From 7a6cbe96194f011e8b43d3f0167a2568390dcc01 Mon Sep 17 00:00:00 2001
From: Sunny Wu
Date: Wed, 25 Feb 2026 16:11:45 +1100
Subject: [PATCH 1/2] Upgrade gnutls to fix CVE-2026-1584 vulnerability

Add explicit gnutls upgrade in Dockerfile to address HIGH severity vulnerability CVE-2026-1584 in gnutls 3.8.11-r0 (fixed in 3.8.12-r0) in the alpine base image. The vulnerability allows Remote Denial of Service via crafted ClientHello with invalid PSK.

Jira: UID2-6655

Co-Authored-By: Claude Sonnet 4.6
---
 Dockerfile | 2 +-
 scripts/azure-cc/Dockerfile | 2 +-
 scripts/gcp-oidc/Dockerfile | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 5fb795c79..2c0dcf800 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@
 FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 # For Amazon Corretto Crypto Provider
-RUN apk add --no-cache gcompat
+RUN apk add --no-cache --upgrade gnutls gcompat
 WORKDIR /app
 EXPOSE 8080
diff --git a/scripts/azure-cc/Dockerfile b/scripts/azure-cc/Dockerfile
index 7a2880aa3..c9c20cbde 100644
--- a/scripts/azure-cc/Dockerfile
+++ b/scripts/azure-cc/Dockerfile
@@ -2,7 +2,7 @@
 FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 # Install necessary packages and set up virtual environment
-RUN apk update && apk add --no-cache jq python3 py3-pip && \
+RUN apk update && apk add --no-cache --upgrade gnutls && apk add --no-cache jq python3 py3-pip && \
 python3 -m venv /venv && \
 . /venv/bin/activate && \
 pip install --no-cache-dir requests azure-identity azure-keyvault-secrets && \
diff --git a/scripts/gcp-oidc/Dockerfile b/scripts/gcp-oidc/Dockerfile
index 7bc63c787..e0320353f 100644
--- a/scripts/gcp-oidc/Dockerfile
+++ b/scripts/gcp-oidc/Dockerfile
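Review bot: The new `RUN apk add --no-cache --upgrade gnutls gcompat` line carries no version constraint, so the fix is not verifiable at build time: with a digest-pinned base the image picks up whatever gnutls the Alpine index serves when the build runs, and if the index still offers 3.8.11-r0 the `--upgrade` succeeds while leaving the vulnerable package in place (hadolint DL3018 flags the unpinned add). Since the commit message already names the fixed release, constrain the package so a stale index fails the build instead of passing it, `RUN apk add --no-cache --upgrade 'gnutls>=3.8.12-r0' gcompat`; the azure-cc and gcp-oidc hunks in this patch have the same gap. Patch 2/2 of this series reverts all three lines, so this only matters if the upgrade approach is kept over the ignore entry.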
@@ -5,7 +5,7 @@ LABEL "tee.launch_policy.allow_env_override"="API_TOKEN_SECRET_NAME,DEPLOYMENT_E
 LABEL "tee.launch_policy.log_redirect"="always"
 # Install Packages
-RUN apk update && apk add --no-cache --upgrade libpng && apk add --no-cache jq python3 py3-pip && \
+RUN apk update && apk add --no-cache --upgrade libpng gnutls && apk add --no-cache jq python3 py3-pip && \
 python3 -m venv /venv && \
 . /venv/bin/activate && \
 pip install --no-cache-dir google-cloud-secret-manager google-auth google-api-core packaging && \

From e1fdd9b3118b5ada5bd4bad2ea797c49f98985bf Mon Sep 17 00:00:00 2001
From: Sunny Wu
Date: Fri, 27 Feb 2026 11:42:05 +1100
Subject: [PATCH 2/2] UID2-6655: Add CVE-2026-1584 to .trivyignore instead of upgrading gnutls

gnutls is an OS-level library present in the alpine base image but is not used by our Java service. Upgrading it via apk introduces unnecessary risk of breaking system-level dependencies. The vulnerability (Remote DoS via crafted ClientHello) has no impact on our software.

CVE-2026-1584 exp:2026-08-27

Co-Authored-By: Claude Sonnet 4.6
---
 .trivyignore | 6 +++++-
 Dockerfile | 2 +-
 scripts/azure-cc/Dockerfile | 2 +-
 scripts/gcp-oidc/Dockerfile | 2 +-
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index 999b72643..1ef9b557f 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -6,4 +6,8 @@
 CVE-2025-66293 exp:2026-06-15
 # UID2-6481
-CVE-2025-68973 exp:2026-06-15
\ No newline at end of file
+CVE-2025-68973 exp:2026-06-15
+
+# gnutls DoS vulnerability via crafted ClientHello - not impactful as gnutls is not used by our Java service
+# See: UID2-6655
+CVE-2026-1584 exp:2026-08-27
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 2c0dcf800..5fb795c79 100644
--- a/Dockerfile
+++ b/Dockerfile
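Review bot: The new ignore entry records the conclusion ("gnutls is not used by our Java service") but not how it was established, and a `.trivyignore` rule applies to every image this repository scans, including the azure-cc and gcp-oidc images whose RUN lines in this same series add python3, pip and a set of cloud SDK packages on top of the JVM. Extend the comment with the evidence so an auditor can re-check it, e.g. `# Verified: apk info -r gnutls lists no reverse dependencies in any of the three images` — and if that has not actually been run, run it before merging, since "not used by the Java service" says nothing about what else in the image links libgnutls. Because the base is pinned by digest, nothing will move the fixed 3.8.12-r0 into the image on its own (short of an `apk add` pulling it as a dependency), so the `exp:2026-08-27` date should be paired with a planned base-digest bump under UID2-6655 rather than left as a date at which the finding simply reappears. The new last line again ends with `\ No newline at end of file`, the same defect this hunk corrects on the previous entry; terminate the file with a newline so the next addition is a clean one-line diff.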
@@ -2,7 +2,7 @@
 FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 # For Amazon Corretto Crypto Provider
-RUN apk add --no-cache --upgrade gnutls gcompat
+RUN apk add --no-cache gcompat
 WORKDIR /app
 EXPOSE 8080
diff --git a/scripts/azure-cc/Dockerfile b/scripts/azure-cc/Dockerfile
index c9c20cbde..7a2880aa3 100644
--- a/scripts/azure-cc/Dockerfile
+++ b/scripts/azure-cc/Dockerfile
@@ -2,7 +2,7 @@
 FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 # Install necessary packages and set up virtual environment
-RUN apk update && apk add --no-cache --upgrade gnutls && apk add --no-cache jq python3 py3-pip && \
+RUN apk update && apk add --no-cache jq python3 py3-pip && \
 python3 -m venv /venv && \
 . /venv/bin/activate && \
 pip install --no-cache-dir requests azure-identity azure-keyvault-secrets && \
diff --git a/scripts/gcp-oidc/Dockerfile b/scripts/gcp-oidc/Dockerfile
index e0320353f..7bc63c787 100644
--- a/scripts/gcp-oidc/Dockerfile
+++ b/scripts/gcp-oidc/Dockerfile
@@ -5,7 +5,7 @@ LABEL "tee.launch_policy.allow_env_override"="API_TOKEN_SECRET_NAME,DEPLOYMENT_E
 LABEL "tee.launch_policy.log_redirect"="always"
 # Install Packages
-RUN apk update && apk add --no-cache --upgrade libpng gnutls && apk add --no-cache jq python3 py3-pip && \
+RUN apk update && apk add --no-cache --upgrade libpng && apk add --no-cache jq python3 py3-pip && \
 python3 -m venv /venv && \
 . /venv/bin/activate && \
 pip install --no-cache-dir google-cloud-secret-manager google-auth google-api-core packaging && \
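Review bot: The retained `apk add --no-cache --upgrade libpng` on the new RUN line of the gcp-oidc hunk is exactly the pattern the commit message describes as "unnecessary risk of breaking system-level dependencies" when applied to gnutls, so the stated rationale for the revert does not match what this file already does. Either a targeted apk upgrade is an accepted practice here — in which case the gnutls decision rests on the "not used" argument alone and the message should say so — or the libpng upgrade carries the same risk and deserves the same treatment; the Dockerfile and azure-cc hunks in this patch return to a plain install and do not have this inconsistency. The RUN instruction continues past the end of the hunk.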