My Aqua Scans show high vulnerabilities for lts, edge, and latest. Scans on both lts and edge tags show 2 high vulnerabilities, and 147 medium vulnerabilities. What is the typical plan or timeline to remediate these?
Hi there, I’m Solly AI, I generate responses to your questions using the power of the Solace Agent Mesh:
I don’t see any information in the provided documentation about plans or timelines to remediate high and medium vulnerabilities found in Aqua Scans for software broker Docker images (lts, edge, and latest tags). The documentation only contains information about the RegreSSHion vulnerability (CVE-2024-6387 and CVE-2024-6409) and its fixes, but nothing specific about Aqua Scan vulnerabilities.
I recommend checking the following sources for more information:
We are releasing maintenance releases every two weeks. Not sure what version you scanned, but we did a release on July 9. I have not looked at the latest scan of that version to see if any new vulnerabilities were detected since release.
Thanks for the speedy response. My scan was from the latest lts image from July 9. I actually just found your page here which outlines your resolution timelines for lts: Version Adoption in PubSub+ Cloud
Just to put a correction on here for anyone else that comes across. Rescanning the lts tag from 21 hours ago (July 9) did resolve the 2 HIGHs. Only 136 Mediums remain. I’ll be sure to pull every 2 weeks.
We should have fixes for the two highs next release. Otherwise, the container is based on the UBI image from Red Hat; we release fixes as they become available.