This release includes the following updates:
- Fix EKS Compatibility Issue: Resolved a startup inconsistency between root and rootless container images by setting OVERWRITE_ML_CONF=true and MARKLOGIC_EC2_HOST=0, ensuring consistent behavior across environments.
- Update Copyright Notices: Refreshed copyright strings to reflect the latest legal and organizational standards.
- Add libnsl Compatibility Workaround: Implemented a workaround to address compatibility issues with the libnsl package, enabling successful builds of UBI9-based images using the current package version.
Known Issues and Limitations
- The root image must be run in privileged mode. If the image isn't run as privileged, the calls that use sudo in the startup script will fail due to lack of required permissions, as the image will not be able to create a user with the required permissions. To run in non-privileged mode, use one of the "rootless" image options.
- Using the "leave" button in the Admin interface to remove a node from a cluster may not succeed, depending on your network configuration. Use the Management API to remove a node from a cluster. See: https://docs.marklogic.com/REST/DELETE/admin/v1/host-config.
- Rejoining a node to a cluster that it had previously left may not succeed.
- MarkLogic Server will default to the UTC timezone.
- The latest released version of the RedHat UBI images has known security vulnerabilities:
  - curl (CVE-2016-5420, CVE-2016-5419, CVE-2016-5421, CVE-2017-3604, CVE-2016-3418, CVE-2017-3605, CVE-2016-0694, CVE-2017-3607, CVE-2017-3608, CVE-2017-3606, CVE-2016-0689, CVE-2017-3609, CVE-2016-0692, CVE-2016-0682)
  - elfutils (CVE-2017-3610, CVE-2017-3611, CVE-2017-3612, CVE-2017-3613, CVE-2017-3614, CVE-2017-3615)
  - gawk (CVE-2017-3616)
  - gdb (CVE-2017-3617)
  - glibc (CVE-2016-5420, CVE-2016-5421, CVE-2016-5419)
  - libdb-utils (CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, CVE-2016-3418, CVE-2017-3604, CVE-2017-3605, CVE-2017-3606, CVE-2017-3607, CVE-2017-3608, CVE-2017-3609, CVE-2017-3610, CVE-2017-3611, CVE-2017-3612, CVE-2017-3613, CVE-2017-3614, CVE-2017-3615, CVE-2017-3616, CVE-2017-3617)
  - nspr (CVE-2016-1951)
  These packages are included in the RedHat UBI base images but, to date, no fixes have been made available. Although these libraries are present in the base image used by MarkLogic Server, they are not used by MarkLogic Server itself, so there is no impact and no mitigation is required.
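The statement above accepts a specific set of package/CVE pairs, not the CVE identifiers in isolation. The following added example (not part of the release notes or of the MarkLogic project) shows how a team might encode that acceptance when triaging container-scanner output: a finding is set aside only when both its package and its CVE match a documented pair, so the same CVE reported against a different package, or a new CVE against one of these packages, still goes to review. The scanner findings and the CVE-2099-0001 identifier are constructed placeholders; the package/CVE pairs are copied from the list above.

```python
"""Triage scanner findings against the vulnerabilities documented in the notes.

Added example, not the project's own code. SAMPLE_FINDINGS is constructed to
resemble a flattened scanner report; the accepted pairs come from the notes.
"""
from typing import Dict, FrozenSet, List, Tuple

Finding = Dict[str, str]

# Package -> CVEs the release notes state are present in the base image but
# not used by MarkLogic Server (copied from the notes, duplicates collapsed).
DOCUMENTED_UNUSED: Dict[str, FrozenSet[str]] = {
    "curl": frozenset({
        "CVE-2016-5420", "CVE-2016-5419", "CVE-2016-5421", "CVE-2017-3604",
        "CVE-2016-3418", "CVE-2017-3605", "CVE-2016-0694", "CVE-2017-3607",
        "CVE-2017-3608", "CVE-2017-3606", "CVE-2016-0689", "CVE-2017-3609",
        "CVE-2016-0692", "CVE-2016-0682",
    }),
    "elfutils": frozenset({
        "CVE-2017-3610", "CVE-2017-3611", "CVE-2017-3612", "CVE-2017-3613",
        "CVE-2017-3614", "CVE-2017-3615",
    }),
    "gawk": frozenset({"CVE-2017-3616"}),
    "gdb": frozenset({"CVE-2017-3617"}),
    "glibc": frozenset({"CVE-2016-5420", "CVE-2016-5421", "CVE-2016-5419"}),
    "libdb-utils": frozenset({
        "CVE-2016-0682", "CVE-2016-0689", "CVE-2016-0692", "CVE-2016-0694",
        "CVE-2016-3418", "CVE-2017-3604", "CVE-2017-3605", "CVE-2017-3606",
        "CVE-2017-3607", "CVE-2017-3608", "CVE-2017-3609", "CVE-2017-3610",
        "CVE-2017-3611", "CVE-2017-3612", "CVE-2017-3613", "CVE-2017-3614",
        "CVE-2017-3615", "CVE-2017-3616", "CVE-2017-3617",
    }),
    "nspr": frozenset({"CVE-2016-1951"}),
}


def is_documented(finding: Finding) -> bool:
    """True only when the (package, cve) pair appears in the release notes."""
    return finding["cve"] in DOCUMENTED_UNUSED.get(finding["package"], frozenset())


def triage(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (accepted per release notes, needs review)."""
    accepted = [f for f in findings if is_documented(f)]
    review = [f for f in findings if not is_documented(f)]
    return accepted, review


# Constructed sample: three documented pairs, one documented CVE against an
# undocumented package, and one placeholder CVE id that the notes never mention.
SAMPLE_FINDINGS: List[Finding] = [
    {"package": "curl", "cve": "CVE-2016-5420"},
    {"package": "glibc", "cve": "CVE-2016-5419"},
    {"package": "nspr", "cve": "CVE-2016-1951"},
    {"package": "openssl", "cve": "CVE-2016-1951"},  # same CVE, different package
    {"package": "curl", "cve": "CVE-2099-0001"},     # placeholder, not in the notes
]


def summarize(findings: List[Finding] = SAMPLE_FINDINGS) -> Dict[str, int]:
    accepted, review = triage(findings)
    return {"accepted": len(accepted), "review": len(review)}


if __name__ == "__main__":
    accepted, review = triage(SAMPLE_FINDINGS)
    for f in accepted:
        print(f"accepted (documented as unused): {f['package']} {f['cve']}")
    for f in review:
        print(f"NEEDS REVIEW: {f['package']} {f['cve']}")
```

Keying the accept-list on the pair rather than on the bare CVE is the point: the notes only vouch for these identifiers in these packages, and a future base-image update that pulls a listed CVE into a library MarkLogic Server does use should not be silently suppressed.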
- As part of the hardening process, the following packages are removed from the image: vim-minimal, cups-client, cups-libs, tar, python3-pip-wheel, platform-python, python3-libs, platform-python-setuptools, avahi-libs, binutils, expat, libarchive, python3, python-unversioned-command. These packages are not required for the operation of MarkLogic Server and are removed to reduce the attack surface of the image. If you require any of these packages, you can install them in your own Dockerfile.
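A quick way to confirm that a built image actually matches this list is to query the RPM database inside the image and compare the installed names against the packages the notes say were removed. The following is an added example, not part of the release notes or of the MarkLogic project; the rpm -qa output it parses is constructed, and the docker command in the docstring is an assumption about how you would obtain real output. Because python3 is itself removed from the image, the check runs outside the container.

```python
"""Check a hardened image for packages the release notes say were removed.

Added example, not the project's own code. Run it on the host, for instance:
    docker run --rm <image> rpm -qa > installed.txt
    python3 check_removed.py < installed.txt
SAMPLE_RPM_QA below is constructed and deliberately contains two packages
that should have been removed.
"""
import sys
from typing import Iterable, List, Set

# Packages the release notes list as removed during hardening.
REMOVED_PACKAGES: Set[str] = {
    "vim-minimal", "cups-client", "cups-libs", "tar", "python3-pip-wheel",
    "platform-python", "python3-libs", "platform-python-setuptools",
    "avahi-libs", "binutils", "expat", "libarchive", "python3",
    "python-unversioned-command",
}


def nevra_name(line: str) -> str:
    """Extract the package name from an `rpm -qa` line (name-version-release.arch).

    RPM version and release fields never contain '-', so everything before the
    last two hyphens is the name. Names may themselves contain hyphens
    (python3-libs), which is why a plain split on '-' would be wrong. Entries
    without an architecture suffix (gpg-pubkey-<id>-<id>) parse the same way.
    """
    return line.strip().rsplit("-", 2)[0]


def packages_still_present(rpm_qa_output: str,
                           removed: Iterable[str] = REMOVED_PACKAGES) -> List[str]:
    """Return the sorted subset of `removed` that is still installed."""
    installed = {nevra_name(l) for l in rpm_qa_output.splitlines() if l.strip()}
    return sorted(set(removed) & installed)


# Constructed sample of `rpm -qa` output; tar and python3-libs should be gone.
SAMPLE_RPM_QA = """\
bash-5.1.8-6.el9_1.x86_64
glibc-2.34-60.el9.x86_64
gpg-pubkey-fd431d51-4ae0493b
tar-1.34-6.el9_1.x86_64
python3-libs-3.9.16-1.el9.x86_64
"""


def main() -> int:
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_QA
    leftovers = packages_still_present(data)
    if leftovers:
        print("hardening check FAILED; still installed:", ", ".join(leftovers))
        return 1
    print("hardening check passed: none of the listed packages are installed")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit code lets the check gate an image-build pipeline: if a later base image or a local Dockerfile layer reintroduces one of these packages, the build fails instead of shipping a wider attack surface than the notes describe.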
- The hardening process scores the image at 96.67%. The remaining finding is that authselect is not used while files from the 'pam' package have been altered, so the authselect configuration will not be enforced. This finding is medium severity and is not applicable in a container environment, since no authentication is required to log in to a container.
- The cryptographic modules of RHEL 9 are not yet certified for the FIPS 140-3 requirements.