Vulnerable openjdk-16-jdk Ubuntu package without patch #11

@chriswier

Description

Jobeinabox relies on Ubuntu 20.04's openjdk-16-jdk package, which is vulnerable to multiple CVEs as described at https://openjdk.java.net/groups/vulnerability/advisories/2021-07-20: CVE-2021-2388, CVE-2021-2369, and CVE-2021-2341. Ubuntu does not seem to be patching these CVEs, even though they are from July. Specifically, the openjdk-16-jdk release utilized in jobeinabox does not appear in their security tracker for any of the referenced CVEs. (See https://ubuntu.com/security/cve-2021-2388, https://ubuntu.com/security/cve-2021-2369, and https://ubuntu.com/security/cve-2021-2341.) These Medium priority security issues seem never to be addressed in a timely manner. These CVEs do show up in security scanning software suites quite frequently, and a freshly built container today contains these vulnerabilities.

I've made a pull request that addresses the issue by utilizing the Docker openjdk:16-jdk image as a layer instead of the built-in Ubuntu package. This is better maintained for security, and bumps the version to 16.0.2, which addresses these vulnerabilities. The Dockerfile now utilizes a multi-layer approach for building the image. See #10.

I did basic testing of the system and it seems to be working correctly with this change in my instance, but please perform some additional testing before merging this.
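As an added check (not part of this issue or of the jobeinabox project), the script below verifies that the JDK shipped inside a built image reports a version at or above 16.0.2, the release the issue names as carrying the fixes. It parses the first line of `java -version` output, compares dotted version numbers numerically, and exits non-zero when the image still carries an older JDK, so it can run as a gate in a container build pipeline. The banner strings embedded in it are constructed samples, the minimum version is taken from the issue, and invoking `docker run` on a named image is an assumption about how the check would be wired in.

```shell
#!/bin/sh
# Added example, not jobeinabox code: gate a container build on the JDK version
# reported by `java -version` inside the image.
# Assumptions: 16.0.2 is the minimum patched release (from the issue text), and the
# banner has the form: openjdk version "16.0.1" 2021-04-20

MIN_JDK_VERSION="16.0.2"

# Constructed sample banners (not captured from a real container):
SAMPLE_UBUNTU_PKG='openjdk version "16.0.1" 2021-04-20'
SAMPLE_DOCKER_IMG='openjdk version "16.0.2" 2021-07-20'

# Extract the quoted dotted version from a banner line; prints nothing if the
# line does not match (for example a 1.8.0_292 style banner, which has an underscore).
jdk_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^openjdk version "\([0-9][0-9.]*\)".*/\1/p'
}

# Numeric dotted-version comparison: returns 0 if $1 >= $2, 1 otherwise.
# Missing trailing components are treated as 0, so "17" >= "16.0.2".
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        nh = split(have, h, "."); nw = split(want, w, ".")
        n = (nh > nw) ? nh : nw
        for (i = 1; i <= n; i++) {
            a = (i <= nh) ? h[i] + 0 : 0
            b = (i <= nw) ? w[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# Classify one banner line: 0 = at or above the patched release,
# 1 = older than the patched release, 2 = banner could not be parsed.
jdk_status() {
    v=$(jdk_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_at_least "$v" "$MIN_JDK_VERSION"
}

# Usage: sh check-jdk.sh <image>   (assumption: docker CLI available on the host)
if [ -n "${1:-}" ]; then
    banner=$(docker run --rm "$1" java -version 2>&1 | head -n 1)
    if jdk_status "$banner"; then
        echo "OK: $banner"
    else
        echo "NEEDS ATTENTION: $banner (want >= $MIN_JDK_VERSION)"
        exit 1
    fi
fi
```

Run it with the image tag of a freshly built container; an exit status of 1 means the JDK inside is still older than 16.0.2 (or the banner was unrecognised), which is the condition the scanners mentioned in the issue flag.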
