
Official fluentbit image has CVEs #300

Closed
igajsin opened this issue May 20, 2022 · 5 comments

Comments


igajsin commented May 20, 2022

Describe the bug

Hi. I've run a security check on the official fluentbit images and it found a lot of CVEs (including critical ones). See the example:

trivy i --severity CRITICAL kubesphere/fluent-bit:v1.8.11 
2022-05-20T17:17:03.235+0200    INFO    Detected OS: debian
2022-05-20T17:17:03.236+0200    INFO    Detecting Debian vulnerabilities...
2022-05-20T17:17:03.247+0200    INFO    Number of language-specific files: 1
2022-05-20T17:17:03.247+0200    INFO    Detecting gobinary vulnerabilities...

kubesphere/fluent-bit:v1.8.11 (debian 10.11)

Total: 6 (CRITICAL: 6)

┌───────────┬────────────────┬──────────┬───────────────────┬──────────────────┬──────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Installed Version │  Fixed Version   │                            Title                             │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2021-33574 │ CRITICAL │ 2.28-10           │                  │ glibc: mq_notify does not handle separately allocated thread │
│           │                │          │                   │                  │ attributes                                                   │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-33574                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2021-35942 │ CRITICAL │ 2.28-10           │                  │ glibc: Arbitrary read in wordexp()                           │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-35942                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2022-23218 │ CRITICAL │ 2.28-10           │                  │ glibc: Stack-based buffer overflow in svcunix_create via     │
│           │                │          │                   │                  │ long pathnames                                               │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-23218                   │
│           ├────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-23219 │          │                   │                  │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│           │                │          │                   │                  │ a long pathname                                              │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-23219                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2022-1292  │ CRITICAL │ 1.1.1d-0+deb10u7  │ 1.1.1n-0+deb10u2 │ openssl: c_rehash script allows command injection            │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-1292                    │
├───────────┤                │          │                   │                  │                                                              │
│ openssl   │                │          │                   │                  │                                                              │
│           │                │          │                   │                  │                                                              │
└───────────┴────────────────┴──────────┴───────────────────┴──────────────────┴──────────────────────────────────────────────────────────────┘

fluent-bit/bin/fluent-bit-watcher (gobinary)

Total: 0 (CRITICAL: 0)

I'm not sure this is the correct place to address the issue. If not, please tell me where I should create a bug report.

To Reproduce

Install the vulnerability scanner trivy as described here: https://aquasecurity.github.io/trivy/v0.17.0/installation/ . Then run it as:

trivy i --severity HIGH,CRITICAL kubesphere/fluent-bit:v1.9.3

Expected behavior

There are no CVEs, or at least no critical ones.

Your Environment

- Fluent Operator version: N/A
- Container Runtime: docker
- Operating system: N/A
- Kernel version: N/A

How did you install fluent operator?

helm

What happened?

My CI/CD pipeline is broken because the security check fails. But actually the question isn't about the pipeline, but about the CVEs I didn't expect to see here.

Your Error Log

N/A

Additional context

No response
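A CI gate that turns the scan above into a pass/fail step, added here as an illustration and not part of the issue or of the Fluent Operator project. It assumes the field names of trivy's JSON report (`trivy -f json`) and embeds a constructed report built from the findings in the table; note that the four glibc findings carry no Fixed Version, so filtering in the style of trivy's `--ignore-unfixed` removes them while the OpenSSL finding, which has a fix, still blocks.

```python
import json

# Constructed sample in the shape of trivy's JSON report (field names assumed from
# the trivy schema), populated with the findings reported in this issue.
SAMPLE_REPORT = json.loads("""
{"ArtifactName": "kubesphere/fluent-bit:v1.8.11",
 "Results": [{"Target": "kubesphere/fluent-bit:v1.8.11 (debian 10.11)", "Class": "os-pkgs",
   "Vulnerabilities": [
     {"VulnerabilityID": "CVE-2021-33574", "PkgName": "libc6", "InstalledVersion": "2.28-10", "FixedVersion": "", "Severity": "CRITICAL"},
     {"VulnerabilityID": "CVE-2021-35942", "PkgName": "libc6", "InstalledVersion": "2.28-10", "FixedVersion": "", "Severity": "CRITICAL"},
     {"VulnerabilityID": "CVE-2022-23218", "PkgName": "libc6", "InstalledVersion": "2.28-10", "FixedVersion": "", "Severity": "CRITICAL"},
     {"VulnerabilityID": "CVE-2022-23219", "PkgName": "libc6", "InstalledVersion": "2.28-10", "FixedVersion": "", "Severity": "CRITICAL"},
     {"VulnerabilityID": "CVE-2022-1292", "PkgName": "libssl1.1", "InstalledVersion": "1.1.1d-0+deb10u7", "FixedVersion": "1.1.1n-0+deb10u2", "Severity": "CRITICAL"},
     {"VulnerabilityID": "CVE-2022-1292", "PkgName": "openssl", "InstalledVersion": "1.1.1d-0+deb10u7", "FixedVersion": "1.1.1n-0+deb10u2", "Severity": "CRITICAL"}
   ]},
  {"Target": "fluent-bit/bin/fluent-bit-watcher", "Class": "lang-pkgs", "Type": "gobinary", "Vulnerabilities": []}]}
""")

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def blocking_findings(report, min_severity="HIGH", ignore_unfixed=False, allowlist=()):
    """Return the findings that should fail the pipeline.
    min_severity: lowest severity that blocks (mirrors trivy --severity).
    ignore_unfixed: skip findings with no FixedVersion (mirrors trivy --ignore-unfixed);
        those cannot be cleared by a package upgrade, only by a newer base image.
    allowlist: CVE ids that were reviewed and accepted (mirrors a .trivyignore file).
    """
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if v["VulnerabilityID"] in allowlist:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            blocking.append((result["Target"], v["PkgName"], v["VulnerabilityID"], v.get("FixedVersion") or "none"))
    return blocking

def gate(report, **kwargs):
    """Exit status for the CI step: 0 when nothing blocks, 1 otherwise; prints the summary."""
    findings = blocking_findings(report, **kwargs)
    for target, pkg, cve, fixed in findings:
        print(f"BLOCK {target}: {pkg} {cve} (fixed in: {fixed})")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT, min_severity="CRITICAL", ignore_unfixed=True))
```

In a real pipeline the report would come from `trivy image -f json -o report.json <image>` instead of the embedded sample; the unfixed glibc findings are a base-image problem that only a rebuild on a newer Debian image clears.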

@wenchajun
Member

Thank you for your feedback. I would like to ask: is there an appeal bug in the fluent community images?

@benjaminhuo
Member

@igajsin Would you test the official fluent bit image fluent/fluent-bit:1.8.11 to see if the official image has the same problem?

@igajsin
Author

igajsin commented May 23, 2022

Yes, it has.

trivy i --severity CRITICAL fluent/fluent-bit:1.8.11
2022-05-23T11:49:28.334+0200    INFO    Detected OS: debian
2022-05-23T11:49:28.334+0200    INFO    Detecting Debian vulnerabilities...
2022-05-23T11:49:28.336+0200    INFO    Number of language-specific files: 0

fluent/fluent-bit:1.8.11 (debian 10.11)

Total: 6 (CRITICAL: 6)

┌───────────┬────────────────┬──────────┬───────────────────┬──────────────────┬──────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Installed Version │  Fixed Version   │                            Title                             │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2021-33574 │ CRITICAL │ 2.28-10           │                  │ glibc: mq_notify does not handle separately allocated thread │
│           │                │          │                   │                  │ attributes                                                   │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-33574                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2021-35942 │ CRITICAL │ 2.28-10           │                  │ glibc: Arbitrary read in wordexp()                           │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-35942                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2022-23218 │ CRITICAL │ 2.28-10           │                  │ glibc: Stack-based buffer overflow in svcunix_create via     │
│           │                │          │                   │                  │ long pathnames                                               │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-23218                   │
│           ├────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-23219 │          │                   │                  │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│           │                │          │                   │                  │ a long pathname                                              │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-23219                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2022-1292  │ CRITICAL │ 1.1.1d-0+deb10u7  │ 1.1.1n-0+deb10u2 │ openssl: c_rehash script allows command injection            │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-1292                    │
├───────────┤                │          │                   │                  │                                                              │
│ openssl   │                │          │                   │                  │                                                              │
│           │                │          │                   │                  │                                                              │
└───────────┴────────────────┴──────────┴───────────────────┴──────────────────┴──────────────────────────────────────────────────────────────┘

So I'll re-address the issue in their repository.

@benjaminhuo
Member

@igajsin I think you can try the latest fluent/fluent-bit:1.9.3 release, and if it still has the same problem you can open an issue in the fluent-bit repo.

@igajsin
Author

igajsin commented May 23, 2022

There is a new issue in the fluent-bit repo: fluent/fluent-bit-docker-image#53. Thanks for your support.

@igajsin igajsin closed this as completed May 23, 2022