpenSSL Critical Finding

Scan Performed by Tenable.IO

Deployed in AWS GovCloud
Base OS RHEL 8.8

Mirth 4.4.0 docker deployment
output from docker exec -it ... /bin/bash -> openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Container locations found at
/var/lib/docker/overlay2/2c8b674dbcaeba17980b1e73ffbca5b22ddff4bbb2ec5a99d2eb39065e8fd5a5/diff/usr/bin/openssl
/var/lib/docker/overlay2/bd5700efed7d6206a58c205213a9d5205ac42759343c8a0f0975fba197057f85/merged/usr/bin/openssl
/var/lib/docker/overlay2/3f7d8dcc7c2f2c95be10b79b32cef72d6524b5a263a2e74b02d11363e5be755f/diff/usr/bin/openssl
/var/lib/docker/overlay2/56a86609a5c358b00335308a359f1488f072a6334a2581efff2500ec3ef757ee/diff/usr/bin/openssl
/var/lib/docker/overlay2/c4e78ad6d7d8cc176098872c6bacea5353bf9de0df17865d3b09ba7b439931c2/merged/usr/bin/openssl

CVE-2022-1473, CVE-2022-1434, CVE-2022-1343, CVE-2022-1292

The version of OpenSSL installed on the remote host is prior to 3.0.3. It is, therefore, affected by multiple vulnerabilities as referenced in the 3.0.3 advisory.

  • The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). (CVE-2022-1473)

  • The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol. Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite. The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred: 1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers 2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration) 3) The ciphersuite must have been explicitly added to the ciphersuite list 4) The libssl security level must have been set to 0 (default is 1) 5) A version of SSL/TLS below TLSv1.3 must have been negotiated 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). (CVE-2022-1434)

  • The function OCSP_basic_verify verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of OCSP_basic_verify will not use the OCSP_NOCHECKS flag. In this case the OCSP_basic_verify function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL ocsp application. When verifying an ocsp response with the -no_cert_checks option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). (CVE-2022-1343)

  • The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd). (CVE-2022-1292)

Risk Information
RISK FACTOR: Critical
CVSS BASE SCORE: 10.0
CVSS TEMPORAL SCORE: 7.4
CVSS VECTOR: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS TEMPORAL VECTOR: E:U/RL:OF/RC:C
CVSS3 BASE SCORE: 9.8
CVSS3 TEMPORAL SCORE: 8.5
CVSS3 VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS3 TEMPORAL VECTOR: E:U/RL:O/RC:C
IVAM SEVERITY: I

Vulnerability Information
VULN PUBLISHED: 05/02/2022 at 5:00 PM
EXPLOITABILITY:
PATCH PUBLISHED: 05/02/2022 at 5:00 PM
CPE: cpe:/a:openssl:openssl

Reference Information
CVE: CVE-2022-1473, CVE-2022-1434, CVE-2022-1343, CVE-2022-1292
IAVA: 2022-A-0186-S

CVE-2022-2068 - OpenSSL Critical finding

Scan Performed by Tenable.IO

Deployed in AWS GovCloud
Base OS RHEL 8.8

Mirth 4.4.0 docker deployment
output from docker exec -it ... /bin/bash -> openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Container locations found at
/var/lib/docker/overlay2/2c8b674dbcaeba17980b1e73ffbca5b22ddff4bbb2ec5a99d2eb39065e8fd5a5/diff/usr/bin/openssl
/var/lib/docker/overlay2/bd5700efed7d6206a58c205213a9d5205ac42759343c8a0f0975fba197057f85/merged/usr/bin/openssl
/var/lib/docker/overlay2/3f7d8dcc7c2f2c95be10b79b32cef72d6524b5a263a2e74b02d11363e5be755f/diff/usr/bin/openssl
/var/lib/docker/overlay2/56a86609a5c358b00335308a359f1488f072a6334a2581efff2500ec3ef757ee/diff/usr/bin/openssl
/var/lib/docker/overlay2/c4e78ad6d7d8cc176098872c6bacea5353bf9de0df17865d3b09ba7b439931c2/merged/usr/bin/openssl

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2068

Finding -
The version of OpenSSL installed on the remote host is prior to 3.0.4. It is, therefore, affected by a vulnerability as referenced in the 3.0.4 advisory.

  • In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze). (CVE-2022-2068)

Risk Information
RISK FACTOR: Critical
CVSS BASE SCORE: 10.0
CVSS TEMPORAL SCORE: 7.4
CVSS VECTOR: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS TEMPORAL VECTOR: E:U/RL:OF/RC:C
CVSS3 BASE SCORE: 9.8
CVSS3 TEMPORAL SCORE: 8.5
CVSS3 VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS3 TEMPORAL VECTOR: E:U/RL:O/RC:C
IVAM SEVERITY: I

Vulnerability Information
VULN PUBLISHED: 06/20/2022 at 5:00 PM
EXPLOITABILITY:
PATCH PUBLISHED: 06/20/2022 at 5:00 PM
CPE: cpe:/a:openssl:openssl

Reference Information
CVE: CVE-2022-2068
IAVA: 2022-A-0257-S

MySQL is unavailable. Aborting.

I can't get Connect to run with MySQL (it ran great before without MySQL). For some reason the connect container can't connect to MySQL, although other containers (like Adminer/phpmyadmin) can, using the hostname connectdb. With the image 3.8.1 I am getting:

connect_1 | trying to connect to mysql
connect_1 | MySQL is unavailable. Aborting.

With the image 3.8.1-zulu-alpine-jdk I am getting:

connect_1 | /entrypoint.sh: line 192: 215 Done echo $dbpassword
connect_1 | 216 Segmentation fault | mysql -h "$dbhost" -p -P "$dbport" -u "$dbusername" -e 'SHOW DATABASES' > /dev/null 2>&1
connect_1 | /entrypoint.sh: line 192: 218 Done echo $dbpassword
connect_1 | 219 Segmentation fault | mysql -h "$dbhost" -p -P "$dbport" -u "$dbusername" -e 'SHOW DATABASES' > /dev/null 2>&1
connect_1 | MySQL is unavailable. Aborting.
smart-or-data-broker_connect_1 exited with code 1

Seems like the information from my env file is not passed into connect? With all other containers in the same docker-compose.yml it works well.

However even without the env file, running e.g. "docker run --name connect -p 8443:8443 -e DATABASE='mysql' -e DATABASE_URL='jdbc:mysql://connectdb:3306/mirthdb' nextgenhealthcare/connect:3.8.1-zulu-alpine" produces the same error. I know the password and so on are missing, however the host and port are not found either:

219 Segmentation fault | mysql -h "$dbhost" -p -P "$dbport" -u "$dbusername" -e 'SHOW DATABASES' > /dev/null 2>&1

My docker-compose looks like this:

  connect:
    image: nextgenhealthcare/connect:3.8.1
    ports:
      - 8443:8443/tcp
      - 6554:6554/tcp
    environment:
      - DATABASE=mysql
      - DATABASE_URL=jdbc:mysql://connectdb:3306/mirthdb
      - DATABASE_MAX_CONNECTIONS=20
      - DATABASE_USERNAME=root
      - DATABASE_PASSWORD=${DB_ROOT_PASSWORD}
    volumes:
      - ./connect/appdata:/opt/connect/appdata
  connectdb:
    image: mysql:8
    restart: always
    volumes:
      - ./connectdb/lib/mysql:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=${DB_ROOT_PASSWORD}
      - MYSQL_DATABASE=mirthdb
      - MYSQL_USER=${DB_USER}
      # the official mysql image reads MYSQL_PASSWORD for MYSQL_USER; MYSQL_USER_PASSWORD is not recognised
      - MYSQL_PASSWORD=${DB_USER_PASSWORD}
    ports:
      - 3306:3306/tcp
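The probe the logs show (here and in the earlier MySQL log at the top of this section) is `echo $dbpassword | mysql -p ...`, which feeds the password to the -p prompt over stdin and never names the database. As an added example, not code from connect-docker's entrypoint.sh, here is the readiness probe written the way a defender would want it in that script: the password goes into a 0600 option file passed with --defaults-extra-file, the probe runs against the named database taken from DATABASE_URL, and retries are bounded. MYSQL_CMD, MAX_TRIES and RETRY_SLEEP are hypothetical knobs so the loop can be exercised without a server.

```shell
#!/bin/sh
# Added example, not the connect-docker entrypoint.sh. A MySQL readiness probe that
# replaces "echo $dbpassword | mysql -p ..." with a 0600 --defaults-extra-file (the
# password never appears on a command line or in `set -x` tracing), selects against
# the named database (so a wrong schema or user/database mismatch fails here, not
# later), and bounds its retries. MYSQL_CMD, MAX_TRIES and RETRY_SLEEP are hypothetical
# knobs so the loop can be exercised without a server.

: "${MYSQL_CMD:=mysql}"
: "${MAX_TRIES:=30}"
: "${RETRY_SLEEP:=2}"

# Split "jdbc:mysql://host[:port]/db[?params]" into "host port db"; port defaults to 3306.
parse_jdbc_url() {
    rest=${1#jdbc:mysql://}
    hostport=${rest%%/*}
    db=${rest#*/}
    db=${db%%\?*}
    host=${hostport%%:*}
    port=${hostport##*:}
    [ "$port" = "$hostport" ] && port=3306
    printf '%s %s %s\n' "$host" "$port" "$db"
}

# Write a mysql CLI option file readable only by the current user.
# Arguments: file host port user password database
# Connection settings go under [client]; "database" is only valid for the mysql
# program itself, so it goes under [mysql]. Double quotes keep '#' and ';' in the
# password literal (a password containing '"' would still need escaping).
write_mysql_client_config() {
    ( umask 077; cat > "$1" <<EOF
[client]
host=$2
port=$3
user=$4
password="$5"
[mysql]
database=$6
EOF
      chmod 600 "$1" )
}

# Probe until the server answers a trivial query; 0 on success, 1 after MAX_TRIES failures.
wait_for_mysql() {
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        if "$MYSQL_CMD" --defaults-extra-file="$1" -e 'SELECT 1' >/dev/null 2>&1; then
            return 0
        fi
        tries=$((tries + 1))
        echo "waiting for mysql (attempt $tries/$MAX_TRIES)" >&2
        sleep "$RETRY_SLEEP"
    done
    return 1
}

# Glue using the same DATABASE_* variables the compose file above sets.
check_mysql() {
    set -- $(parse_jdbc_url "${DATABASE_URL:?DATABASE_URL is required}")
    cfg=$(mktemp)
    write_mysql_client_config "$cfg" "$1" "$2" "$DATABASE_USERNAME" "$DATABASE_PASSWORD" "$3"
    if wait_for_mysql "$cfg"; then rc=0; else rc=1; fi
    rm -f "$cfg"                                  # never leave the password on disk
    return "$rc"
}
```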

CVE-2022-3786 and CVE-2022-3602 OpenSSL High Finding

Scan Performed by Tenable.IO

Deployed in AWS GovCloud
Base OS RHEL 8.8

Mirth 4.4.0 docker deployment
output from docker exec -it ... /bin/bash -> openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Container locations found at
/var/lib/docker/overlay2/2c8b674dbcaeba17980b1e73ffbca5b22ddff4bbb2ec5a99d2eb39065e8fd5a5/diff/usr/bin/openssl
/var/lib/docker/overlay2/bd5700efed7d6206a58c205213a9d5205ac42759343c8a0f0975fba197057f85/merged/usr/bin/openssl
/var/lib/docker/overlay2/3f7d8dcc7c2f2c95be10b79b32cef72d6524b5a263a2e74b02d11363e5be755f/diff/usr/bin/openssl
/var/lib/docker/overlay2/56a86609a5c358b00335308a359f1488f072a6334a2581efff2500ec3ef757ee/diff/usr/bin/openssl
/var/lib/docker/overlay2/c4e78ad6d7d8cc176098872c6bacea5353bf9de0df17865d3b09ba7b439931c2/merged/usr/bin/openssl

The version of OpenSSL installed on the remote host is prior to 3.0.7. It is, therefore, affected by multiple vulnerabilities as referenced in the 3.0.7 advisory.

  • A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. (CVE-2022-3786)

  • A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. (CVE-2022-3602)

Risk Information
RISK FACTOR: High
CVSS BASE SCORE: 7.8
CVSS TEMPORAL SCORE: 5.8
CVSS VECTOR: AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS TEMPORAL VECTOR: E:U/RL:OF/RC:C
CVSS3 BASE SCORE: 7.5
CVSS3 TEMPORAL SCORE: 6.5
CVSS3 VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS3 TEMPORAL VECTOR: E:U/RL:O/RC:C
IVAM SEVERITY: I

Vulnerability Information
VULN PUBLISHED: 10/31/2022 at 5:00 PM
EXPLOITABILITY:
PATCH PUBLISHED: 10/31/2022 at 5:00 PM
CPE: cpe:/a:openssl:openssl

Reference Information
CVE: CVE-2022-3786, CVE-2022-3602
IAVA: 2022-A-0452-S

Mirth does not start up on Apple M1

Mirth does not start up on Apple M1. It either throws the following error or just hangs:

# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGILL (0x4) at pc=0x0000004017c7a324, pid=1202, tid=1759
#
# JRE version: OpenJDK Runtime Environment 18.9 (11.0.8+10) (build 11.0.8+10)
# Java VM: OpenJDK 64-Bit Server VM 18.9 (11.0.8+10, mixed mode, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# J 459 c1 java.util.zip.ZipFile.ensureOpen()V [email protected] (40 bytes) @ 0x0000004017c7a324 [0x0000004017c7a300+0x0000000000000024]
#
# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# /opt/connect/hs_err_pid1202.log
Could not load hsdis-amd64.so; library not loadable; PrintAssembly is disabled
#
# If you would like to submit a bug report, please visit:
#   https://bugreport.java.com/bugreport/crash.jsp
#
qemu: uncaught target signal 6 (Aborted) - core dumped

It will be useful to build an arm64-specific docker container that can be used on Apple M1 machines.

Postgresql JDBC Driver CVE-2022-41946

Describe the security issue
Security scans utilizing Tenable.io and Nessus Pro keep reporting [https://github.com/advisories/GHSA-562r-vg33-8x8h]

Vulnerability Location
This is in the main codebase with the docker image

Environment (please complete the following information if it is applicable to the issue)

OS: docker
Java Distribution/Version: OpenJDK 17.0.6
Connect Version: 4.3

Suggested remediation
Recommendation is to update the driver to 42.2.27 or greater

Additional context
The remote host contains a version of PostgreSQL JDBC Driver that is 42.2.x prior to 42.2.27, 42.3.x prior to 42.3.8, 42.4.x prior to 42.4.3 or 42.5.x prior to 42.5.1. It is, therefore, affected by an information disclosure vulnerability.
SQL queries using prepared statements that total more than 51 kilobytes will be written to the system temporary directory where they can be read by any local user of the system.

Risk Information
RISK FACTOR: Medium
CVSS BASE SCORE: 4.6
CVSS TEMPORAL SCORE: 3.4
CVSS VECTOR: AV:L/AC:L/Au:S/C:C/I:N/A:N
CVSS TEMPORAL VECTOR: E:U/RL:OF/RC:C
CVSS3 BASE SCORE: 5.5
CVSS3 TEMPORAL SCORE: 4.8
CVSS3 VECTOR: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS3 TEMPORAL VECTOR: E:U/RL:O/RC:C
IVAM SEVERITY: I

Scan output -

Path : /var/lib/docker/overlay2/00ed3fe318648ee5e2b7f874ecc81624ba002ee805aef17437f8515ccc98de7a/diff/opt/connect/server-lib/database/postgresql-42.2.19.jar
Installed version : 42.2.19
Fixed version : 42.2.27

Path : /var/lib/docker/overlay2/29ece69f535e91d11e8e7abe1f783d8c937e7b1b6d29781f46ec8e72ddd3a453/merged/opt/connect/server-lib/database/postgresql-42.2.19.jar
Installed version : 42.2.19
Fixed version : 42.2.27

Path : /var/lib/docker/overlay2/583ec33151e4a95114610d97f210172f14a681659238934e76c11c3e1569753e/diff/opt/connect/server-lib/database/postgresql-42.2.19.jar
Installed version : 42.2.19
Fixed version : 42.2.27
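As an added check (not connect-docker code), the script below reproduces the scanner's verdict offline: it finds pgjdbc jars under a directory such as one of the overlay2 paths listed above and classifies each version against the fixed versions the advisory lists. It handles all four branches the advisory names, not only the 42.2.x found in this scan; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not part of the connect-docker project. A detection check for the
# finding above: locate pgjdbc jars under a directory (an extracted image layer or a
# container's filesystem) and classify each against the fixed versions the advisory
# lists (42.2.27, 42.3.8, 42.4.3, 42.5.1). Function names are illustrative.

# Compare two dotted versions numerically; prints -1, 0 or 1. Non-numeric
# components (e.g. a ".jre7" suffix) are treated as 0.
version_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        if [ "$ax" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bx" = "$b" ]; then b=''; else b=${b#*.}; fi
        case $ax in ''|*[!0-9]*) ax=0 ;; esac
        case $bx in ''|*[!0-9]*) bx=0 ;; esac
        if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return; fi
        if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# .../postgresql-42.2.19.jar -> 42.2.19
pgjdbc_version_from_path() {
    name=${1##*/}
    name=${name#postgresql-}
    printf '%s\n' "${name%.jar}"
}

# Classify a version against CVE-2022-41946 (GHSA-562r-vg33-8x8h):
# "vulnerable", "fixed", or "not-listed" for branches the advisory does not cover.
pgjdbc_cve_2022_41946_status() {
    case $1 in
        42.2.*) fixed=42.2.27 ;;
        42.3.*) fixed=42.3.8 ;;
        42.4.*) fixed=42.4.3 ;;
        42.5.*) fixed=42.5.1 ;;
        *) printf '%s\n' not-listed; return ;;
    esac
    if [ "$(version_cmp "$1" "$fixed")" -lt 0 ]; then
        printf '%s\n' vulnerable
    else
        printf '%s\n' fixed
    fi
}

# Walk a tree and print "path<TAB>version<TAB>status" for every pgjdbc jar found.
report_pgjdbc_jars() {
    find "$1" -type f -name 'postgresql-*.jar' | while IFS= read -r jar; do
        v=$(pgjdbc_version_from_path "$jar")
        printf '%s\t%s\t%s\n' "$jar" "$v" "$(pgjdbc_cve_2022_41946_status "$v")"
    done
}

# Usage: sh pgjdbc_check.sh /var/lib/docker/overlay2/<layer>/diff
if [ $# -ge 1 ]; then
    report_pgjdbc_jars "$1"
fi
```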

CVE-2023-0401, CVE-2023-0286, CVE-2023-0217, CVE-2023-0216, CVE-2023-0215, CVE-2022-4450, CVE-2022-4304, CVE-2022-4203, and CVE-2022-3996 OpenSSL High Finding

Scan Performed by Tenable.IO

Deployed in AWS GovCloud
Base OS RHEL 8.8

Mirth 4.4.0 docker deployment
output from docker exec -it ... /bin/bash -> openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Container locations found at
/var/lib/docker/overlay2/2c8b674dbcaeba17980b1e73ffbca5b22ddff4bbb2ec5a99d2eb39065e8fd5a5/diff/usr/bin/openssl
/var/lib/docker/overlay2/bd5700efed7d6206a58c205213a9d5205ac42759343c8a0f0975fba197057f85/merged/usr/bin/openssl
/var/lib/docker/overlay2/3f7d8dcc7c2f2c95be10b79b32cef72d6524b5a263a2e74b02d11363e5be755f/diff/usr/bin/openssl
/var/lib/docker/overlay2/56a86609a5c358b00335308a359f1488f072a6334a2581efff2500ec3ef757ee/diff/usr/bin/openssl
/var/lib/docker/overlay2/c4e78ad6d7d8cc176098872c6bacea5353bf9de0df17865d3b09ba7b439931c2/merged/usr/bin/openssl

The version of OpenSSL installed on the remote host is prior to 3.0.8. It is, therefore, affected by a denial of service (DoS) vulnerability. If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the -policy argument to the command line utilities or by calling either X509_VERIFY_PARAM_add0_policy() or X509_VERIFY_PARAM_set1_policies() functions.

  • There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network. (CVE-2023-0286)

  • If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the '-policy' argument to the command line utilities or by calling the 'X509_VERIFY_PARAM_set1_policies()' function. Update (31 March 2023): The description of the policy processing enablement was corrected based on CVE-2023-0466. (CVE-2022-3996)

  • A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. The read buffer overrun might result in a crash which could lead to a denial of service attack. In theory it could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext) although we are not aware of any working exploit leading to memory contents disclosure as of the time of release of this advisory. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. (CVE-2022-4203)

  • A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection. (CVE-2022-4304)

  • The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the name (e.g. CERTIFICATE), any header data and the payload data. If the function succeeds then the name_out, header and data arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue. (CVE-2022-4450)

Risk Information
RISK FACTOR: High
CVSS BASE SCORE: 7.1
CVSS TEMPORAL SCORE: 5.3
CVSS VECTOR: AV:N/AC:H/Au:N/C:C/I:N/A:C
CVSS TEMPORAL VECTOR: E:U/RL:OF/RC:C
CVSS3 BASE SCORE: 7.4
CVSS3 TEMPORAL SCORE: 6.4
CVSS3 VECTOR: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
CVSS3 TEMPORAL VECTOR: E:U/RL:O/RC:C
IVAM SEVERITY: I

Vulnerability Information
VULN PUBLISHED: 12/12/2022 at 4:00 PM
EXPLOITABILITY:
PATCH PUBLISHED: 12/12/2022 at 4:00 PM
CPE: cpe:/a:openssl:openssl

Reference Information
CVE: CVE-2023-0401, CVE-2023-0286, CVE-2023-0217, CVE-2023-0216, CVE-2023-0215, CVE-2022-4450, CVE-2022-4304, CVE-2022-4203, CVE-2022-3996
IAVA: 2022-A-0518-S

Wrapped java.lang.IllegalAccessException

Hello, I am having the following:

DETAILS: Wrapped java.lang.IllegalAccessException: class org.mozilla.javascript.MemberBox cannot access class sun.net.www.protocol.http.HttpURLConnection (in module java.base) because module java.base does not export sun.net.www.protocol.http to unnamed module @5990e6c5 at fba48cf7-a115-4a0c-975b-89020dc2aa7c_JavaScript_Filter_Transformer_0:213 (doTransform) at fba48cf7-a115-4a0c-975b-89020dc2aa7c_JavaScript_Filter_Transformer_0:1003 (doScript) at fba48cf7-a115-4a0c-975b-89020dc2aa7c_JavaScript_Filter_Transformer_0:1005 at com.mirth.connect.server.transformers.JavaScriptFilterTransformer$FilterTransformerTask.doCall(JavaScriptFilterTransformer.java:235) at com.mirth.connect.server.transformers.JavaScriptFilterTransformer$FilterTransformerTask.doCall(JavaScriptFilterTransformer.java:187) at com.mirth.connect.server.util.javascript.JavaScriptTask.call(JavaScriptTask.java:114) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) at java.base/java.lang.Thread.run(Thread.java:833)

Any ideas?

Dockerhub latest doesn't include latest from this repo

I'm running the connect:latest image and running into the error:

Postgres is unavailable. Aborting.

After a fair amount of troubleshooting, the issue appears to be that my database username does not match the database name itself. The entrypoint.sh script does not include the database name in the connection test it runs, so it tries to connect to a non-existent database matching the username.

This was very hard to troubleshoot because looking at the source here, entrypoint.sh does include the database name.

It seems that the nextgenhealthcare/connect:latest image on dockerhub was not actually built with the 3.8.1 tag on this repository?

Build using dockerfile fails with error

I'm trying to build a new docker image using the dockerfile provided in this repo and the build fails with an error. I would be more than grateful for some pointers on how to resolve it. I am using Azure DevOps pipelines to build the image, and here is the output...

2022-11-13T13:18:35.7456978Z ##[section]Starting: Build 2022-11-13T13:18:35.7466798Z ============================================================================== 2022-11-13T13:18:35.7467160Z Task : Docker 2022-11-13T13:18:35.7467472Z Description : Build, tag, push, or run Docker images, or run a Docker command 2022-11-13T13:18:35.7467842Z Version : 0.209.0 2022-11-13T13:18:35.7468076Z Author : Microsoft Corporation 2022-11-13T13:18:35.7468517Z Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/build/docker 2022-11-13T13:18:35.7468951Z ============================================================================== 2022-11-13T13:18:35.9428612Z [command]/usr/bin/docker pull openjdk:11-jre 2022-11-13T13:18:47.7479924Z 11-jre: Pulling from library/openjdk 2022-11-13T13:18:47.7480373Z 001c52e26ad5: Pulling fs layer 2022-11-13T13:18:47.7480695Z d9d4b9b6e964: Pulling fs layer 2022-11-13T13:18:47.7480990Z 2068746827ec: Pulling fs layer 2022-11-13T13:18:47.7481297Z 8510da692cda: Pulling fs layer 2022-11-13T13:18:47.7481696Z b6d84395b34d: Pulling fs layer 2022-11-13T13:18:47.7482000Z bf03fea6c3ad: Pulling fs layer 2022-11-13T13:18:47.7482278Z 8510da692cda: Waiting 2022-11-13T13:18:47.7482557Z b6d84395b34d: Waiting 2022-11-13T13:18:47.7482820Z bf03fea6c3ad: Waiting 2022-11-13T13:18:47.7483118Z d9d4b9b6e964: Verifying Checksum 2022-11-13T13:18:47.7483422Z d9d4b9b6e964: Download complete 2022-11-13T13:18:47.7483736Z 2068746827ec: Verifying Checksum 2022-11-13T13:18:47.7484037Z 2068746827ec: Download complete 2022-11-13T13:18:47.7484353Z b6d84395b34d: Verifying Checksum 2022-11-13T13:18:47.7484669Z b6d84395b34d: Download complete 2022-11-13T13:18:47.7484970Z 8510da692cda: Verifying Checksum 2022-11-13T13:18:47.7485293Z 8510da692cda: Download complete 2022-11-13T13:18:47.7485593Z 001c52e26ad5: Verifying Checksum 2022-11-13T13:18:47.7485905Z 001c52e26ad5: Download complete 2022-11-13T13:18:47.7486205Z bf03fea6c3ad: Verifying Checksum 2022-11-13T13:18:47.7486518Z 
bf03fea6c3ad: Download complete 2022-11-13T13:18:47.7486825Z 001c52e26ad5: Pull complete 2022-11-13T13:18:47.7487621Z d9d4b9b6e964: Pull complete 2022-11-13T13:18:47.7487922Z 2068746827ec: Pull complete 2022-11-13T13:18:47.7488207Z 8510da692cda: Pull complete 2022-11-13T13:18:47.7488503Z b6d84395b34d: Pull complete 2022-11-13T13:18:47.7488785Z bf03fea6c3ad: Pull complete 2022-11-13T13:18:47.7489269Z Digest: sha256:356949c3125c4fa8104745e7ea92bd995da4567634e6599b470d2f972d13e0e2 2022-11-13T13:18:47.7498076Z Status: Downloaded newer image for openjdk:11-jre 2022-11-13T13:18:47.7498808Z docker.io/library/openjdk:11-jre 2022-11-13T13:18:47.7503252Z [command]/usr/bin/docker inspect openjdk:11-jre 2022-11-13T13:18:47.7902435Z [ 2022-11-13T13:18:47.7903172Z { 2022-11-13T13:18:47.7903893Z "Id": "sha256:362cda5d270e81aabfbbbaf8fe7ebcc7633f38b7952a9f6bc7ef68397662f0f9", 2022-11-13T13:18:47.7904475Z "RepoTags": [ 2022-11-13T13:18:47.7905233Z "openjdk:11-jre" 2022-11-13T13:18:47.7905693Z ], 2022-11-13T13:18:47.7906103Z "RepoDigests": [ 2022-11-13T13:18:47.7906726Z "openjdk@sha256:356949c3125c4fa8104745e7ea92bd995da4567634e6599b470d2f972d13e0e2" 2022-11-13T13:18:47.7907292Z ], 2022-11-13T13:18:47.7907714Z "Parent": "", 2022-11-13T13:18:47.7908150Z "Comment": "", 2022-11-13T13:18:47.7908726Z "Created": "2022-08-02T05:53:43.164587048Z", 2022-11-13T13:18:47.7909378Z "Container": "5a1edda18bf0fb152d4a1144648601ae7d8dc87e808ec7c6a860d4d6604f7d3b", 2022-11-13T13:18:47.7909981Z "ContainerConfig": { 2022-11-13T13:18:47.7911502Z "Hostname": "", 2022-11-13T13:18:47.7911958Z "Domainname": "", 2022-11-13T13:18:47.7912388Z "User": "", 2022-11-13T13:18:47.7912846Z "AttachStdin": false, 2022-11-13T13:18:47.7913314Z "AttachStdout": false, 2022-11-13T13:18:47.7913773Z "AttachStderr": false, 2022-11-13T13:18:47.7914229Z "Tty": false, 2022-11-13T13:18:47.7914666Z "OpenStdin": false, 2022-11-13T13:18:47.7915665Z "StdinOnce": false, 2022-11-13T13:18:47.7916112Z "Env": [ 2022-11-13T13:18:47.7916821Z 
"PATH=/usr/local/openjdk-11/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 2022-11-13T13:18:47.7917541Z "JAVA_HOME=/usr/local/openjdk-11", 2022-11-13T13:18:47.7918139Z "LANG=C.UTF-8", 2022-11-13T13:18:47.7918604Z "JAVA_VERSION=11.0.16" 2022-11-13T13:18:47.7919062Z ], 2022-11-13T13:18:47.7919461Z "Cmd": [ 2022-11-13T13:18:47.7919888Z "/bin/sh", 2022-11-13T13:18:47.7920358Z "-c", 2022-11-13T13:18:47.7925974Z "set -eux; \t\tarch=\"$(dpkg --print-architecture)\"; \tcase \"$arch\" in \t\t'amd64') \t\t\tdownloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.16%2B8/OpenJDK11U-jre_x64_linux_11.0.16_8.tar.gz'; \t\t\t;; \t\t'arm64') \t\t\tdownloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.16%2B8/OpenJDK11U-jre_aarch64_linux_11.0.16_8.tar.gz'; \t\t\t;; \t\t*) echo >&2 \"error: unsupported architecture: '$arch'\"; exit 1 ;; \tesac; \t\twget --progress=dot:giga -O openjdk.tgz \"$downloadUrl\"; \twget --progress=dot:giga -O openjdk.tgz.asc \"$downloadUrl.sign\"; \t\texport GNUPGHOME=\"$(mktemp -d)\"; \tgpg --batch --keyserver keyserver.ubuntu.com --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \tgpg --batch --keyserver keyserver.ubuntu.com --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \tgpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \t\t| tee /dev/stderr \t\t| grep '0xA5CD6035332FA671' \t\t| grep 'Andrew Haley'; \tgpg --batch --verify openjdk.tgz.asc openjdk.tgz; \tgpgconf --kill all; \trm -rf \"$GNUPGHOME\"; \t\tmkdir -p \"$JAVA_HOME\"; \ttar --extract \t\t--file openjdk.tgz \t\t--directory \"$JAVA_HOME\" \t\t--strip-components 1 \t\t--no-same-owner \t; \trm openjdk.tgz*; \t\t{ \t\techo '#!/usr/bin/env bash'; \t\techo 'set -Eeuo pipefail'; \t\techo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth \"$JAVA_HOME/lib/security/cacerts\"'; 
\t} > /etc/ca-certificates/update.d/docker-openjdk; \tchmod +x /etc/ca-certificates/update.d/docker-openjdk; \t/etc/ca-certificates/update.d/docker-openjdk; \t\tfind \"$JAVA_HOME/lib\" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \tldconfig; \t\tjava -Xshare:dump; \t\tjava --version" 2022-11-13T13:18:47.7960023Z ], 2022-11-13T13:18:47.7960438Z "Image": "sha256:936a12cd69e4cacd92a98b99107eb88568b0a1295c50f5c6e4d79f218f82f6ab", 2022-11-13T13:18:47.7960845Z "Volumes": null, 2022-11-13T13:18:47.7961113Z "WorkingDir": "", 2022-11-13T13:18:47.7961381Z "Entrypoint": null, 2022-11-13T13:18:47.7961636Z "OnBuild": null, 2022-11-13T13:18:47.7961894Z "Labels": null 2022-11-13T13:18:47.7962118Z }, 2022-11-13T13:18:47.7962374Z "DockerVersion": "20.10.12", 2022-11-13T13:18:47.7962636Z "Author": "", 2022-11-13T13:18:47.7962874Z "Config": { 2022-11-13T13:18:47.7963106Z "Hostname": "", 2022-11-13T13:18:47.7963361Z "Domainname": "", 2022-11-13T13:18:47.7963611Z "User": "", 2022-11-13T13:18:47.7963854Z "AttachStdin": false, 2022-11-13T13:18:47.7964141Z "AttachStdout": false, 2022-11-13T13:18:47.7964412Z "AttachStderr": false, 2022-11-13T13:18:47.7964679Z "Tty": false, 2022-11-13T13:18:47.7964924Z "OpenStdin": false, 2022-11-13T13:18:47.7965196Z "StdinOnce": false, 2022-11-13T13:18:47.7965450Z "Env": [ 2022-11-13T13:18:47.7965996Z "PATH=/usr/local/openjdk-11/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 2022-11-13T13:18:47.7966498Z "JAVA_HOME=/usr/local/openjdk-11", 2022-11-13T13:18:47.7967010Z "LANG=C.UTF-8", 2022-11-13T13:18:47.7967488Z "JAVA_VERSION=11.0.16" 2022-11-13T13:18:47.7967733Z ], 2022-11-13T13:18:47.7967954Z "Cmd": [ 2022-11-13T13:18:47.7968184Z "bash" 2022-11-13T13:18:47.7968392Z ], 2022-11-13T13:18:47.7968770Z "Image": "sha256:936a12cd69e4cacd92a98b99107eb88568b0a1295c50f5c6e4d79f218f82f6ab", 2022-11-13T13:18:47.7969160Z "Volumes": null, 2022-11-13T13:18:47.7969421Z "WorkingDir": "", 
2022-11-13T13:18:47.7969673Z "Entrypoint": null, 2022-11-13T13:18:47.7969939Z "OnBuild": null, 2022-11-13T13:18:47.7970199Z "Labels": null 2022-11-13T13:18:47.7970500Z }, 2022-11-13T13:18:47.7970748Z "Architecture": "amd64", 2022-11-13T13:18:47.7971001Z "Os": "linux", 2022-11-13T13:18:47.7971257Z "Size": 302364726, 2022-11-13T13:18:47.7971525Z "VirtualSize": 302364726, 2022-11-13T13:18:47.7971803Z "GraphDriver": { 2022-11-13T13:18:47.7972039Z "Data": { 2022-11-13T13:18:47.7973182Z "LowerDir": "/var/lib/docker/overlay2/13602bb95b7ba3d255862356edfc11b439457e7de80f53c0152eec4c497363d1/diff:/var/lib/docker/overlay2/282b817aee808ff68393761476a9c5570e75758b28eb09a824793ade02b29e3e/diff:/var/lib/docker/overlay2/1d820239462a9eedfe2136839769a28297277bccc6601e5820816122b8a92cab/diff:/var/lib/docker/overlay2/c6e456b1205ae58c01f55902710835e93fd04651c9aeabfd976f60b47ce471cb/diff:/var/lib/docker/overlay2/d1f90259460f4c74cadda409ff0a3244f8e4eafa7379101e4a1f2a45f8065869/diff", 2022-11-13T13:18:47.7974524Z "MergedDir": "/var/lib/docker/overlay2/a8c8d11c9a8f0fcaffd8c1878cdeb9d9b037187f7cfbcd0abf6acac9c30afa2a/merged", 2022-11-13T13:18:47.7975157Z "UpperDir": "/var/lib/docker/overlay2/a8c8d11c9a8f0fcaffd8c1878cdeb9d9b037187f7cfbcd0abf6acac9c30afa2a/diff", 2022-11-13T13:18:47.7975757Z "WorkDir": "/var/lib/docker/overlay2/a8c8d11c9a8f0fcaffd8c1878cdeb9d9b037187f7cfbcd0abf6acac9c30afa2a/work" 2022-11-13T13:18:47.7976173Z }, 2022-11-13T13:18:47.7976410Z "Name": "overlay2" 2022-11-13T13:18:47.7976636Z }, 2022-11-13T13:18:47.7976860Z "RootFS": { 2022-11-13T13:18:47.7977094Z "Type": "layers", 2022-11-13T13:18:47.7977344Z "Layers": [ 2022-11-13T13:18:47.7977717Z "sha256:9c742cd6c7a5752ee36be8ecb14be45c0885e10e6dd34f26a9ae3eb096c5d492", 2022-11-13T13:18:47.7978249Z "sha256:03127cdb479b0f1eb8a9b0df8e8d72ead24979728d3c84ff645611b9d8790f94", 2022-11-13T13:18:47.7978781Z "sha256:293d5db30c9fcf33b65fa033e427fdd118464f9ea0c2a343a478a6e89c29140e", 2022-11-13T13:18:47.7979301Z 
"sha256:5c384ea5f75201f4bd074559d2abedc93f5effbed2007ae4801a0366dd0313f6", 2022-11-13T13:18:47.7979829Z "sha256:3dccaa93bb0ea3e36e3c9e44d15c7ede938045d79a85066573692ab2b663a939", 2022-11-13T13:18:47.7980342Z "sha256:5a7e7a88063484cc4c99cce9535cacfa1aff5b515d5cf5e7876184fdf70a33c0" 2022-11-13T13:18:47.7980712Z ] 2022-11-13T13:18:47.7980921Z }, 2022-11-13T13:18:47.7981135Z "Metadata": { 2022-11-13T13:18:47.7981531Z "LastTagTime": "0001-01-01T00:00:00Z" 2022-11-13T13:18:47.7981808Z } 2022-11-13T13:18:47.7982011Z } 2022-11-13T13:18:47.7982199Z ] 2022-11-13T13:18:47.7994974Z [command]/usr/bin/docker build -f /home/vsts/work/r1/a/zzz-CI-MICROSERVICE-NextGenConnectMirth/MICROSERVICE-NextGenConnectMirth/Dockerfile -t myACR.azurecr.io/mirth-connect:v5716 --label com.azure.dev.image.system.teamfoundationcollectionuri=https://dev.azure.com/zzz/ --label com.azure.dev.image.release.releaseid=657 --label image.base.ref.name=openjdk:11-jre --label image.base.digest=sha256:356949c3125c4fa8104745e7ea92bd995da4567634e6599b470d2f972d13e0e2 /home/vsts/work/r1/a/_zzz-CI-MICROSERVICE-NextGenConnectMirth/MICROSERVICE-NextGenConnectMirth 2022-11-13T13:18:47.8235083Z Sending build context to Docker daemon 263.2kB 2022-11-13T13:18:47.8236034Z 2022-11-13T13:18:47.8626838Z Step 1/27 : FROM openjdk:11-jre 2022-11-13T13:18:47.8628204Z ---> 362cda5d270e 2022-11-13T13:18:47.8629041Z Step 2/27 : RUN apt-get clean && apt-get update && apt-get install -y --no-install-recommends locales && sed -i 's/^# *\(en_US.UTF-8\)/\1/' /etc/locale.gen && locale-gen 2022-11-13T13:18:47.8835697Z ---> Running in 699b2644b583 2022-11-13T13:18:48.6295038Z Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB] 2022-11-13T13:18:48.6406500Z Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB] 2022-11-13T13:18:48.6409079Z Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB] 2022-11-13T13:18:48.7414158Z Get:4 http://deb.debian.org/debian bullseye/main amd64 Packages 
[8184 kB] 2022-11-13T13:18:48.8301919Z Get:5 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [194 kB] 2022-11-13T13:18:48.9266297Z Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [14.6 kB] 2022-11-13T13:18:49.8744319Z Fetched 8601 kB in 1s (6758 kB/s) 2022-11-13T13:18:50.3971180Z Reading package lists... 2022-11-13T13:18:50.9350905Z Reading package lists... 2022-11-13T13:18:51.0802967Z Building dependency tree... 2022-11-13T13:18:51.0803437Z Reading state information... 2022-11-13T13:18:51.2057240Z The following additional packages will be installed: 2022-11-13T13:18:51.2058018Z libc-l10n 2022-11-13T13:18:51.2237574Z The following NEW packages will be installed: 2022-11-13T13:18:51.2242491Z libc-l10n locales 2022-11-13T13:18:51.2644029Z 0 upgraded, 2 newly installed, 0 to remove and 21 not upgraded. 2022-11-13T13:18:51.2644539Z Need to get 4950 kB of archives. 2022-11-13T13:18:51.2644950Z After this operation, 20.9 MB of additional disk space will be used. 2022-11-13T13:18:51.2645826Z Get:1 http://deb.debian.org/debian bullseye-updates/main amd64 libc-l10n all 2.31-13+deb11u5 [865 kB] 2022-11-13T13:18:51.2749806Z Get:2 http://deb.debian.org/debian bullseye-updates/main amd64 locales all 2.31-13+deb11u5 [4086 kB] 2022-11-13T13:18:51.4080612Z �[91mdebconf: delaying package configuration, since apt-utils is not installed 2022-11-13T13:18:51.4372700Z �[0mFetched 4950 kB in 0s (74.4 MB/s) 2022-11-13T13:18:51.4500095Z Selecting previously unselected package libc-l10n. 2022-11-13T13:18:51.4522243Z (Reading database ... 2022-11-13T13:18:51.4522606Z (Reading database ... 5% 2022-11-13T13:18:51.4522900Z (Reading database ... 10% 2022-11-13T13:18:51.4523175Z (Reading database ... 15% 2022-11-13T13:18:51.4523465Z (Reading database ... 20% 2022-11-13T13:18:51.4523752Z (Reading database ... 25% 2022-11-13T13:18:51.4524025Z (Reading database ... 30% 2022-11-13T13:18:51.4524350Z (Reading database ... 
35% 2022-11-13T13:18:51.4524619Z (Reading database ... 40% 2022-11-13T13:18:51.4524904Z (Reading database ... 45% 2022-11-13T13:18:51.4525174Z (Reading database ... 50% 2022-11-13T13:18:51.4525456Z (Reading database ... 55% 2022-11-13T13:18:51.4525740Z (Reading database ... 60% 2022-11-13T13:18:51.4532220Z (Reading database ... 65% 2022-11-13T13:18:51.4539251Z (Reading database ... 70% 2022-11-13T13:18:51.4549025Z (Reading database ... 75% 2022-11-13T13:18:51.4555306Z (Reading database ... 80% 2022-11-13T13:18:51.4566695Z (Reading database ... 85% 2022-11-13T13:18:51.4572142Z (Reading database ... 90% 2022-11-13T13:18:51.4580193Z (Reading database ... 95% 2022-11-13T13:18:51.4580519Z (Reading database ... 100% 2022-11-13T13:18:51.4580897Z (Reading database ... 7890 files and directories currently installed.) 2022-11-13T13:18:51.4588572Z Preparing to unpack .../libc-l10n_2.31-13+deb11u5_all.deb ... 2022-11-13T13:18:51.4603300Z Unpacking libc-l10n (2.31-13+deb11u5) ... 2022-11-13T13:18:51.5507505Z Selecting previously unselected package locales. 2022-11-13T13:18:51.5522422Z Preparing to unpack .../locales_2.31-13+deb11u5_all.deb ... 2022-11-13T13:18:51.5536044Z Unpacking locales (2.31-13+deb11u5) ... 2022-11-13T13:18:51.9554168Z Setting up libc-l10n (2.31-13+deb11u5) ... 2022-11-13T13:18:51.9581326Z Setting up locales (2.31-13+deb11u5) ... 2022-11-13T13:18:52.0313834Z debconf: unable to initialize frontend: Dialog 2022-11-13T13:18:52.0314374Z debconf: (TERM is not set, so the dialog frontend is not usable.) 
2022-11-13T13:18:52.0314843Z debconf: falling back to frontend: Readline 2022-11-13T13:18:52.0321252Z debconf: unable to initialize frontend: Readline 2022-11-13T13:18:52.0323186Z debconf: (Can't locate Term/ReadLine.pm in @INC (you may need to install the Term::ReadLine module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.32.1 /usr/local/share/perl/5.32.1 /usr/lib/x86_64-linux-gnu/perl5/5.32 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.32 /usr/share/perl/5.32 /usr/local/lib/site_perl) at /usr/share/perl5/Debconf/FrontEnd/Readline.pm line 7.) 2022-11-13T13:18:52.0324739Z debconf: falling back to frontend: Teletype 2022-11-13T13:18:52.4335491Z Generating locales (this might take a while)... 2022-11-13T13:18:52.4422672Z Generation complete. 2022-11-13T13:18:52.4870050Z Generating locales (this might take a while)... 2022-11-13T13:18:54.2773795Z en_US.UTF-8... done 2022-11-13T13:18:54.2784326Z Generation complete. 2022-11-13T13:18:55.3148049Z Removing intermediate container 699b2644b583 2022-11-13T13:18:55.3149267Z ---> ebfa0406d0bb 2022-11-13T13:18:55.3149758Z Step 3/27 : ARG ARTIFACT 2022-11-13T13:18:55.3438985Z ---> Running in f1a557a4d292 2022-11-13T13:18:56.0283862Z Removing intermediate container f1a557a4d292 2022-11-13T13:18:56.0284616Z ---> 0819d72744b7 2022-11-13T13:18:56.0284956Z Step 4/27 : ENV LANG en_US.UTF-8 2022-11-13T13:18:56.0419776Z ---> Running in 5b3dc0c57432 2022-11-13T13:18:57.0296623Z Removing intermediate container 5b3dc0c57432 2022-11-13T13:18:57.0297331Z ---> 6920b6753dfe 2022-11-13T13:18:57.0297690Z Step 5/27 : ENV LANGUAGE en_US:en 2022-11-13T13:18:57.0486741Z ---> Running in 851c1cd0ef64 2022-11-13T13:18:58.0335553Z Removing intermediate container 851c1cd0ef64 2022-11-13T13:18:58.0354339Z ---> a32e260f663c 2022-11-13T13:18:58.0354922Z Step 6/27 : ENV LC_ALL en_US.UTF-8 2022-11-13T13:18:58.0487009Z ---> Running in b45dc486f7f9 2022-11-13T13:18:59.0342444Z Removing intermediate 
container b45dc486f7f9
2022-11-13T13:18:59.0343171Z ---> af0f08b461c8
2022-11-13T13:18:59.0343661Z Step 7/27 : RUN curl -SL $ARTIFACT | tar -xzC /opt && mv "/opt/Mirth Connect" /opt/connect
2022-11-13T13:18:59.0652668Z ---> Running in c5c0ed9876d5
2022-11-13T13:18:59.2832278Z curl: no URL specified!
2022-11-13T13:18:59.2837917Z curl: try 'curl --help' or 'curl --manual' for more information
2022-11-13T13:18:59.2857664Z
2022-11-13T13:18:59.2857970Z gzip: stdin: unexpected end of file
2022-11-13T13:18:59.2865247Z tar: Child returned status 1
2022-11-13T13:18:59.2865615Z tar: Error is not recoverable: exiting now
2022-11-13T13:18:59.4333913Z The command '/bin/sh -c curl -SL $ARTIFACT | tar -xzC /opt && mv "/opt/Mirth Connect" /opt/connect' returned a non-zero code: 2
2022-11-13T13:18:59.4389879Z ##[error]The command '/bin/sh -c curl -SL $ARTIFACT | tar -xzC /opt && mv "/opt/Mirth Connect" /opt/connect' returned a non-zero code: 2
2022-11-13T13:18:59.4407127Z ##[error]The process '/usr/bin/docker' failed with exit code 2
2022-11-13T13:18:59.4481149Z ##[section]Finishing: Build
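
The build above stops at Step 7/27 because the docker build command in the log carries no --build-arg for ARTIFACT, so curl runs with an empty URL and tar then chokes on an empty stream. The script below is an added example, not code from the connect-docker repository: it shows how that download step can refuse an empty or non-https ARTIFACT up front, and how the tarball can be pinned to a known SHA-256 before anything is extracted instead of being piped straight into tar. The ARTIFACT_SHA256 build-arg, the function names and the example.invalid URL are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not code from the connect-docker repository. It wraps the
# download step from the Dockerfile quoted in the log above
# (curl -SL $ARTIFACT | tar -xzC /opt) so that (1) an unset ARTIFACT build-arg
# fails with a clear message instead of curl's "no URL specified" followed by
# gzip/tar noise, and (2) the tarball is checked against a pinned SHA-256
# before anything is extracted. ARTIFACT_SHA256 is an assumed second build-arg.
set -eu

# Accept only a non-empty https URL for the artifact.
require_artifact_url() {
  case "${1:-}" in
    https://*) return 0 ;;
    '')        echo "error: ARTIFACT build-arg is empty; pass --build-arg ARTIFACT=https://..." >&2; return 1 ;;
    *)         echo "error: ARTIFACT must be an https URL, got '$1'" >&2; return 1 ;;
  esac
}

# Print the SHA-256 of a file; sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 1 (and explain) unless the file's digest equals the expected hex digest.
verify_sha256() {
  actual="$(sha256_of "$1")"
  if [ "$actual" != "$2" ]; then
    echo "error: digest mismatch for $1: expected $2, got $actual" >&2
    return 1
  fi
  return 0
}

# Download to a temp file, verify, then extract. Nothing is extracted on a
# mismatch, and the archive is never piped straight into tar.
fetch_verified_tarball() {
  url="$1"; expected="$2"; dest="$3"
  require_artifact_url "$url"
  tmp="$(mktemp)"
  # -f turns HTTP errors into a failure instead of "extracting" an error page;
  # --proto/--proto-redir keep the initial request and any redirect on https.
  curl -fsSL --proto '=https' --proto-redir '=https' --tlsv1.2 -o "$tmp" "$url"
  verify_sha256 "$tmp" "$expected"
  mkdir -p "$dest"
  tar -xzf "$tmp" -C "$dest"
  rm -f "$tmp"
}

# In the Dockerfile this would replace the single RUN line, for example:
#   ARG ARTIFACT
#   ARG ARTIFACT_SHA256
#   RUN fetch_verified_tarball "$ARTIFACT" "$ARTIFACT_SHA256" /opt \
#       && mv "/opt/Mirth Connect" /opt/connect
# and the pipeline must then supply both values:
#   docker build --build-arg ARTIFACT=https://example.invalid/connect.tar.gz \
#                --build-arg ARTIFACT_SHA256=<pinned hex digest> .
```

Pinning the digest in the pipeline (or in the Dockerfile next to the version) means a swapped or truncated download fails the build rather than producing an image that looks healthy; the two build-args are required, so a missing value is caught at the first step rather than surfacing as a gzip error.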

Creation of image using default Debian docker file fails with error "Unable to locate package mysql-community-client"

I am trying to install the docker image from scratch using the 3.11.0 Dockerfile in this repository.
I need to customize the dockerfile for some of my application specific needs.
But when I try to create an image using the Dockerfile provided with the other required files (e.g. Entrypoint.sh and mysql-apt-config_0.8.15-1_all) it first failed with the issue of "7 15.79 W: GPG error: http://repo.mysql.com/apt/ubuntu xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29". I fixed that issue as can be seen in the attached modified docker file by adding that key to the ubuntu secrets.
But then it keeps failing with the error "Unable to locate package mysql-community-client" on trying to install the same.
I need this because we are using MySQL 8.0 with new authentication mechanism that is not supported in the alpine images.

Is there any replacement installation for mysql-community-client that is part of the apt repository?
I am stuck currently because of this. So any help is appreciated!

Thanks
Dockerfile - Copy.txt

Security Vulnerabilities: Total: 208 (UNKNOWN: 2, LOW: 113, MEDIUM: 50, HIGH: 20, CRITICAL: 23)

Scan was completed with https://github.com/aquasecurity/trivy

Scanned

  • nextgenhealthcare/connect:latest-jdk
  • nextgenhealthcare/connect:latest-zulu-alpine
  • nextgenhealthcare/connect:latest

All returned the same result for the Java scan and varying results for the OS.

Java (jar)

Total: 89 (UNKNOWN: 1, LOW: 4, MEDIUM: 38, HIGH: 42, CRITICAL: 4)

+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
|                         LIBRARY                          | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                           TITLE                           |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| com.fasterxml.jackson.dataformat:jackson-dataformat-cbor | CVE-2020-28491   | HIGH     | 2.11.3            | 2.11.4, 2.12.1                 | jackson-dataformat-cbor:  Unchecked                       |
|                                                          |                  |          |                   |                                | allocation of byte buffer can                             |
|                                                          |                  |          |                   |                                | cause a java.lang.OutOfMemoryError                        |
|                                                          |                  |          |                   |                                | exception...                                              |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-28491                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| com.google.guava:guava                                   | CVE-2020-8908    | LOW      | 28.2-jre          |                           30.0 | guava: local information                                  |
|                                                          |                  |          |                   |                                | disclosure via temporary directory                        |
|                                                          |                  |          |                   |                                | created with unsafe permissions                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-8908                      |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| com.thoughtworks.xstream:xstream                         | CVE-2020-26217   | HIGH     | 1.4.12            | 1.4.14                         | XStream: remote code                                      |
|                                                          |                  |          |                   |                                | execution due to insecure XML                             |
|                                                          |                  |          |                   |                                | deserialization when relying on...                        |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-26217                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-26258   |          |                   | 1.4.15                         | XStream: Server-Side Forgery                              |
|                                                          |                  |          |                   |                                | Request vulnerability can be                              |
|                                                          |                  |          |                   |                                | activated when unmarshalling                              |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-26258                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-21341   |          |                   | 1.4.16                         | XStream: allow a remote attacker to                       |
|                                                          |                  |          |                   |                                | cause DoS only by manipulating the...                     |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21341                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-29505   |          |                   | 1.4.17                         | XStream: remote command                                   |
|                                                          |                  |          |                   |                                | execution attack by manipulating                          |
|                                                          |                  |          |                   |                                | the processed input stream                                |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-29505                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-39139   |          |                   | 1.4.18                         | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | Xalan xsltc.trax.TemplatesImpl                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39139                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39141   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | com.sun.xml.internal.ws.client.sei.*                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39141                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39144   |          |                   |                                | xstream: Arbitrary code                                   |
|                                                          |                  |          |                   |                                | execution via unsafe                                      |
|                                                          |                  |          |                   |                                | deserialization of sun.tracing.*                          |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39144                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39145   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | com.sun.jndi.ldap.LdapBindingEnumeration                  |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39145                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39146   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | javax.swing.UIDefaults$ProxyLazyValue                     |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39146                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39147   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | com.sun.jndi.ldap.LdapSearchEnumeration                   |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39147                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39148   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | com.sun.jndi.toolkit.dir.ContextEnumerator                |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39148                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39149   |          |                   |                                | xstream: Arbitrary code                                   |
|                                                          |                  |          |                   |                                | execution via unsafe                                      |
|                                                          |                  |          |                   |                                | deserialization of com.sun.corba.*                        |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39149                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39150   |          |                   |                                | xstream: Server-side request forgery                      |
|                                                          |                  |          |                   |                                | (SSRF) via unsafe deserialization of                      |
|                                                          |                  |          |                   |                                | com.sun.xml.internal.ws.client.sei.*                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39150                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39151   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | com.sun.jndi.ldap.LdapBindingEnumeration                  |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39151                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39152   |          |                   |                                | xstream: Server-side request forgery                      |
|                                                          |                  |          |                   |                                | (SSRF) via unsafe deserialization of                      |
|                                                          |                  |          |                   |                                | jdk.nashorn.internal.runtime.Source$URLData               |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39152                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39153   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | Xalan xsltc.trax.TemplatesImpl                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39153                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39154   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | javax.swing.UIDefaults$ProxyLazyValue                     |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39154                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-26259   | MEDIUM   |                   | 1.4.15                         | XStream: arbitrary file deletion on                       |
|                                                          |                  |          |                   |                                | the local host when unmarshalling                         |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-26259                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-21342   |          |                   | 1.4.16                         | XStream: SSRF via                                         |
|                                                          |                  |          |                   |                                | crafted input stream                                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21342                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21343   |          |                   |                                | XStream: arbitrary file                                   |
|                                                          |                  |          |                   |                                | deletion on the local host                                |
|                                                          |                  |          |                   |                                | via crafted input stream...                               |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21343                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21344   |          |                   |                                | XStream: Unsafe deserialization                           |
|                                                          |                  |          |                   |                                | of javax.sql.rowset.BaseRowSet                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21344                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21345   |          |                   |                                | XStream: Unsafe deserialization of                        |
|                                                          |                  |          |                   |                                | com.sun.corba.se.impl.activation.ServerTableEntry         |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21345                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21346   |          |                   |                                | XStream: Unsafe deserialization                           |
|                                                          |                  |          |                   |                                | of sun.swing.SwingLazyValue                               |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21346                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21347   |          |                   |                                | XStream: Unsafe deserialization of                        |
|                                                          |                  |          |                   |                                | com.sun.tools.javac.processing.JavacProcessingEnvironment |
|                                                          |                  |          |                   |                                | NameProcessIterator -->avd.aquasec.com/nvd/cve-2021-21347 |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21348   |          |                   |                                | XStream: ReDoS vulnerability                              |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21348                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21349   |          |                   |                                | XStream: SSRF can be activated                            |
|                                                          |                  |          |                   |                                | unmarshalling with XStream                                |
|                                                          |                  |          |                   |                                | to access data streams...                                 |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21349                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21350   |          |                   |                                | XStream: Unsafe deserialization of                        |
|                                                          |                  |          |                   |                                | com.sun.org.apache.bcel.internal.util.ClassLoader         |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21350                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21351   |          |                   |                                | XStream: allow a remote                                   |
|                                                          |                  |          |                   |                                | attacker to load and execute                              |
|                                                          |                  |          |                   |                                | arbitrary code from...                                    |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21351                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-39140   |          |                   | 1.4.18                         | xstream: Infinite loop DoS                                |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | sun.reflect.annotation.AnnotationInvocationHandler        |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39140                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| commons-beanutils:commons-beanutils                      | CVE-2019-10086   | HIGH     | 1.9.3             | 1.9.4                          | apache-commons-beanutils: does                            |
|                                                          |                  |          |                   |                                | not suppresses the class property                         |
|                                                          |                  |          |                   |                                | in PropertyUtilsBean by default                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-10086                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| commons-fileupload:commons-fileupload                    | CVE-2016-1000031 | CRITICAL | 1.2.1             | 1.3.3                          | Apache Commons FileUpload:                                |
|                                                          |                  |          |                   |                                | DiskFileItem file manipulation                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2016-1000031                   |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2013-2186    | HIGH     |                   | 1.3.1                          | Apache commons-fileupload: Arbitrary                      |
|                                                          |                  |          |                   |                                | file upload via deserialization                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2013-2186                      |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2014-0050    |          |                   |                                | apache-commons-fileupload: denial                         |
|                                                          |                  |          |                   |                                | of service due to too-small buffer                        |
|                                                          |                  |          |                   |                                | size used by MultipartStream...                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2014-0050                      |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2016-3092    |          |                   | 1.3.2                          | tomcat: Usage of vulnerable                               |
|                                                          |                  |          |                   |                                | FileUpload package can result                             |
|                                                          |                  |          |                   |                                | in denial of service...                                   |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2016-3092                      |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2013-0248    | LOW      |                   |                            1.3 | jakarta-commons-fileupload,                               |
|                                                          |                  |          |                   |                                | apache-commons-fileupload: /tmp                           |
|                                                          |                  |          |                   |                                | directory used by default for                             |
|                                                          |                  |          |                   |                                | uploaded files (possibility to...                         |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2013-0248                      |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| commons-httpclient:commons-httpclient                    | CVE-2012-5783    | MEDIUM   | 3.0.1             |                                | jakarta-commons-httpclient:                               |
|                                                          |                  |          |                   |                                | missing connection hostname check                         |
|                                                          |                  |          |                   |                                | against X.509 certificate name                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2012-5783                      |
+----------------------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------------------------+
| commons-io:commons-io                                    | CVE-2021-29425   |          |               2.6 |                            2.7 | apache-commons-io: Limited                                |
|                                                          |                  |          |                   |                                | path traversal in Apache                                  |
|                                                          |                  |          |                   |                                | Commons IO 2.2 to 2.6                                     |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-29425                     |
+----------------------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------------------------+
| io.netty:netty-codec                                     | CVE-2021-37136   |          | 4.1.53.Final      | 4.1.68.Final                   | netty-codec: Bzip2Decoder                                 |
|                                                          |                  |          |                   |                                | doesn't allow setting size                                |
|                                                          |                  |          |                   |                                | restrictions for decompressed data                        |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-37136                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-37137   |          |                   |                                | netty-codec: SnappyFrameDecoder                           |
|                                                          |                  |          |                   |                                | doesn't restrict chunk length and                         |
|                                                          |                  |          |                   |                                | may buffer skippable chunks in...                         |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-37137                     |
+----------------------------------------------------------+------------------+          +                   +--------------------------------+-----------------------------------------------------------+
| io.netty:netty-codec-http                                | CVE-2021-21290   |          |                   | 4.1.59.Final                   | netty: Information disclosure via                         |
|                                                          |                  |          |                   |                                | the local system temporary directory                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21290                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-43797   |          |                   | 4.1.71.Final                   | netty: control chars in header names                      |
|                                                          |                  |          |                   |                                | may lead to HTTP request smuggling...                     |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-43797                     |
+----------------------------------------------------------+------------------+          +                   +--------------------------------+-----------------------------------------------------------+
| io.netty:netty-codec-http2                               | CVE-2021-21295   |          |                   | 4.1.60.Final                   | netty: possible request smuggling                         |
|                                                          |                  |          |                   |                                | in HTTP/2 due missing validation                          |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21295                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-21409   |          |                   | 4.1.61.Final                   | netty: Request smuggling                                  |
|                                                          |                  |          |                   |                                | via content-length header                                 |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21409                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| log4j:log4j                                              | CVE-2019-17571   | CRITICAL | 1.2.16            | 2.0-alpha1                     | log4j: deserialization of                                 |
|                                                          |                  |          |                   |                                | untrusted data in SocketServer                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-17571                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2022-23307   |          |                   |                                | log4j: Unsafe deserialization                             |
|                                                          |                  |          |                   |                                | flaw in Chainsaw log viewer                               |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-23307                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-4104    | HIGH     |                   |                                | log4j: Remote code execution                              |
|                                                          |                  |          |                   |                                | in Log4j 1.x when application                             |
|                                                          |                  |          |                   |                                | is configured to...                                       |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-4104                      |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2022-23302   | MEDIUM   |                   |                                | log4j: Remote code execution                              |
|                                                          |                  |          |                   |                                | in Log4j 1.x when application                             |
|                                                          |                  |          |                   |                                | is configured to...                                       |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-23302                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2022-23305   |          |                   |                                | log4j: SQL injection in                                   |
|                                                          |                  |          |                   |                                | Log4j 1.x when application                                |
|                                                          |                  |          |                   |                                | is configured to use...                                   |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-23305                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-9488    | LOW      |                   | 2.13.2                         | log4j: improper validation                                |
|                                                          |                  |          |                   |                                | of certificate with host                                  |
|                                                          |                  |          |                   |                                | mismatch in SMTP appender                                 |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9488                      |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | GMS-2021-5       | UNKNOWN  |                   | 2.15.0-rc1                     | Improper Neutralization                                   |
|                                                          |                  |          |                   |                                | of Special Elements in                                    |
|                                                          |                  |          |                   |                                | Output Used by a Downstream                               |
|                                                          |                  |          |                   |                                | Component...                                              |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| mysql:mysql-connector-java                               | CVE-2020-2934    | MEDIUM   | 8.0.16            | 5.1.49, 8.0.20                 | mysql-connector-java: allows                              |
|                                                          |                  |          |                   |                                | unauthenticated attacker with                             |
|                                                          |                  |          |                   |                                | network access via multiple                               |
|                                                          |                  |          |                   |                                | protocols to compromise...                                |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-2934                      |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| org.apache.commons:commons-compress                      | CVE-2019-12402   | HIGH     |              1.17 |                           1.19 | apache-commons-compress: Infinite                         |
|                                                          |                  |          |                   |                                | loop in name encoding algorithm                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-12402                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-35515   |          |                   |                           1.21 | apache-commons-compress:                                  |
|                                                          |                  |          |                   |                                | infinite loop when reading a                              |
|                                                          |                  |          |                   |                                | specially crafted 7Z archive                              |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-35515                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-35516   |          |                   |                                | apache-commons-compress: excessive                        |
|                                                          |                  |          |                   |                                | memory allocation when reading                            |
|                                                          |                  |          |                   |                                | a specially crafted 7Z archive                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-35516                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-35517   |          |                   |                                | apache-commons-compress: excessive                        |
|                                                          |                  |          |                   |                                | memory allocation when reading                            |
|                                                          |                  |          |                   |                                | a specially crafted TAR archive                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-35517                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-36090   |          |                   |                                | apache-commons-compress: excessive                        |
|                                                          |                  |          |                   |                                | memory allocation when reading                            |
|                                                          |                  |          |                   |                                | a specially crafted ZIP archive                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-36090                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2018-11771   | MEDIUM   |                   |                           1.18 | apache-commons-compress:                                  |
|                                                          |                  |          |                   |                                | ZipArchiveInputStream.read()                              |
|                                                          |                  |          |                   |                                | fails to identify correct EOF                             |
|                                                          |                  |          |                   |                                | allowing for DoS via crafted...                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-11771                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| org.apache.commons:commons-email                         | CVE-2017-9801    | HIGH     | 1.3.1             |                            1.5 | SMTP header injection vulnerabilty                        |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-9801                      |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2018-1294    |          |                   |                                | Improper Input Validation                                 |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-1294                      |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| org.apache.derby:derby                                   | CVE-2015-1832    | CRITICAL | 10.10.2.0         | 10.12.1.1                      | Apache Derby: XXE attack possible by                      |
|                                                          |                  |          |                   |                                | using XmlVTI and the XML datatype...                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2015-1832                      |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2018-1313    | MEDIUM   |                   | 10.14.2.0                      | derby: Externally-controlled                              |
|                                                          |                  |          |                   |                                | input vulnerability allows remote                         |
|                                                          |                  |          |                   |                                | attacker to boot a database under...                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-1313                      |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| org.apache.velocity:velocity-engine-core                 | CVE-2020-13936   | HIGH     |               2.2 |                            2.3 | velocity: arbitrary code                                  |
|                                                          |                  |          |                   |                                | execution when attacker is                                |
|                                                          |                  |          |                   |                                | able to modify templates                                  |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-13936                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| org.bouncycastle:bcprov-ext-jdk15on                      | CVE-2020-15522   | MEDIUM   |              1.57 |                           1.66 | bouncycastle: Timing issue                                |
|                                                          |                  |          |                   |                                | within the EC math library                                |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-15522                     |
+----------------------------------------------------------+                  +          +                   +                                +                                                           +
| org.bouncycastle:bcprov-jdk15on                          |                  |          |                   |                                |                                                           |
|                                                          |                  |          |                   |                                |                                                           |
|                                                          |                  |          |                   |                                |                                                           |
+----------------------------------------------------------+                  +          +-------------------+                                +                                                           +
| org.bouncycastle:bcprov-jdk16                            |                  |          |              1.44 |                                |                                                           |
|                                                          |                  |          |                   |                                |                                                           |
|                                                          |                  |          |                   |                                |                                                           |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-26939   |          |                   |                           1.61 | Observable Differences in Behavior                        |
|                                                          |                  |          |                   |                                | to Error Inputs in Bouncy Castle                          |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-26939                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| org.eclipse.jetty:jetty-http                             | CVE-2020-27216   | HIGH     | 9.4.21.v20190926  | 9.3.29.v20201019,              | jetty: local temporary directory                          |
|                                                          |                  |          |                   | 9.4.32.v20200930, 11.0.1       | hijacking vulnerability                                   |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27216                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-28165   |          |                   | 9.4.39.v20210325, 10.0.2,      | jetty: Resource exhaustion when                           |
|                                                          |                  |          |                   | 11.0.2                         | receiving an invalid large TLS frame                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-28165                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2019-17632   | MEDIUM   |                   | 9.4.24.v20191120               | jetty: generation of default                              |
|                                                          |                  |          |                   |                                | unhandled error response content                          |
|                                                          |                  |          |                   |                                | does not escape exception...                              |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-17632                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-27223   |          |                   | 9.4.36.v20210114, 11.0.1       | jetty: request containing                                 |
|                                                          |                  |          |                   |                                | multiple Accept headers with                              |
|                                                          |                  |          |                   |                                | a large number of "quality"...                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27223                     |
+----------------------------------------------------------+------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
| org.eclipse.jetty:jetty-io                               | CVE-2021-28165   | HIGH     |                   | 9.4.39.v20210325, 10.0.2,      | jetty: Resource exhaustion when                           |
|                                                          |                  |          |                   | 11.0.2                         | receiving an invalid large TLS frame                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-28165                     |
+----------------------------------------------------------+------------------+          +                   +--------------------------------+-----------------------------------------------------------+
| org.eclipse.jetty:jetty-server                           | CVE-2020-27216   |          |                   | 9.3.29.v20201019,              | jetty: local temporary directory                          |
|                                                          |                  |          |                   | 9.4.32.v20200930, 11.0.1       | hijacking vulnerability                                   |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27216                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-28165   |          |                   | 9.4.39.v20210325, 10.0.2,      | jetty: Resource exhaustion when                           |
|                                                          |                  |          |                   | 11.0.2                         | receiving an invalid large TLS frame                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-28165                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2019-17632   | MEDIUM   |                   | 9.4.24.v20191120               | jetty: generation of default                              |
|                                                          |                  |          |                   |                                | unhandled error response content                          |
|                                                          |                  |          |                   |                                | does not escape exception...                              |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-17632                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-27218   |          |                   | 9.4.35.v20201120, 11.0.1       | jetty: buffer not correctly                               |
|                                                          |                  |          |                   |                                | recycled in Gzip Request inflation                        |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27218                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-27223   |          |                   | 9.4.36.v20210114, 11.0.1       | jetty: request containing                                 |
|                                                          |                  |          |                   |                                | multiple Accept headers with                              |
|                                                          |                  |          |                   |                                | a large number of "quality"...                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27223                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-34428   | LOW      |                   | 9.4.40.v20210413, 10.0.3,      | jetty: SessionListener can                                |
|                                                          |                  |          |                   | 11.0.3                         | prevent a session from being                              |
|                                                          |                  |          |                   |                                | invalidated breaking logout                               |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-34428                     |
+----------------------------------------------------------+------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
| org.eclipse.jetty:jetty-util                             | CVE-2020-27216   | HIGH     |                   | 9.3.29.v20201019,              | jetty: local temporary directory                          |
|                                                          |                  |          |                   | 9.4.32.v20200930, 11.0.1       | hijacking vulnerability                                   |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27216                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-28165   |          |                   | 9.4.39.v20210325, 10.0.2,      | jetty: Resource exhaustion when                           |
|                                                          |                  |          |                   | 11.0.2                         | receiving an invalid large TLS frame                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-28165                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-27223   | MEDIUM   |                   | 9.4.36.v20210114, 10.0.1,      | jetty: request containing                                 |
|                                                          |                  |          |                   | 11.0.1                         | multiple Accept headers with                              |
|                                                          |                  |          |                   |                                | a large number of "quality"...                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27223                     |
+----------------------------------------------------------+------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
| org.eclipse.jetty:jetty-webapp                           | CVE-2020-27216   | HIGH     |                   | 9.3.29, 9.4.33, 11.0.1         | jetty: local temporary directory                          |
|                                                          |                  |          |                   |                                | hijacking vulnerability                                   |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27216                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-27218   | MEDIUM   |                   | 9.4.35.v20201120, 11.0.1       | jetty: buffer not correctly                               |
|                                                          |                  |          |                   |                                | recycled in Gzip Request inflation                        |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27218                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| org.mybatis:mybatis                                      | CVE-2020-26945   | HIGH     | 3.1.1             | 3.5.6                          | mybatis: mishandles deserialization                       |
|                                                          |                  |          |                   |                                | of object streams which could                             |
|                                                          |                  |          |                   |                                | result in remote code...                                  |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-26945                     |
+----------------------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------------------------+
| xerces:xercesImpl                                        | CVE-2012-0881    |          | 2.9.1             | 2.12.0                         | xml: xerces-j2 hash table collisions                      |
|                                                          |                  |          |                   |                                | CPU usage DoS (oCERT-2011-003)                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2012-0881                      |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2013-4002    |          |                   |                                | Xerces-J2 OpenJDK: XML parsing                            |
|                                                          |                  |          |                   |                                | Denial of Service (JAXP, 8017298)                         |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2013-4002                      |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2009-2625    | MEDIUM   |                   | 2.10.0                         | xerces-j2, JDK: XML parsing                               |
|                                                          |                  |          |                   |                                | Denial-Of-Service (6845701)                               |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2009-2625                      |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2022-23437   |          |                   | 2.12.2                         | xerces-j2: infinite loop                                  |
|                                                          |                  |          |                   |                                | when handling specially                                   |
|                                                          |                  |          |                   |                                | crafted XML document payloads                             |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-23437                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+

Docker run exited: Can't read /opt/connect/conf/mirth.properties: Permission denied

OS: Ubuntu Server 16.04.6
Docker version: 19.03.6

The "docker run" command that is on the Nextgen Docker Hub starts the container, but it exits immediately after starting with the following error: sed: can't read /opt/connect/conf/mirth.properties: Permission denied. This problem has been occurring since this week (19/02/2020) and occurs on multiple servers.

Nextgen issue

Version 3.8.0 starts without errors.
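The error in the issue above is the entrypoint's sed being denied read access to a file inside the container. When that file comes from a host bind mount, the usual cause is that the host file's mode bits do not grant read to the uid/gid the container process runs as. The following is an added diagnostic, not code from the connect-docker project or from the issue author: a POSIX sh check that reproduces the kernel's owner/group/other decision for a given uid/gid, including the search (x) bit on every ancestor directory, so you can test a host path before mounting it. It assumes GNU coreutils stat -c (Linux); the uid/gid values and the temporary file in the usage call are assumptions for illustration, since the page does not say which user the image runs as.

```shell
#!/bin/sh
# Added example, not part of connect-docker: decide whether a host file
# (e.g. a mirth.properties you bind-mount into the container) is readable
# by a given uid/gid, using the same owner/group/other rule the kernel
# applies. Assumes GNU coreutils `stat -c` (Linux). Mode bits only: ACLs,
# SELinux/AppArmor labels and capabilities are not considered.

# bit_set DIGIT BIT: succeed if permission BIT (4=r, 2=w, 1=x) is set in
# the single octal DIGIT.
bit_set() {
  [ $(( $1 & $2 )) -ne 0 ]
}

# perm_for PATH UID GID BIT: succeed if UID/GID holds BIT on PATH.
perm_for() {
  p=$1; u=$2; g=$3; b=$4
  # uid 0 bypasses discretionary mode bits entirely
  [ "$u" -eq 0 ] && return 0
  out=$(stat -c '%a %u %g' "$p") || return 1
  set -- $out
  m=$1; owner=$2; group=$3
  # normalise to exactly three digits: pad "0" -> "000", and drop a leading
  # setuid/setgid/sticky digit such as the "1" in "1777"
  while [ ${#m} -lt 3 ]; do m="0$m"; done
  m=${m#"${m%???}"}
  # the kernel picks exactly one class: owner, else group, else other
  if [ "$u" -eq "$owner" ]; then
    d=${m%??}                  # owner digit
  elif [ "$g" -eq "$group" ]; then
    d=${m#?}; d=${d%?}         # group digit
  else
    d=${m#??}                  # other digit
  fi
  bit_set "$d" "$b"
}

# readable_by PATH UID GID: succeed (and say so) if the file has the read
# bit and every ancestor directory has the search bit for UID/GID.
readable_by() {
  f=$1; ruid=$2; rgid=$3
  case $f in /*) ;; *) f=$PWD/$f ;; esac
  if [ ! -e "$f" ]; then
    echo "$f: does not exist"; return 2
  fi
  if ! perm_for "$f" "$ruid" "$rgid" 4; then
    echo "$f: no read bit for uid=$ruid gid=$rgid"; return 1
  fi
  dir=$(dirname "$f")
  while :; do
    if ! perm_for "$dir" "$ruid" "$rgid" 1; then
      echo "$dir: no search (x) bit for uid=$ruid gid=$rgid"; return 1
    fi
    [ "$dir" = / ] && break
    dir=$(dirname "$dir")
  done
  echo "$f: readable by uid=$ruid gid=$rgid"
  return 0
}

# Usage (assumed host path and uid/gid, for illustration only):
#   readable_by /srv/mirth/conf/mirth.properties 1000 1000
```

Run it with the uid/gid the container's entrypoint actually uses; a uid of 0 always passes because root ignores mode bits, so a container that drops privileges needs the dropped uid here. The verdict covers mode bits only, so a file that passes can still be unreadable because of POSIX ACLs, SELinux or AppArmor labels on the bind mount, or a user namespace remapping the container's uid on the host.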
