Old vulnerabilities

I’m new to Jenkins and trying to update an inherited existing installation, which is based on docker image jenkins/jenkins:2.426.1-lts-jdk11. Upgrading to the latest LTS image version, jenkins/jenkins:2.492.1-lts-jdk17 took a while, but seems to have gone ok.

However, if I were to pull that 2.492.1 image from Docker Hub and push it into AWS ECR with no changes, where AWS does an automated scan, it tells me the image has three critical vulnerabilities:

CVE-2020-10683
CVE-2019-17571
CVE-2022-23305

Bearing in mind the age of those CVEs, is it really true that the latest LTS image of Jenkins has such old vulnerabilities?

No, those are not vulnerabilities in Jenkins. The “Reporting Jenkins security vulnerabilities” page says:

We do not consider the following issues to be vulnerabilities in Jenkins (core + plugins):

  • Vulnerabilities in dependencies without a plausible or demonstrated exploit will not be treated as vulnerabilities. While we may inform maintainers about the need to update their dependencies and track progress in the SECURITY Jira project, no security advisory will be published for these.

Since the Jenkins project did not report a security advisory for any of those three CVEs, you can be confident that Jenkins is not vulnerable to those issues.

You may also want to advise Amazon that there may be an issue with their scanner. They are flagging an issue in the dom4j jar file but the CVE reports that the issue is only in dom4j-2.1.3 and earlier. Jenkins 2.492.2 includes dom4j 2.1.4.

If container image scanning results are a significant concern in your organization, you may want to switch from jenkins/jenkins:2.492.1-lts-jdk17 to jenkins/jenkins:2.492.1-lts-rhel-ubi9-jdk17 or jenkins/jenkins:2.492.1-lts-rhel-ubi9-jdk21. Scanners report fewer vulnerabilities in the UBI-9 base image than in the Debian base image. Likewise, the Alpine container images have fewer issues reported by scanners, if scanner-reported issues are important to your organization.
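As an added example, not part of the question or the answer above: the answer's point is that a scanner matched a jar by name without checking whether the bundled version is actually inside the CVE's affected range, and that is something you can verify yourself before filing a false positive. The POSIX shell script below extracts the version of a named artifact from a `jar tf` listing of jenkins.war and compares it, component by component, against the highest affected version the finding claims. The two listings are constructed here so the script runs offline; against a real image you would generate the listing with the `docker run` command in the comment. The war path `/usr/share/jenkins/jenkins.war` is the documented location in the jenkins/jenkins image, the 2.1.3 ceiling is the one stated in the answer, and the presence of the `jar` tool inside the image is an assumption.

```shell
#!/bin/sh
# Added example: check whether the artifact version bundled in a Jenkins image is
# inside the version range a scanner finding claims. Not code from the original post.
#
# Against a real image (assumes the `jar` tool from the JDK exists in the image):
#   docker run --rm --entrypoint sh jenkins/jenkins:2.492.1-lts-jdk17 \
#       -c 'jar tf /usr/share/jenkins/jenkins.war' > listing.txt

# version_le A B: exit 0 if dotted version A <= B, compared numerically per component
# (so 2.1.10 > 2.1.9, which a plain string comparison would get wrong).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# jar_version LISTING ARTIFACT: print the version of ARTIFACT found in a jar listing,
# e.g. "2.1.4" for WEB-INF/lib/dom4j-2.1.4.jar; prints nothing if it is not bundled.
jar_version() {
    printf '%s\n' "$1" | sed -n "s#.*/$2-\([0-9][0-9.]*\)\.jar\$#\1#p" | head -n 1
}

# triage LISTING ARTIFACT MAX_AFFECTED: print one of
#   absent   - the artifact is not in the war at all (finding is bogus)
#   affected - bundled version <= MAX_AFFECTED (finding may be real; check exploitability)
#   fixed    - bundled version > MAX_AFFECTED (scanner matched by name only)
triage() {
    v=$(jar_version "$1" "$2")
    if [ -z "$v" ]; then
        echo absent
    elif version_le "$v" "$3"; then
        echo affected
    else
        echo fixed
    fi
}

# CONSTRUCTED listings standing in for `jar tf jenkins.war` output; the jar names
# and versions below are illustrative, not a claim about what any image contains.
LISTING_NEW='META-INF/MANIFEST.MF
WEB-INF/lib/dom4j-2.1.4.jar
WEB-INF/lib/jenkins-core-2.492.1.jar'

LISTING_OLD='META-INF/MANIFEST.MF
WEB-INF/lib/dom4j-2.1.1.jar
WEB-INF/lib/jenkins-core-2.426.1.jar'

# Ceiling taken from the answer above: the CVE is described as affecting
# dom4j 2.1.3 and earlier.
DOM4J_MAX_AFFECTED=2.1.3

for name in NEW OLD; do
    eval "listing=\$LISTING_$name"
    printf '%s image: dom4j %s -> %s\n' "$name" \
        "$(jar_version "$listing" dom4j)" \
        "$(triage "$listing" dom4j "$DOM4J_MAX_AFFECTED")"
done
```

When the result is `fixed` or `absent`, the scanner has matched a package name rather than a vulnerable version, which is the kind of evidence to attach when you report the false positive to the scanner vendor; only an `affected` result warrants looking into whether the vulnerable code path is actually reachable from Jenkins.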