CPBR-2901: Updating docker dependencies for 8.0.2-cp2 to fix CVEs

base-java/Dockerfile.ubi9

@@ -5,6 +5,9 @@ ARG DOCKER_UPSTREAM_TAG
 ARG GOLANG_VERSION
 ARG UBI_MINIMAL_VERSION
 ARG OPENSSL_VERSION
+ARG CRYPTO_POLICIES_SCRIPTS_VERSION
+ARG FINDUTILS_VERSION
+ARG HOSTNAME_VERSION
 
 FROM docker.io/golang:${GOLANG_VERSION} AS build-ub-package-dedupe
 RUN useradd --no-log-init --create-home --shell /bin/bash appuser
@@ -24,6 +27,10 @@ FROM registry.access.redhat.com/ubi9-minimal:${UBI_MINIMAL_VERSION} AS REFRESH
 ARG OPENSSL_VERSION
 ARG PROJECT_VERSION
 ARG ARTIFACT_ID
+ARG CRYPTO_POLICIES_SCRIPTS_VERSION
+ARG FINDUTILS_VERSION
+ARG HOSTNAME_VERSION
+ARG TEMURIN_JDK_VERSION
 
 # Remember where we came from
 LABEL io.confluent.docker.git.repo="confluentinc/common-docker"
@@ -55,47 +62,65 @@ gpgcheck=1 \n\
 gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
 " > /etc/yum.repos.d/adoptium.repo
 
-# ENV required when manually installing openssl,
-# for arm64 required binaries are present in /usr/local/lib
-# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
-ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
+# Install system packages first to establish baseline
+RUN microdnf --nodocs -y install yum \
+    && yum --nodocs -q update -y \
+    && microdnf install -y \
+        "crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION}" \
+        "findutils${FINDUTILS_VERSION}" \
+        "hostname${HOSTNAME_VERSION}" \
+        "temurin-21-jre${TEMURIN_JDK_VERSION}" \
+    && yum clean all \
+    && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
 
 # Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/.
 # Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner.
 # Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL.
 # For details on the necessary configuration changes in openssl.cnf, please refer to the documentation at: https://docs.openssl.org/3.0/man7/fips_module/#description
-RUN microdnf --nodocs -y install yum \
-    && yum --nodocs -q update -y \
-    && yum --nodocs -q install -y wget tar gzip make perl gcc \
+RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
     && wget -q https://github.com/openssl/openssl/releases/download/openssl${OPENSSL_VERSION}/openssl${OPENSSL_VERSION}.tar.gz \
     && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \
     && cd openssl${OPENSSL_VERSION} \
-    && echo "installing FIPS compliant openssl" \
-    && ./Configure enable-fips \
+    && echo "installing FIPS compliant openssl to /opt/openssl-fips" \
+    && ./Configure enable-fips --prefix=/opt/openssl-fips --openssldir=/opt/openssl-fips/ssl \
     && make > /dev/null 2>&1 \
     && make install > /dev/null 2>&1 \
     && echo "successfully installed FIPS compliant openssl" \
+    && echo "initializing FIPS module..." \
+    && FIPS_MODULE_PATH=$(find /opt/openssl-fips/lib* -name "fips.so" | head -1) \
+    && echo "Found FIPS module at: ${FIPS_MODULE_PATH}" \
+    && /opt/openssl-fips/bin/openssl fipsinstall -out /opt/openssl-fips/ssl/fipsmodule.cnf -module ${FIPS_MODULE_PATH} \
+    && echo "FIPS module initialized successfully" \
     && cd .. \
     && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \
     && yum remove -y wget tar make perl gcc glibc-gconv-extra --setopt=clean_requirements_on_remove=1 \
-    && microdnf install -y \
-        "crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION}" \
-        "findutils${FINDUTILS_VERSION}" \
-        "hostname${HOSTNAME_VERSION}" \
-        "temurin-21-jre${TEMURIN_JDK_VERSION}" \
     && yum clean all \
     && rm -rf /tmp/* \
     && mkdir -p /etc/confluent/docker /usr/logs \
     && useradd --no-log-init --create-home --shell /bin/bash appuser \
     && chown appuser:appuser -R /etc/confluent/ /usr/logs \
-    && mkdir /licenses \
-    && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
+    && mkdir /licenses
 
-# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
+# Enable FIPS in docker image BEFORE setting FIPS OpenSSL environment variables
+# This avoids library conflicts with system Python during crypto-policies update
 RUN update-crypto-policies --set FIPS
 
+# ENV required when manually installing openssl,
+# for arm64 required binaries are present in /usr/local/lib
+# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
+# Also include the FIPS OpenSSL installation path for library discovery
+# Set AFTER crypto-policies update to avoid interfering with system Python
+ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
+
+# Set environment for FIPS OpenSSL - ensure it's available in PATH and properly configured
+ENV FIPS_OPENSSL_PATH=/opt/openssl-fips
+ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH
+ENV OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf
+
+# Copy FIPS configuration file
 COPY license.txt /licenses
-COPY openssl-fips.cnf  /usr/local/ssl/openssl-fips.cnf
+COPY openssl-fips.cnf  /opt/openssl-fips/ssl/openssl-fips.cnf
+
 COPY --from=build-ub-package-dedupe /build/package_dedupe/package_dedupe /usr/bin/package_dedupe
 COPY --from=build-ub-package-dedupe /build/ub/ub /usr/bin/ub
 

base-java/openssl-fips.cnf

@@ -48,7 +48,7 @@ tsa_policy3 = 1.2.3.4.5.7
 # fips provider. It contains a named section e.g. [fips_sect] which is
 # referenced from the [provider_sect] below.
 # Refer to the OpenSSL security policy for more information.
-.include /usr/local/ssl/fipsmodule.cnf
+.include /opt/openssl-fips/ssl/fipsmodule.cnf
 
 [openssl_init]
 providers = provider_sect
@@ -61,6 +61,10 @@ fips = fips_sect
 [alg_sect]
 default_properties = fips=yes
 
+# FIPS provider configuration - this section is referenced from [provider_sect]
+[fips_sect]
+activate = 1
+
 # If no providers are activated explicitly, the default one is activated implicitly.
 # See man 7 OSSL_PROVIDER-default for more details.
 #

base/Dockerfile.ubi9

@@ -63,6 +63,8 @@ ARG HOSTNAME_VERSION=""
 ARG XZ_LIBS_VERSION=""
 ARG GLIBC_VERSION=""
 ARG CURL_VERSION=""
+ARG FINDUTILS_VERSION=""
+ARG CRYPTO_POLICIES_SCRIPTS_VERSION=""
 
 # Temurin JDK version
 ARG TEMURIN_JDK_VERSION=""
@@ -86,29 +88,9 @@ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
 " > /etc/yum.repos.d/adoptium.repo
 
