Upgrade openssl to resolve DSA-5139-1 for Docker openjdk:17.0-jdk-slim-bullseye

I am using the Debian JDK image in my Dockerfile, which introduced a security vulnerability, DSA-5139-1 [https://snyk.io/test/docker/openjdk%3A17.0-jdk-slim-bullseye]

This is my Dockerfile -

FROM openjdk:17-jdk-slim-bullseye

RUN apt-get update \
    && apt-get install -y ca-certificates wget bash

When I build the image, it gives me the version of OpenSSL below -

C:\docker-test>docker run -it openssl_test openssl version
OpenSSL 1.1.1n  15 Mar 2022

I tried to force-install OpenSSL 1.1.1o, but when I get into bash and run "openssl version", it always shows me the same version (1.1.1n) -

FROM openjdk:17-jdk-slim-bullseye

RUN apt-get -y remove openssl

RUN apt-get update \
    && apt-get install -y ca-certificates wget bash
    
RUN wget https://www.openssl.org/source/openssl-1.1.1o.tar.gz 

Then I tried the below to force the installation of OpenSSL 1.1.1o, but it seems "tar" doesn't work -

FROM openjdk:17-jdk-slim-bullseye

RUN apt-get -y remove openssl

RUN apt-get update \
    && apt-get install -y ca-certificates wget bash \
    && wget https://www.openssl.org/source/openssl-1.1.1o.tar.gz \
    && tar -xzvf openssl-1.1.1o
    
WORKDIR /openssl-1.1.1o
RUN ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl && make && make install

I get this error while building the image -

#5 12.01 2022-05-20 19:22:46 (3.01 MB/s) - ‘openssl-1.1.1o.tar.gz’ saved [9856386/9856386]
#5 12.01
#5 12.01 tar (child): openssl-1.1.1o: Cannot open: No such file or directory
#5 12.01 tar (child): Error is not recoverable: exiting now
#5 12.01 tar: Child returned status 2
#5 12.01 tar: Error is not recoverable: exiting now

Any help would be appreciated.



Solution 1:[1]

This worked for me -

FROM openjdk:17-jdk-slim-bullseye

# Perl is required to build openssl from source
RUN apt-get update \
    && apt-get install -y ca-certificates wget bash \
    && apt-get -qy install perl

# Remove current openssl
RUN apt-get -y remove openssl

# gcc is required to compile openssl (./config && make)
RUN apt-get -qy install gcc

RUN apt-get -q update && apt-get -qy install wget make \
    && wget https://www.openssl.org/source/openssl-1.1.1o.tar.gz \
    && tar -xzvf openssl-1.1.1o.tar.gz \
    && cd openssl-1.1.1o \
    && ./config \
    && make install

ENV PATH "$PATH:/usr/local/ssl/bin"

And this shows the current version -

C:\docker-test>docker run -it openssl_test /bin/bash
root@e28ea8c1fb63:/# openssl version
OpenSSL 1.1.1o  3 May 2022 (Library: OpenSSL 1.1.1n  15 Mar 2022)
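
The output above is the thing to look at before calling this advisory resolved: the "openssl" binary on PATH is 1.1.1o, but the "(Library: OpenSSL 1.1.1n ...)" part says the shared library, which is what the JDK and every other program in the image actually link against, is still the Debian libssl1.1 package. Debian also backports fixes without changing the upstream version string, so the patched package still reports 1.1.1n and has to be checked by its dpkg version. The script below is an added example, not code from the question or the answer. It parses an "openssl version" line into binary and library versions, checks constructed dpkg-query output against the bullseye fixed version stated in DSA-5139-1 (1.1.1n-0+deb11u2, confirm against the advisory before relying on it), and prints the Dockerfile that takes the patched packages from the image's existing apt sources instead of a source build. deb_version_ge is a simplified stand-in for "dpkg --compare-versions" that only understands the 1.1.1<letter>-0+deb11u<N> shape; the sample package listings are constructed.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Two checks before calling DSA-5139-1 "resolved" in an image:
#  1. `openssl version` reports the binary AND the library; a source build
#     on PATH leaves the Debian libssl1.1 (what Java links against) untouched.
#  2. Debian backports fixes without bumping the upstream version, so the
#     real test is the dpkg package version against the advisory's fixed
#     version, not the "1.1.1n" string.

# Fixed version for bullseye as stated in DSA-5139-1 (assumption: confirm
# against the advisory text before relying on it).
DEB_FIXED="1.1.1n-0+deb11u2"

# Parse one line of `openssl version` output into "<binary> <library>".
openssl_versions() {
    bin=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][^ ]*\).*/\1/p')
    lib=$(printf '%s\n' "$1" | sed -n 's/.*(Library: OpenSSL \([0-9][^ ]*\).*/\1/p')
    # No "(Library: ...)" suffix means binary and library agree.
    [ -n "$lib" ] || lib=$bin
    printf '%s %s\n' "$bin" "$lib"
}

# Simplified stand-in for `dpkg --compare-versions "$1" ge "$2"`, valid only
# for bullseye openssl versions shaped like 1.1.1<letter>[-0+deb11u<N>].
# Returns 0 when $1 >= $2.
deb_version_ge() {
    up1=${1%%-*}; up2=${2%%-*}
    case $1 in *-*) rev1=${1##*u} ;; *) rev1=0 ;; esac
    case $2 in *-*) rev2=${2##*u} ;; *) rev2=0 ;; esac
    if [ "$up1" != "$up2" ]; then
        # Within the 1.1.1a..1.1.1z series the patch letter sorts lexically.
        if [ "$(printf '%s\n%s\n' "$up1" "$up2" | sort | tail -n 1)" = "$up1" ]; then
            return 0
        fi
        return 1
    fi
    if [ "$rev1" -ge "$rev2" ]; then return 0; fi
    return 1
}

# Print the openssl-family packages still below DEB_FIXED.
# $1: text shaped like the output of
#     dpkg-query -W -f='${Package} ${Version}\n' libssl1.1 openssl
vulnerable_packages() {
    printf '%s\n' "$1" | while read -r pkg ver; do
        [ -n "$pkg" ] || continue
        if ! deb_version_ge "$ver" "$DEB_FIXED"; then
            printf '%s %s\n' "$pkg" "$ver"
        fi
    done
}

# The fix the advisory calls for: the patched libssl1.1/openssl from
# bullseye-security (already in the image's apt sources), not a source build
# that leaves the distro library in place.
fixed_dockerfile() {
    cat <<'EOF'
FROM openjdk:17-jdk-slim-bullseye

RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates wget bash \
    && apt-get install -y --only-upgrade libssl1.1 openssl \
    && rm -rf /var/lib/apt/lists/*

# Verify with dpkg, not `openssl version`:
#   docker run --rm <image> dpkg-query -W -f='${Package} ${Version}\n' libssl1.1 openssl
EOF
}

# Constructed sample listings (not captured from a real image).
SAMPLE_BASE="libssl1.1 1.1.1n-0+deb11u1
openssl 1.1.1n-0+deb11u1"
# After the answer's recipe: `openssl` package removed, libssl1.1 untouched.
SAMPLE_SOURCE_BUILD="libssl1.1 1.1.1n-0+deb11u1"
SAMPLE_UPGRADED="libssl1.1 1.1.1n-0+deb11u2
openssl 1.1.1n-0+deb11u2"

report() {
    printf 'binary/library: %s\n' \
        "$(openssl_versions 'OpenSSL 1.1.1o  3 May 2022 (Library: OpenSSL 1.1.1n  15 Mar 2022)')"
    printf -- '--- still vulnerable in base image:\n%s\n' "$(vulnerable_packages "$SAMPLE_BASE")"
    printf -- '--- still vulnerable after source build:\n%s\n' "$(vulnerable_packages "$SAMPLE_SOURCE_BUILD")"
    printf -- '--- still vulnerable after apt upgrade:\n%s\n' "$(vulnerable_packages "$SAMPLE_UPGRADED")"
    printf -- '--- Dockerfile that resolves the advisory:\n'
    fixed_dockerfile
}

report
```

Run it inside a freshly built image with the real dpkg-query output in place of the samples; the source-build case is the one that matters, since it is what makes a scanner that reads "openssl version" look green while the package database still carries the unpatched libssl1.1.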

Solution 2:[2]

It depends on how it does the check. Often it will look at 2 things:

free -m (or -g) and cat /proc/cpuinfo

then it will grep for something, so you fake the output with an echo

and replace mem and proc with the appropriate amount, e.g.

echo "              total        used        free      shared  buff/cache   available
Mem:       32417152    12002948    16547220       48080     3866984    19974332
Swap:      12582908           0    12582908"

Paste this script into the command line, then run your install.

cd /usr/bin
mv nproc nproc2
mv free free2
echo 'echo 16' > nproc
chmod +x nproc
echo 'echo "              total        used        free      shared  buff/cache   available"' > free
echo 'echo "Mem:             64           0          48           0          11          39"' >> free
echo 'echo "Swap:            11           0          11"' >> free
chmod +x free

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Saurabh
Solution 2