corretto-8-docker's People

Contributors

alvdavi, cliveverghese, ericedens, iliana, jguo11, mattnelson, navyxliu, pswargam, ziyiluo

corretto-8-docker's Issues

Publish corretto debian image

Hello,

I see that there is a debian flavor under contrib/debian/Dockerfile but do not see the docker image in dockerhub. Can the debian image be published as well to dockerhub?

Thanks,
An

JAVA_HOME path issue

Attempting to play around with Corretto and experiencing a path issue:

ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.

Can you please help me resolve this issue? Thank you.

Split JDK and create a Corretto-JRE for runtime

In addition to the JDK, used to BUILD an application, you guys should provide a JRE version for only the RUNTIME.

Users can use the image using a Multi-stage build. That way, the Runtime image should be much smaller.

  • Other reasons include security (not exposing javac to runtime systems)

Update Dockerfile to 8.202.08.2

The current Dockerfile builds 8.202.08.1 while 8.202.08.2 has been released later the same day, but not reflected in the Dockerfile.

Issue in Corretto 8 Docker Images

An issue in Corretto 8 Docker Images

Changes to the docker file:

FROM amazonlinux:2
# x86_64 args
ARG rpm_x64=java-1.8.0-amazon-corretto-1.8.0_232.b09-1.amzn2.0.1.x86_64.rpm
# aarch64 args
ARG rpm_aarch64=java-1.8.0-amazon-corretto-1.8.0_232.b09-1.amzn2.0.1.aarch64.rpm

Failed dependencies:

I get the following error when I try to build the docker image:

error: Failed dependencies:
dejavu-sans-fonts is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
dejavu-sans-mono-fonts is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
dejavu-serif-fonts is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
giflib is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
jpackage-utils is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libGL.so.1()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libX11.so.6()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libXext.so.6()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libXi.so.6()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libXrender.so.1()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libXtst.so.6()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libXxf86vm.so.1()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libasound.so.2()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libasound.so.2(ALSA_0.9)(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libasound.so.2(ALSA_0.9.0rc4)(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libatk-1.0.so.0()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libcairo.so.2()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libfontconfig.so.1()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libfreetype.so.6()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libgdk-x11-2.0.so.0()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libgdk_pixbuf-2.0.so.0()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libgif.so.4()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libgtk-x11-2.0.so.0()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libpango-1.0.so.0()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libpangocairo-1.0.so.0()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libpangoft2-1.0.so.0()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
The command '/bin/sh -c set -eux; case "$(uname -p)" in x86_64) rpm=$rpm_x64; path=$path_x64; key=$key_x64 ;; aarch64) rpm=$rpm_aarch64; path=$path_aarch64; key=$key_aarch64 ;; *) echo >&2 "Unsupported architecture $(uname -p)."; exit 1 ;; esac; curl -O $path/$rpm && export GNUPGHOME="$(mktemp -d)" && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $key && gpg --armor --export $key > corretto.asc && rpm --import corretto.asc && rpm -K $rpm && rpm -i $rpm && rm -r $GNUPGHOME corretto.asc $rpm && yum install -y fontconfig && yum clean all' returned a non-zero code: 1

Corretto not identifiable as having security vulnerabilities via yum

As amazoncorretto is not installed via the Amazon Linux repo but manually as an rpm package with a different package name (-devel), security scanners can't pick up that there is a vulnerable outdated version.

Is there a reason as to why you manually download rpm packages rather than using the packages distributed by the Amazon Linux repo?
As of now I only see downsides to the manual installation process:

  • it's more complex
  • it suppresses additional information like ALAS entries and upgrade possibilities via yum

Link Java trust store to the CA certificates provided by OS

Right now there are two trust stores in the Docker image:

  • /etc/pki/ca-trust/extracted/java/cacerts
  • /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts

Amazon Corretto 8 is using the latter:

Inaccessible trust store: /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/jssecacerts
trustStore is: /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts
trustStore type is: jks
trustStore provider is:

But importing, for example, the rds-combined-ca-bundle.pem with keytool to /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts doesn't work, as only the first certificate in the bundle is imported. Possible solutions would be either to split rds-combined-ca-bundle.pem into separate certificates and import them one by one or to convert the bundle to PKCS#7...

https://docs.aws.amazon.com/documentdb/latest/developerguide/connect.html

It is a lot easier to import rds-combined-ca-bundle.pem to /etc/pki/ca-trust/extracted/java/cacerts:

QUICK HELP 1: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:

  add it as a new file to directory /etc/pki/ca-trust/source/anchors/
  run update-ca-trust extract

https://www.systutorials.com/docs/linux/man/8-update-ca-trust/

ADD rds-combined-ca-bundle.pem /etc/pki/ca-trust/source/anchors/rds-combined-ca-bundle.pem
RUN update-ca-trust extract \
  && ln -fs /etc/pki/ca-trust/extracted/java/cacerts ${JAVA_HOME}/jre/lib/security/cacerts

Is there a good reason NOT to link ${JAVA_HOME}/jre/lib/security/cacerts to /etc/pki/ca-trust/extracted/java/cacerts per default in the Docker image?

Related to corretto/corretto-8#171.
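
Added example (not part of the issue above or of the project's code): one way to carry out the "split the bundle and import the certificates one by one" option the issue mentions, in shell. The function names, the alias prefix and the constructed sample bundle are assumptions; the sample bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example. The issue reports that keytool imports only the first
# certificate of a PEM bundle, so split it and import each entry separately.

# split_pem_bundle BUNDLE OUTDIR -> writes OUTDIR/cert-NNN.pem, prints count.
# Text outside BEGIN/END markers (subject lines, comments) is dropped and
# CRLF line endings are normalised.
split_pem_bundle() {
  mkdir -p "$2" || return 1
  awk -v dir="$2" '
    { sub(/\r$/, "") }
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n); inside = 1 }
    inside { print > (out) }
    /-----END CERTIFICATE-----/ { if (inside) close(out); inside = 0 }
    END { print n + 0 }
  ' "$1"
}

# import_bundle BUNDLE KEYSTORE STOREPASS PREFIX -> prints number imported.
# Requires keytool on PATH; stops at the first certificate that fails.
import_bundle() {
  local tmp pem imported=0
  tmp=$(mktemp -d) || return 1
  split_pem_bundle "$1" "$tmp" >/dev/null || { rm -rf "$tmp"; return 1; }
  for pem in "$tmp"/cert-*.pem; do
    [ -e "$pem" ] || break
    keytool -importcert -noprompt -trustcacerts \
      -keystore "$2" -storepass "$3" \
      -alias "$4-$(basename "$pem" .pem)" -file "$pem" >&2 \
      || { rm -rf "$tmp"; return 1; }
    imported=$((imported + 1))
  done
  rm -rf "$tmp"
  echo "$imported"
}

# Constructed sample: three placeholder entries (not real certificates) with
# the human-readable text that bundles often carry between entries.
make_sample_bundle() {
  local i
  for i in 1 2 3; do
    printf 'subject=CN=constructed-ca-%s\n' "$i"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "Q09OU1RSVUNURUQ${i}" '-----END CERTIFICATE-----'
  done > "$1"
}

# Offline demo of the split step only (the import step needs keytool).
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir/bundle.pem"
echo "certificates in sample bundle: $(split_pem_bundle "$demo_dir/bundle.pem" "$demo_dir/split")"
rm -rf "$demo_dir"
```

Comparing the count printed by `import_bundle` with the number of `BEGIN CERTIFICATE` markers in the bundle confirms that no entry was silently skipped.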

Corretto 8/11 on SUSE

I see that Ubuntu and RHEL support is planned for the Corretto 8 GA drop in 1Q. Are there any plans to add other supported UNIX distributions such as SUSE?

gpg key lookup fail

Hi there,

the lookup for the key C554E802F4545B60919A0A87BD93DF06B540D62A fails
Lookup via web gives a "No results found"
http://ha.pool.sks-keyservers.net/pks/lookup?search=C554E802F4545B60919A0A87BD93DF06B540D62A&fingerprint=on&op=index

% docker build .
Sending build context to Docker daemon  163.3kB
Step 1/9 : FROM amazonlinux:2
 ---> b94321659aca
Step 2/9 : ARG rpm_x64=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
 ---> Running in 763a22513282
Removing intermediate container 763a22513282
 ---> 48b547be5cf1
Step 3/9 : ARG path_x64=https://d3pxv6yz143wms.cloudfront.net/8.222.10.1
 ---> Running in 92c4b8389045
Removing intermediate container 92c4b8389045
 ---> 5408469d1224
Step 4/9 : ARG key_x64=C554E802F4545B60919A0A87BD93DF06B540D62A
 ---> Running in 4d1ead876785
Removing intermediate container 4d1ead876785
 ---> bd32ad937e18
Step 5/9 : ARG rpm_aarch64=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-4.aarch64.rpm
 ---> Running in 7940284d22e7
Removing intermediate container 7940284d22e7
 ---> f4f710e08495
Step 6/9 : ARG path_aarch64=https://d3pxv6yz143wms.cloudfront.net/8.222.10.4
 ---> Running in cf1c1def4a3a
Removing intermediate container cf1c1def4a3a
 ---> a7942a3e2665
Step 7/9 : ARG key_aarch64=826272FACCCCC8E76897C26CE9B1F93E1A158134
 ---> Running in e3b3063e5e10
Removing intermediate container e3b3063e5e10
 ---> de9c44f857b2
Step 8/9 : RUN set -eux;     case "$(uname -p)" in         x86_64) rpm=$rpm_x64; path=$path_x64; key=$key_x64 ;;         aarch64) rpm=$rpm_aarch64; path=$path_aarch64; key=$key_aarch64 ;;         *) echo >&2 "Unsupported architecture $(uname -p)."; exit 1 ;;     esac;         curl -O $path/$rpm     && export GNUPGHOME="$(mktemp -d)"     && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $key     && gpg --armor --export $key > corretto.asc     && rpm --import corretto.asc     && rpm -K $rpm     && rpm -i $rpm     && rm -r $GNUPGHOME corretto.asc $rpm     && yum install -y fontconfig     && yum clean all
 ---> Running in 3b3230d7ca95
+ case "$(uname -p)" in
++ uname -p
+ rpm=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
+ path=https://d3pxv6yz143wms.cloudfront.net/8.222.10.1
+ key=C554E802F4545B60919A0A87BD93DF06B540D62A
+ curl -O https://d3pxv6yz143wms.cloudfront.net/8.222.10.1/java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  111M  100  111M    0     0  12.7M      0  0:00:08  0:00:08 --:--:-- 17.4M
++ mktemp -d
+ export GNUPGHOME=/tmp/tmp.jzzxTOi6f0
+ GNUPGHOME=/tmp/tmp.jzzxTOi6f0
+ gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys C554E802F4545B60919A0A87BD93DF06B540D62A
gpg: keyring `/tmp/tmp.jzzxTOi6f0/secring.gpg' created
gpg: keyring `/tmp/tmp.jzzxTOi6f0/pubring.gpg' created
gpg: requesting key B540D62A from hkp server ha.pool.sks-keyservers.net
gpg: keyserver timed out
gpg: keyserver receive failed: Keyserver error
The command '/bin/sh -c set -eux;     case "$(uname -p)" in         x86_64) rpm=$rpm_x64; path=$path_x64; key=$key_x64 ;;         aarch64) rpm=$rpm_aarch64; path=$path_aarch64; key=$key_aarch64 ;;         *) echo >&2 "Unsupported architecture $(uname -p)."; exit 1 ;;     esac;         curl -O $path/$rpm     && export GNUPGHOME="$(mktemp -d)"     && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $key     && gpg --armor --export $key > corretto.asc     && rpm --import corretto.asc     && rpm -K $rpm     && rpm -i $rpm     && rm -r $GNUPGHOME corretto.asc $rpm     && yum install -y fontconfig     && yum clean all' returned a non-zero code: 2

best regards,
Serbest

Remove has binary files and weights 76.71MB

Remove binary files from history.
Despite being deleted, git clone takes 76 Mb

>docker build -t amazon-corretto-8 github.com/corretto/corretto-8-docker
Sending build context to Docker daemon  76.71MB
Step 1/3 : FROM amazonlinux:2

Consider using force-push from a new local repo, or use a tool like filter-branch, rebase -i or BFG to remove binary bloat.

JAVA_HOME seems to be incorrect

JAVA_HOME currently points to /usr/lib/jvm/java-1.8.0-amazon-corretto.x86_64, but JVM actually resides in /usr/lib/jvm/java-1.8.0-amazon-corretto:

sh-4.2# echo $JAVA_HOME
/usr/lib/jvm/java-1.8.0-amazon-corretto.x86_64

sh-4.2# ls $JAVA_HOME
ls: cannot access /usr/lib/jvm/java-1.8.0-amazon-corretto.x86_64: No such file or directory

sh-4.2# ls /usr/lib/jvm/java-1.8.0-amazon-corretto
ASSEMBLY_EXCEPTION  LICENSE  THIRD_PARTY_README  bin  include  javafx-src.zip  jre  lib  man  src.zip  version.txt

update-ca-trust doesn't update cacerts

On Amazon Linux 2, jre/lib/security/cacerts is a symlink to /etc/pki/java/cacerts. This enables update-ca-trust to update the java runtime's trust store. However, this image does not do this so updating the system trust stores via update-ca-trust does not update the java trust store.

My current workaround is to copy /etc/pki/ca-trust/extracted/java/cacerts over the JVM's cacerts file after running update-ca-trust.

How could I print the Chinese correctly?

I print some Chinese words into the file using log4j2. When I want to see the content of the file by using "tail", I find that all of the Chinese words in the file are "???".

Where do the rpm files come from?

I'm wondering where this comes from

ARG rpm_x64=java-1.8.0-amazon-corretto-devel-1.8.0_232.b09-1.x86_64.rpm
ARG path_x64=https://d3pxv6yz143wms.cloudfront.net/8.232.09.1
ARG key_x64=E8EB406377AD2B9E9A4765D19CB3BC6FF6C9FC19

I'd expect the RPM's to be from corretto.aws (which is the "site" that AWS lists), not an unmapped cloudfront distro. However, the one you have above is relocatable (yay), and their one isn't.

Any idea? I've made a lambda layer based on the above rpm's (hence relocatable), so I'm going to need to watch your stuff to make sure I bump versions as needed

Thanks

gpg key not available anymore

I cannot build the Dockerfile anymore because the gpg key seems to be missing.

gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys E8EB406377AD2B9E9A4765D19CB3BC6FF6C9FC19

results in

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key F6C9FC19 from hkp server ha.pool.sks-keyservers.net
gpgkeys: key E8EB406377AD2B9E9A4765D19CB3BC6FF6C9FC19 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

http://ha.pool.sks-keyservers.net/pks/lookup?search=0xF6C9FC19&op=vindex

Non-root user?

How can I add a user to my image, if I don't want to run the app as root?

Image using alpine

Do you plan on building an Alpine based docker image? This is much smaller and perfect for microservices running on ECS.

Docker Hub

Could this be made available on Docker Hub? I think it would be quite straightforward to set up an Automated Build repository over there that builds from this repository

Amazon Linux 2 Security Advisory: ALAS-2020-1406 stays unresolved

Hello support team

I'm facing the following problem addressing the Amazon Linux 2 Security Advisory: ALAS-2020-1406.
I updated my dockerfile to follow the Security Advisory by adding yum update openssl.

https://alas.aws.amazon.com/AL2/ALAS-2020-1406.html

Unfortunately the image scanning keeps showing me the high risk vulnerability. I simplified my docker file almost to zero custom code.

Here is my base image docker file

# ---- Base Node ----
FROM amazoncorretto AS base
# set working directory
# Create app directory
RUN yum update kernel --assumeyes
RUN yum update libarchive --assumeyes
RUN yum update openssl --assumeyes
RUN yum update sqlite --assumeyes

Previously, I opened a technical assistance request through the AWS support system but was redirected to the AWS JDK team. They believe that the issue is with the base image itself. As the base image amazoncorretto may not have the required packages for update in the mirror list, it was unable to find the new patch for openssl. I see the CVE mentioned has been released on 2020-03-25 21:45 Pacific.

The image build is done on my local machine
Docker engine version:

Client:
Version: 17.12.0-ce
API version: 1.35
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:03:51 2017
OS/Arch: darwin/amd64

Server:
Engine:
Version: 17.12.0-ce
API version: 1.35 (minimum version 1.12)
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:12:29 2017
OS/Arch: linux/amd64
Experimental: false
