POC / Dockerfile.oracle ORACLE
# Edited by Sean Pesce from original source:
# https://github.com/oracle/docker-images/blob/4c60fd894234f6252f44b65ed6556b63523224d7/OracleJava/17/Dockerfile

# Copyright (c) 2020, 2022 Oracle and/or its affiliates.
#
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
#
# ORACLE DOCKERFILES PROJECT
# --------------------------
# This is the Dockerfile for Oracle JDK 17 on Oracle Linux 8
#
# REQUIRED FILES TO BUILD THIS IMAGE
# ----------------------------------
# This dockerfile will download a copy of JDK 17 from
#	https://download.oracle.com/java/17/latest/jdk-17_linux-<ARCH>_bin.tar.gz
# 
# It will use either x64 or aarch64 depending on the target platform
#
# HOW TO BUILD THIS IMAGE
# -----------------------
# Run:
#      $ docker build -t oracle/jdk:17 .
#
# This command is already scripted in build.sh so you can alternatively run
#		$ bash build.sh
#
# The builder image will be used to uncompress the tar.gz file with the Java Runtime.

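# Stage "builder": download the Oracle JDK 17 tarball, check it against the
# SHA-256 published next to it, and unpack it into $JAVA_HOME. Only $JAVA_HOME
# is copied out of this stage, so tar and the tarball never reach the final image.
FROM oraclelinux:8 AS builder

LABEL maintainer="Aurelio Garcia-Ribeyro <[email protected]>"

# The JDK ships as a tar.gz, so install tar first; gzip is already in oraclelinux:8.
RUN dnf install -y tar && dnf clean all

# Default to UTF-8 file.encoding
ENV LANG=en_US.UTF-8

# Download location and install prefix for the JDK.
# NOTE(review): ".../17/latest" resolves to whatever JDK 17 update Oracle
# currently publishes, so two builds of this file can contain different JDKs.
# If the reproduction depends on a specific update level, pin a versioned
# download URL and compare against a SHA-256 recorded in this file.
ENV JAVA_URL=https://download.oracle.com/java/17/latest \
	JAVA_HOME=/usr/java/jdk-17
# (Host name parsing mismatch between Spring and java.net.URI for Oracle Java versions 11-20)

# pipefail makes the `echo | sha256sum -c` pipeline fail when the check fails.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Java uses just "x64" (not "x86_64") in the tarball name; other architectures
# keep the name reported by `uname -m`.
#
# Integrity: the .sha256 file comes from the same host as the tarball, so the
# check catches a truncated or corrupted download but not a tampered origin;
# authenticity rests on TLS alone. curl is therefore restricted to HTTPS, and
# --fail turns an HTTP error page into a build failure instead of letting it be
# treated as a checksum or an archive. Every step is separated by `;` so that
# `set -e` aborts the build on the first failing command.
RUN set -eux; \
	ARCH="$(uname -m)"; \
	if [ "$ARCH" = "x86_64" ]; then \
		ARCH="x64"; \
	fi; \
	JAVA_PKG="$JAVA_URL"/jdk-17_linux-"${ARCH}"_bin.tar.gz; \
	JAVA_SHA256="$(curl --fail --silent --show-error --proto '=https' --tlsv1.2 "$JAVA_PKG".sha256)"; \
	curl --fail --silent --show-error --proto '=https' --tlsv1.2 --output /tmp/jdk.tgz "$JAVA_PKG"; \
	echo "$JAVA_SHA256 */tmp/jdk.tgz" | sha256sum -c; \
	mkdir -p "$JAVA_HOME"; \
	tar --extract --file /tmp/jdk.tgz --directory "$JAVA_HOME" --strip-components 1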
	
## Get a fresh version of OL8 for the final image	
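# Final image: Oracle Linux 8 + the JDK unpacked by the "builder" stage + the
# web app built from the project sources with Maven.
# NOTE(review): the tag is not pinned by digest, so the base can change between
# builds; add an @sha256 digest if the reproduction must be repeatable.
FROM oraclelinux:8

# Default to UTF-8 file.encoding
ENV LANG=en_US.UTF-8 \
	JAVA_HOME=/usr/java/jdk-17
# Separate instruction: $JAVA_HOME is only substituted once the ENV above has run.
ENV PATH=$JAVA_HOME/bin:$PATH

# Environment variable to indicate whether the server is running on Oracle Java or OpenJDK
ENV JAVA_TYPE=Oracle

# If you need the Java Version you can read it from the release file with
# JAVA_VERSION=$(sed -n '/^JAVA_VERSION="/{s///;s/"//;p;}' "$JAVA_HOME"/release);

# Copy the uncompressed Java Runtime from the builder image
COPY --from=builder $JAVA_HOME $JAVA_HOME

# OS packages, JDK alternatives and the runtime account, in one layer so the dnf
# cache is removed in the same layer that created it. This runs before the
# project sources are copied, so a source edit does not invalidate this layer.
#  - `dnf -y update` picks up the latest OL 8 updates available at build time.
#  - The JDK assumes freetype is available.
#  - `[ ! -e "/usr/bin/$base" ]` is an assertion: under `set -e` the build stops
#    if a JDK tool name is already present in /usr/bin. Maven is installed only
#    after the loop, as in the original file, so that whatever it pulls into
#    /usr/bin cannot trip that assertion.
#  - shadow-utils provides groupadd/useradd for the unprivileged runtime account.
# NOTE(review): Maven and the project sources remain in the final image; moving
# the Maven build into its own stage would keep both out of the runtime image.
RUN set -eux; \
	dnf -y update; \
	dnf install -y \
		fontconfig \
		freetype \
		shadow-utils \
	; \
	ln -sfT "$JAVA_HOME" /usr/java/default; \
	ln -sfT "$JAVA_HOME" /usr/java/latest; \
	for bin in "$JAVA_HOME/bin/"*; do \
		base="$(basename "$bin")"; \
		[ ! -e "/usr/bin/$base" ]; \
		alternatives --install "/usr/bin/$base" "$base" "$bin" 20000; \
	done; \
	dnf install -y maven; \
	rm -rf /var/cache/dnf; \
	groupadd --gid 10001 app; \
	useradd --uid 10001 --gid 10001 --no-create-home --home-dir /app --shell /sbin/nologin app

# Keep the project in its own directory instead of unpacking it over "/".
WORKDIR /app

# Copy project files to the container
# NOTE(review): this copies the whole build context; confirm a .dockerignore
# keeps .git, local build output and any credentials out of the image.
COPY . .

# Build web app with Maven (as root, so target/ is created inside /app)
RUN mvn clean package

# Run the web app as an unprivileged account so that a compromise of the app
# does not start out as root inside the container. The jar stays root-owned and
# world-readable.
# NOTE(review): assumes the app does not write to its working directory; confirm.
USER 10001:10001

# TCP port that the vulnerable web app will listen on.
# The app is the intentionally vulnerable target for CVE-2024-22243: publish the
# port on loopback only, e.g. `docker run -p 127.0.0.1:9999:9999 <image>`.
ENV PORT=9999
EXPOSE 9999

# Exec form with an explicit `exec`, so java replaces the shell, runs as PID 1
# and receives SIGTERM from `docker stop`; the shell is kept only to expand ${PORT}.
CMD ["/bin/sh", "-c", "exec java -jar target/spring-cve-2024-22243-0.1.0.jar ${PORT}"]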