Fixing vulnerabilities in the base image.

Daniel Scholl requested to merge vulnerabilities into master

Alpine Zulu8 Docker Image Updates

Summary

Updates Application Insights Agent version and improves Dockerfile structure for better maintainability, while addressing security vulnerabilities.

Changes

  • Application Insights Agent

    • Updated version from 3.5.2 to 3.6.2
    • Resolves security vulnerabilities:
      • Fixed CVE-2024-35255 (MEDIUM) in azure-identity and msal4j
        • azure-identity upgraded from 1.12.0 to ≥1.12.2
        • msal4j upgraded from 1.15.0 to ≥1.15.1
      • ⚠️ Note: CVE-2024-47535 (MEDIUM) in netty-common remains
        • Version improved from 4.1.109.Final to 4.1.114.Final
        • Full resolution requires netty-common 4.1.115
  • Dockerfile Structure

    • Split ZULU_DIR ARG into component parts for better version management:
      ARG ZULU_VERSION=8.70.0.23
      ARG ZULU_JRE_VERSION=8.0.372
      ARG ARCH=linux_musl_x64
    • Moved environment variables to explicit ENV declarations
    • Improved command formatting for better readability

Security Impact

  • Reduced total vulnerabilities from 3 MEDIUM to 1 MEDIUM
  • Eliminated privilege elevation vulnerability in Azure Identity components
  • Remaining vulnerability (netty DoS) only affects Windows deployments

Testing Completed

  • Successful Docker builds
  • JRE functionality verification
  • Application Insights Agent 3.6.2 installation
  • Multi-architecture compatibility (amd64/arm64)
  • Security scan verification

Related Links

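A way to re-check the version claims in the description above against a component inventory, as an added example that is not part of the merge request or the project's code. The fixed-in versions come from the description; the inventory dictionaries, the function names and the exact "after" versions for azure-identity and msal4j (the description only says ≥) are assumptions.

```python
import re

# Fixed-in versions as stated in the merge request description.
FIXED_IN = {
    "azure-identity": ("CVE-2024-35255", "1.12.2"),
    "msal4j": ("CVE-2024-35255", "1.15.1"),
    "netty-common": ("CVE-2024-47535", "4.1.115"),
}
RELEASE_QUALIFIERS = {"", "final", "release", "ga"}


def version_key(version):
    """Sortable key: numeric parts, then 1 for a release or 0 for a pre-release."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 1.12 and 1.12.0 as equal
        parts.pop()
    qualifier = version[m.end():].lstrip(".-").lower()
    # 4.1.114.Final is a release; 1.12.2-beta.1 sorts below 1.12.2.
    return tuple(parts), int(qualifier in RELEASE_QUALIFIERS)


def remaining_findings(inventory):
    """Return sorted (component, cve, found, needed) for components below the fix."""
    findings = []
    for name, found in inventory.items():
        if name not in FIXED_IN:
            continue
        cve, needed = FIXED_IN[name]
        if version_key(found) < version_key(needed):
            findings.append((name, cve, found, needed))
    return sorted(findings)


# Versions the description gives for agent 3.5.2.
BEFORE = {"azure-identity": "1.12.0", "msal4j": "1.15.0",
          "netty-common": "4.1.109.Final"}
# Constructed inventory for agent 3.6.2: lowest versions the description allows.
AFTER = {"azure-identity": "1.12.2", "msal4j": "1.15.1",
         "netty-common": "4.1.114.Final"}

if __name__ == "__main__":
    for row in remaining_findings(AFTER):
        print("still below fix:", row)
```

In a pipeline the inventory would come from the scanner or SBOM output for the built image, and a non-empty result would be reviewed against the accepted-risk note for netty-common.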