 
-# ENV required when manually installing openssl,
-# for arm64 required binaries are present in /usr/local/lib
-# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
-ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
-
-# Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/.
-# Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner.
-# Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL.
-# For details on the necessary configuration changes in openssl.cnf, please refer to the documentation at: https://docs.openssl.org/3.0/man7/fips_module/#description
+# Install system packages first to establish baseline and avoid Python conflicts
 RUN microdnf --nodocs -y install yum \
     && yum --nodocs -q update -y \
-    && yum --nodocs -q install -y wget tar gzip make perl gcc \
-    && wget -q https://github.com/openssl/openssl/releases/download/openssl${OPENSSL_VERSION}/openssl${OPENSSL_VERSION}.tar.gz \
-    && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \
-    && cd openssl${OPENSSL_VERSION} \
-    && echo "installing FIPS compliant openssl" \
-    && ./Configure enable-fips \
-    && make > /dev/null 2>&1 \
-    && make install > /dev/null 2>&1 \
-    && echo "successfully installed FIPS compliant openssl" \
-    && cd .. \
-    && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \
-    && yum remove -y wget tar make perl gcc glibc-gconv-extra --setopt=clean_requirements_on_remove=1 \
     && yum --nodocs install -y --setopt=install_weak_deps=False \
         git \
         "wget${WGET_VERSION}" \
@@ -132,16 +114,55 @@ RUN microdnf --nodocs -y install yum \
     && python3 -m pip install --upgrade "setuptools${PYTHON_SETUPTOOLS_VERSION}" \
     && python3 -m pip install --prefer-binary --prefix=/usr/local --upgrade "${PYTHON_CONFLUENT_DOCKER_UTILS_INSTALL_SPEC}" \
     && yum remove -y git \
+    && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
+
+# Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/.
+# Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner.
+# Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL.
+# For details on the necessary configuration changes in openssl.cnf, please refer to the documentation at: https://docs.openssl.org/3.0/man7/fips_module/#description
+RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
+    && wget -q https://github.com/openssl/openssl/releases/download/openssl${OPENSSL_VERSION}/openssl${OPENSSL_VERSION}.tar.gz \
+    && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \
+    && cd openssl${OPENSSL_VERSION} \
+    && echo "installing FIPS compliant openssl to /opt/openssl-fips" \
+    && ./Configure enable-fips --prefix=/opt/openssl-fips --openssldir=/opt/openssl-fips/ssl \
+    && make > /dev/null 2>&1 \
+    && make install > /dev/null 2>&1 \
+    && echo "successfully installed FIPS compliant openssl" \
+    && echo "initializing FIPS module..." \
+    && FIPS_MODULE_PATH=$(find /opt/openssl-fips/lib* -name "fips.so" | head -1) \
+    && echo "Found FIPS module at: ${FIPS_MODULE_PATH}" \
+    && /opt/openssl-fips/bin/openssl fipsinstall -out /opt/openssl-fips/ssl/fipsmodule.cnf -module ${FIPS_MODULE_PATH} \
+    && echo "FIPS module initialized successfully" \
+    && cd .. \
+    && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \
+    && yum remove -y wget tar gzip make perl gcc --setopt=clean_requirements_on_remove=1 \
     && yum clean all \
     && rm -rf /tmp/* \
     && mkdir -p /etc/confluent/docker /usr/logs \
     && useradd --no-log-init --create-home --shell /bin/bash appuser \
-    && chown appuser:appuser -R /etc/confluent/ /usr/logs \
-    && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
+    && chown appuser:appuser -R /etc/confluent/ /usr/logs
 
-# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
+# Enable FIPS in docker image BEFORE setting FIPS OpenSSL environment variables
+# This avoids library conflicts with system Python during crypto-policies update
 RUN update-crypto-policies --set FIPS
 
+# ENV required when manually installing openssl,
+# for arm64 required binaries are present in /usr/local/lib
+# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
+# Also include the FIPS OpenSSL installation path for library discovery
+# Set AFTER crypto-policies update to avoid interfering with system Python
+ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
+
+# Set environment for FIPS OpenSSL - ensure it's available in PATH and properly configured
+ENV FIPS_OPENSSL_PATH=/opt/openssl-fips
+ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH
+ENV OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf
+
+# Copy FIPS configuration file
+COPY openssl-fips.cnf  /opt/openssl-fips/ssl/openssl-fips.cnf
+
+
 # This is a step that will cause the build to fail of the package manager detects a package update is availible and isn't installed.
 # The ARG SKIP_SECURITY_UPDATE_CHECK is an "escape" hatch if you want to by-pass this check and build the container anyways, which
 # is not advisable in terms of security posture. If set to false (which triggers a shell exit(1) if the check fails from the left
@@ -153,7 +174,7 @@ RUN yum check-update || "${SKIP_SECURITY_UPDATE_CHECK}"
 
 COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/doc/* /usr/share/doc/${ARTIFACT_ID}/
 COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/java/${ARTIFACT_ID}/* /usr/share/java/${ARTIFACT_ID}/
-COPY openssl-fips.cnf  /usr/local/ssl/openssl-fips.cnf
+COPY openssl-fips.cnf  /opt/openssl-fips/ssl/openssl-fips.cnf
 
