This repository has been archived by the owner on Apr 24, 2023. It is now read-only.
The image has CVE #53
Comments
+ @patrick Stephens ***@***.***>
…On Mon, 23 May 2022 at 05:34, Igor Gajsin ***@***.***> wrote:
Hi. I've tried to run the security scanner trivy
<https://github.com/aquasecurity/trivy> against the fluent/fluent-bit
image and it found multiple CVEs including critical ones.

How to reproduce

1. Install the vulnerability scanner trivy as described here:
   https://aquasecurity.github.io/trivy/v0.17.0/installation/
2. Run it against an image like:

```
trivy i --severity CRITICAL fluent/fluent-bit:1.8.11
2022-05-23T13:32:17.936+0200 INFO Detected OS: debian
2022-05-23T13:32:17.936+0200 INFO Detecting Debian vulnerabilities...
2022-05-23T13:32:17.938+0200 INFO Number of language-specific files: 0

fluent/fluent-bit:1.8.11 (debian 10.11)

Total: 4 (CRITICAL: 4)
```

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| libc6 | CVE-2021-33574 | CRITICAL | 2.28-10 | | glibc: mq_notify does not handle separately allocated thread attributes (https://avd.aquasec.com/nvd/cve-2021-33574) |
| libc6 | CVE-2021-35942 | CRITICAL | 2.28-10 | | glibc: Arbitrary read in wordexp() (https://avd.aquasec.com/nvd/cve-2021-35942) |
| libc6 | CVE-2022-23218 | CRITICAL | 2.28-10 | | glibc: Stack-based buffer overflow in svcunix_create via long pathnames (https://avd.aquasec.com/nvd/cve-2022-23218) |
| libc6 | CVE-2022-23219 | CRITICAL | 2.28-10 | | glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname (https://avd.aquasec.com/nvd/cve-2022-23219) |

Expected behavior

No CVEs (at least with HIGH or CRITICAL severity) found

Actual behavior

There are CVEs.
--
Eduardo Silva
Calyptia Inc. <https://calyptia.com>
https://fluentbit.io
https://twitter.com/edsiper
That's an old version and the CVE is in the base image, the Google distroless one. I would step up to the latest version to confirm and you can also verify by running a scan on the base image.

1.8.12+ includes a step up to Debian 11 but also any new release will pick up the latest base image at the time with CVE fixes.

If people need CVE fixes then they should be on latest: back porting of the OSS to pick them up is not supported (a service from a commercial provider though).
…On Thu, 26 May 2022, 23:08 Eduardo Silva, ***@***.***> wrote:
+ @patrick Stephens ***@***.***>
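The reproduction steps above (run trivy against the image) and the reply's advice (scan the base image too; findings without a distro fix only go away when the base image moves on) describe a workflow that is easier to reason about on the scanner's JSON output than on its rendered table. The following script is an added example, not code from this thread, from Trivy or from fluent-bit: it flattens a `trivy image --format json` report, gates on a severity threshold the way a CI job would, and splits blocking findings into "fixable" (Trivy reports a FixedVersion, so a package upgrade or rebuild removes them) versus "no fix" (inherited from the base image). The report layout it reads is assumed from Trivy's JSON output; `SAMPLE_REPORT` is constructed, the libc6 rows mirror the thread's findings and the `CVE-EXAMPLE-*` rows are placeholder identifiers.

```python
"""Triage a Trivy JSON report: gate on severity, separate fixable findings.

Added example; not code from the fluent-bit issue thread, Trivy or fluent-bit.
Assumes the layout of `trivy image --format json` output: a top-level "Results"
list, each entry carrying a "Vulnerabilities" list whose items have
VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity and Title.
SAMPLE_REPORT is constructed; CVE-EXAMPLE-* ids are placeholders.
"""
import json
from collections import Counter, defaultdict

# Trivy's severity labels, ranked so a threshold can be compared numerically.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/app:1.0",  # constructed image name
    "Results": [{
        "Target": "example/app:1.0 (debian 10.11)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-33574", "PkgName": "libc6",
             "InstalledVersion": "2.28-10", "FixedVersion": "", "Severity": "CRITICAL",
             "Title": "glibc: mq_notify does not handle separately allocated thread attributes"},
            {"VulnerabilityID": "CVE-2022-23218", "PkgName": "libc6",
             "InstalledVersion": "2.28-10", "FixedVersion": "", "Severity": "CRITICAL",
             "Title": "glibc: Stack-based buffer overflow in svcunix_create via long pathnames"},
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample1",  # placeholder
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH",
             "Title": "constructed finding with a distro fix available"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libexample1",  # placeholder
             "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "LOW",
             "Title": "constructed finding below the gate threshold"},
        ],
    }],
})


def load_findings(report_json):
    """Flatten a Trivy report into one plain dict per vulnerability."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null rather than [] for a target with no vulnerabilities.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "title": vuln.get("Title", ""),
            })
    return findings


def gate(findings, min_severity="HIGH"):
    """Return (passed, blocking); passed is False if anything is at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    blocking = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    return not blocking, blocking


def split_fixable(findings):
    """Separate findings the distro already fixed (an upgrade or rebuild removes them)
    from those with no FixedVersion, which persist until the base image itself moves on."""
    fixable = [f for f in findings if f["fixed"]]
    unfixed = [f for f in findings if not f["fixed"]]
    return fixable, unfixed


def upgrade_targets(findings):
    """Map each package with a fix to the fixed versions Trivy reported.
    Ordering Debian versions correctly needs dpkg's rules, so all versions are
    kept (sorted as strings) instead of being reduced to one 'latest' value."""
    targets = defaultdict(set)
    for f in findings:
        if f["fixed"]:
            targets[f["pkg"]].add(f["fixed"])
    return {pkg: sorted(versions) for pkg, versions in targets.items()}


def summarize(findings):
    """Per-severity counts, the numbers behind Trivy's 'Total: N (CRITICAL: M)' line."""
    return Counter(f["severity"] for f in findings)


def report(findings, min_severity="HIGH"):
    """Triage text, returned rather than printed so a caller can check it."""
    passed, blocking = gate(findings, min_severity)
    fixable, unfixed = split_fixable(blocking)
    lines = [f"gate {min_severity}+: {'PASS' if passed else 'FAIL'} ({len(blocking)} blocking)"]
    for f in fixable:
        lines.append(f"  fixable  {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']}")
    for f in unfixed:
        lines.append(f"  no fix   {f['id']} {f['pkg']} {f['installed']} (base image)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(load_findings(SAMPLE_REPORT)))
```

To use it on a real scan, run `trivy image --format json -o report.json <image>` and pass the file contents to `load_findings`; scanning the base image the same way and comparing the two `no fix` lists shows which findings are inherited rather than introduced by the image's own layers.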
OK, the latest image looks much better, no critical CVEs: https://pastebin.com/PwyiFP6A Probably can close the issue.