on 2025 Apr 01 1:02 PM
Hi,
we are interested in using SAP's official container image hosted at https://hub.docker.com/r/sapse/abap-cloud-developer-trial.
However, we noticed that this image has not been updated in over six months. After scanning it with Trivy, we identified the following critical vulnerabilities:
1. CVE-2024-52316 - catalina.jar (version 9.0.90)
2. CVE-2025-24813 - catalina.jar (version 9.0.90)
3. CVE-2024-24790 - in the proprietary binary /usr/local/bin/abaptrialinit
We are likely able to patch the Tomcat-related issues (1 and 2) ourselves by replacing catalina.jar with version 9.0.99, which contains the official security fixes provided by Apache.
However, regarding CVE-2024-24790, the affected file /usr/local/bin/abaptrialinit is a proprietary binary owned by SAP (and the container's entrypoint). As such, we are unable to patch it ourselves.
Please note that our company security policies prohibit the use of any container image with critical vulnerabilities. Therefore, we kindly request an updated version of the image or guidance on how to mitigate this issue.
This is the scan report:
8f49966c16f3 (sles 15.3)
Total: 0 (CRITICAL: 0)

2025-03-28T08:02:37+01:00 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)
Total: 2 (CRITICAL: 2)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| org.apache.tomcat:tomcat-catalina (catalina.jar) | CVE-2024-52316 | CRITICAL | fixed | 9.0.90 | 9.0.96, 10.1.30, 11.0.1 | tomcat: Apache Tomcat: Authentication bypass when using Jakarta Authentication API (https://avd.aquasec.com/nvd/cve-2024-52316) |
| org.apache.tomcat:tomcat-catalina (catalina.jar) | CVE-2025-24813 | CRITICAL | fixed | 9.0.90 | 11.0.3, 10.1.35, 9.0.99 | tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT... (https://avd.aquasec.com/nvd/cve-2025-24813) |

usr/local/bin/abaptrialinit (gobinary)
Total: 1 (CRITICAL: 1)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| stdlib | CVE-2024-24790 | CRITICAL | fixed | v1.20.4 | 1.21.11, 1.22.4 | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (https://avd.aquasec.com/nvd/cve-2024-24790) |
Thank you for your support.
Best Regards,
Dennis
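The workflow the post describes (scan with Trivy, then decide which CRITICAL findings the image consumer can fix by swapping a library and which only the vendor can fix by rebuilding a binary) as an added Python example. This is editor-written code, not code from the original post, SAP, or the Trivy project. It assumes Trivy's JSON layout as written by `trivy image --format json` (`Results[].Target`, `.Type`, `.Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `Status`); the embedded report is constructed to mirror the findings in the post, and the rule that a `gobinary` target is vendor-only is the editor's assumption.

```python
"""Policy gate over a Trivy JSON report: block any image with CRITICAL findings.

Added example (not SAP's or Trivy's own code). Findings are split into those
the image consumer can remediate by replacing a library file (e.g. a jar) and
those only the vendor can remediate (a statically linked Go binary carries its
stdlib, so a stdlib CVE needs a rebuild with a patched toolchain).
"""
import json
from dataclasses import dataclass

# Constructed sample in Trivy's JSON layout; values mirror the post's report.
SAMPLE_TRIVY_REPORT = json.dumps({
    "ArtifactName": "sapse/abap-cloud-developer-trial",
    "Results": [
        {"Target": "8f49966c16f3 (sles 15.3)", "Class": "os-pkgs",
         "Type": "suse linux enterprise server"},  # no "Vulnerabilities" key when clean
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-52316", "PkgName": "org.apache.tomcat:tomcat-catalina",
             "PkgPath": "catalina.jar", "InstalledVersion": "9.0.90",
             "FixedVersion": "9.0.96, 10.1.30, 11.0.1", "Status": "fixed", "Severity": "CRITICAL",
             "Title": "tomcat: Apache Tomcat: Authentication bypass when using Jakarta Authentication API"},
            {"VulnerabilityID": "CVE-2025-24813", "PkgName": "org.apache.tomcat:tomcat-catalina",
             "PkgPath": "catalina.jar", "InstalledVersion": "9.0.90",
             "FixedVersion": "11.0.3, 10.1.35, 9.0.99", "Status": "fixed", "Severity": "CRITICAL",
             "Title": "tomcat: Potential RCE and/or information disclosure with partial PUT"},
        ]},
        {"Target": "usr/local/bin/abaptrialinit", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-24790", "PkgName": "stdlib", "InstalledVersion": "v1.20.4",
             "FixedVersion": "1.21.11, 1.22.4", "Status": "fixed", "Severity": "CRITICAL",
             "Title": "golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses"},
        ]},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Assumption: a Trivy "gobinary" target is a self-contained executable, so the
# consumer cannot fix it by dropping in a newer library; the owner must rebuild.
VENDOR_ONLY_TYPES = {"gobinary"}


@dataclass(frozen=True)
class Finding:
    target: str
    pkg_type: str
    package: str
    cve: str
    severity: str
    installed: str
    fixed: str

    @property
    def user_patchable(self) -> bool:
        """True when the consumer can remediate by replacing a library file."""
        return self.pkg_type not in VENDOR_ONLY_TYPES and bool(self.fixed)


def load_findings(report_json: str, min_severity: str = "CRITICAL") -> list[Finding]:
    """Flatten Results[].Vulnerabilities[] into Findings at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is absent for clean targets
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            if SEVERITY_RANK.get(sev, 0) < threshold:
                continue
            findings.append(Finding(
                target=result["Target"], pkg_type=result.get("Type", ""),
                package=vuln["PkgName"], cve=vuln["VulnerabilityID"], severity=sev,
                installed=vuln.get("InstalledVersion", ""), fixed=vuln.get("FixedVersion", ""),
            ))
    return findings


def policy_verdict(findings: list[Finding]) -> dict:
    """Apply the policy 'no image with findings at the threshold ships'."""
    patchable = sorted(f.cve for f in findings if f.user_patchable)
    vendor_only = sorted(f.cve for f in findings if not f.user_patchable)
    return {"blocked": bool(findings), "patchable": patchable, "vendor_only": vendor_only}


if __name__ == "__main__":
    found = load_findings(SAMPLE_TRIVY_REPORT)
    for f in found:
        print(f"{f.cve} {f.severity} {f.target} ({f.pkg_type}) {f.package} {f.installed} -> {f.fixed}")
    verdict = policy_verdict(found)
    print(json.dumps(verdict, indent=2))
    raise SystemExit(1 if verdict["blocked"] else 0)
```

Run against a real scan with `trivy image --format json -o report.json <image>` and pass the file contents to `load_findings`; a non-zero exit from the gate is what a CI step keys on. The `vendor_only` list is the set to raise with the image publisher, since no consumer-side file swap removes those findings.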