 COPY --chown=appuser:appuser include/etc/confluent/docker /etc/confluent/docker
 COPY --chown=appuser:appuser include/etc/cp-base-new /etc/cp-base-new

base/openssl-fips.cnf

@@ -48,7 +48,7 @@ tsa_policy3 = 1.2.3.4.5.7
 # fips provider. It contains a named section e.g. [fips_sect] which is
 # referenced from the [provider_sect] below.
 # Refer to the OpenSSL security policy for more information.
-.include /usr/local/ssl/fipsmodule.cnf
+.include /opt/openssl-fips/ssl/fipsmodule.cnf
 
 [openssl_init]
 providers = provider_sect
@@ -61,6 +61,10 @@ fips = fips_sect
 [alg_sect]
 default_properties = fips=yes
 
+# FIPS provider configuration - this section is referenced from [provider_sect]
+[fips_sect]
+activate = 1
+
 # If no providers are activated explicitly, the default one is activated implicitly.
 # See man 7 OSSL_PROVIDER-default for more details.
 #

pom.xml

@@ -35,27 +35,25 @@
         <docker.tag>${io.confluent.common-docker.version}-${docker.ubi9.os_type}</docker.tag>
         <io.confluent.common-docker.version>8.0.2</io.confluent.common-docker.version>
         <!-- Versions-->
-        <ubi8.image.version>8.10-1755105495</ubi8.image.version>
-        <ubi9.micro.image.version>9.6-1754345610</ubi9.micro.image.version>
-        <ubi9.minimal.image.version>9.6-1760515502</ubi9.minimal.image.version>
+        <ubi8.image.version>8.10-1761032271</ubi8.image.version>
+        <ubi9.micro.image.version>9.7-1762965531</ubi9.micro.image.version>
+        <ubi9.minimal.image.version>9.7-1762956380</ubi9.minimal.image.version>
         <ubi9.openssl.version>1:3.2.2-6.el9_5.1</ubi9.openssl.version>
         <!-- OpenSSL version that is FIPS compliant -->
         <fips.openssl.version>3.1.2</fips.openssl.version>
         <!-- Redhat Package Versions -->
         <ubi9.wget.version>1.21.1-8.el9_4</ubi9.wget.version>
         <ubi9.netcat.version>7.92-3.el9</ubi9.netcat.version>
-        <ubi9.python39.version>3.9.21-2.el9_6.2</ubi9.python39.version>
-        <ubi9.tar.version>1.34-7.el9</ubi9.tar.version>
-        <ubi9.wget.version>1.21.1-8.el9_4</ubi9.wget.version>
-        <ubi9.netcat.version>7.92-3.el9</ubi9.netcat.version>
+        <ubi9.python39.version>3.9.23-2.el9</ubi9.python39.version>
+        <ubi9.tar.version>2:1.34-7.el9</ubi9.tar.version>
         <ubi9.procps.version>3.3.17-14.el9</ubi9.procps.version>
         <ubi9.krb5.workstation.version>1.21.1-8.el9_6</ubi9.krb5.workstation.version>
-        <ubi9.iputils.version>20210202-11.el9_6.3</ubi9.iputils.version>
+        <ubi9.iputils.version>20210202-15.el9_7</ubi9.iputils.version>
         <ubi9.hostname.version>3.23-6.el9</ubi9.hostname.version>
         <ubi9.xzlibs.version>5.2.5-8.el9_0</ubi9.xzlibs.version>
-        <ubi9.glibc.version>2.34-168.el9_6.23</ubi9.glibc.version>
+        <ubi9.glibc.version>2.34-231.el9_7.2</ubi9.glibc.version>
         <ubi9.findutils.version>1:4.8.0-7.el9</ubi9.findutils.version>
-        <ubi9.crypto.policies.scripts.version>20240828-2.git626aa59.el9_5</ubi9.crypto.policies.scripts.version>
+        <ubi9.crypto.policies.scripts.version>20250905-1.git377cc42.el9_7</ubi9.crypto.policies.scripts.version>
         <!-- Python Module Versions -->
         <ubi9.python.pip.version>21.3.1-1.el9</ubi9.python.pip.version>