IBM Security QRadar SOAR


CVE Discovered in Python 3.6

By Shane Curtin posted Fri June 24, 2022 11:06 AM

A CVE has been discovered in Python. See https://exchange.xforce.ibmcloud.com/vulnerabilities/219613.

This affects all apps that are running on the UBI Base Image of Python 3.6, as the version of Python in that base image is 3.6.8.

Solution

Update the FROM line in your app's Dockerfile to use the UBI Base Image of Python 3.9. The version of Python in this image is 3.9.6.

FROM registry.access.redhat.com/ubi8/python-39:latest

After you update the line, build the image and push it to your registry. If your app is on our App Exchange, you need to resubmit and go through our validation process.

The update applies only to those apps created by the community and business partners. Most apps owned by IBM have been or are being updated.
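To find which app Dockerfiles still build on the affected base before rebuilding and resubmitting them, here is an added audit script (not part of this post or of any IBM tooling). It parses FROM lines, including multi-stage `AS` names and `--platform` flags, flags any reference to the `ubi8/python-36` image regardless of tag or mirror registry, and rewrites those lines to the Python 3.9 image named above; the sample Dockerfile inside it is constructed for the demonstration.

```python
import re

# Constructed sample of an app Dockerfile still on the affected base (two stages).
SAMPLE_DOCKERFILE = """\
# Base image using Red Hat's universal base image (rhel 8) for python
FROM registry.access.redhat.com/ubi8/python-36:latest AS builder
ARG APPLICATION=fn_my_app
FROM --platform=linux/amd64 registry.access.redhat.com/ubi8/python-36:1-143
USER 0
"""

AFFECTED_SUFFIX = "/ubi8/python-36"  # matches the official registry and pull-through mirrors
FIXED_IMAGE = "registry.access.redhat.com/ubi8/python-39:latest"

# FROM [--flag=value ...] <image>[:tag|@digest] [AS <stage>]
_FROM_RE = re.compile(
    r"^\s*FROM\s+(?P<flags>(?:--\S+\s+)*)(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)


def _image_name(ref):
    """Strip the tag or digest from an image reference (registry:port/ paths are safe)."""
    ref = ref.split("@", 1)[0]
    slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > slash:
        ref = ref[:colon]
    return ref.lower()


def find_affected_from_lines(dockerfile_text):
    """Return (line_number, line) for every FROM line that uses the Python 3.6 UBI image."""
    hits = []
    for n, line in enumerate(dockerfile_text.splitlines(), start=1):
        m = _FROM_RE.match(line)
        if m and _image_name(m.group("image")).endswith(AFFECTED_SUFFIX):
            hits.append((n, line.rstrip()))
    return hits


def remediate(dockerfile_text):
    """Rewrite affected FROM lines to the 3.9 image, keeping build flags and stage names."""
    out = []
    for line in dockerfile_text.splitlines():
        m = _FROM_RE.match(line)
        if m and _image_name(m.group("image")).endswith(AFFECTED_SUFFIX):
            stage = f" AS {m.group('stage')}" if m.group("stage") else ""
            line = f"FROM {m.group('flags')}{FIXED_IMAGE}{stage}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Run `find_affected_from_lines` over each app's Dockerfile in CI so a rebuild on the old base is caught before it is pushed; the remediated file still needs the normal build, push and App Exchange validation steps.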

Here is an example of a fully updated Dockerfile.

# Base image using Red Hat's universal base image (rhel 8) for python
FROM registry.access.redhat.com/ubi8/python-39:latest

ARG APPLICATION=fn_my_app
ARG RESILIENT_CIRCUITS_VERSION=45.0.0
ARG PATH_RESILIENT_CIRCUITS=rescircuits

# Environment variable for any app to check if running in a container
ARG APP_HOST_CONTAINER=1
ENV APP_HOST_CONTAINER=${APP_HOST_CONTAINER}

# Update to latest packages, user 0 for root privilege
USER 0

# Update to latest pip
RUN pip install --upgrade pip

# install resilient-circuits
RUN pip install "resilient-circuits>=${RESILIENT_CIRCUITS_VERSION}"

## ---- section for changes ----

# install the base package
COPY ./dist /tmp/packages
RUN pip install /tmp/packages/${APPLICATION}-*.tar.gz

## ---- end section for changes ----

# set up configuration and log locations using /etc and /var/log, the conventional locations for config and logs
RUN mkdir /etc/${PATH_RESILIENT_CIRCUITS}
ENV APP_CONFIG_FILE /etc/${PATH_RESILIENT_CIRCUITS}/app.config

# create arbitrary group for user 1001
RUN groupadd -g 1001 default && usermod -g 1001 default

# create directory for logs and set to be root group to allow access by non root processes
RUN mkdir /var/log/${PATH_RESILIENT_CIRCUITS} && \
    chgrp -R 1001 /var/log/${PATH_RESILIENT_CIRCUITS} && \
    chmod -R g=u /var/log/${PATH_RESILIENT_CIRCUITS}
ENV APP_LOG_DIR /var/log/${PATH_RESILIENT_CIRCUITS}

# setup entrypoint for read-only enterprise data used by integration, if needed
RUN mkdir /var/${PATH_RESILIENT_CIRCUITS}

# entrypoint for resilient-circuits.  Use /opt, the conventional location for optional software on Linux
RUN mkdir /opt/${PATH_RESILIENT_CIRCUITS}
COPY entrypoint.sh /opt/${PATH_RESILIENT_CIRCUITS}/entrypoint.sh

# arbitrary user, support running as non-root. Required on OpenShift. Generally a good practice.
USER 1001
# exec-form ENTRYPOINT does not expand build args, so the path is spelled out to match the default PATH_RESILIENT_CIRCUITS
ENTRYPOINT [ "sh", "/opt/rescircuits/entrypoint.sh" ]