
The image has CVE

Open igajsin opened this issue 3 years ago • 3 comments

Hi. I've tried to run the security scanner trivy against the fluent/fluent-bit image and it found multiple CVEs including critical ones.

How to reproduce

  1. Install the vulnerability scanner trivy like described here https://aquasecurity.github.io/trivy/v0.17.0/installation/
  2. Run it against an image like
trivy i --severity CRITICAL fluent/fluent-bit:1.8.11
2022-05-23T13:32:17.936+0200    INFO    Detected OS: debian
2022-05-23T13:32:17.936+0200    INFO    Detecting Debian vulnerabilities...
2022-05-23T13:32:17.938+0200    INFO    Number of language-specific files: 0

fluent/fluent-bit:1.8.11 (debian 10.11)

Total: 4 (CRITICAL: 4)

┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2021-33574 │ CRITICAL │ 2.28-10           │               │ glibc: mq_notify does not handle separately allocated thread │
│         │                │          │                   │               │ attributes                                                   │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-33574                   │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2021-35942 │ CRITICAL │ 2.28-10           │               │ glibc: Arbitrary read in wordexp()                           │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-35942                   │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2022-23218 │ CRITICAL │ 2.28-10           │               │ glibc: Stack-based buffer overflow in svcunix_create via     │
│         │                │          │                   │               │ long pathnames                                               │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-23218                   │
│         ├────────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2022-23219 │          │                   │               │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│         │                │          │                   │               │ a long pathname                                              │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-23219                   │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Expected behavior

No CVEs (at least with HIGH or CRITICAL severity) found

Actual behavior

There are CVEs.

igajsin avatar May 23 '22 11:05 igajsin

@Patrick Stephens


edsiper avatar May 26 '22 22:05 edsiper

That's an old version and the CVE is in the base image, the Google distroless one. I would step up to the latest version to confirm and you can also verify by running a scan on the base image.

1.8.12+ includes a step up to Debian 11 but also any new release will pick up the latest base image at the time with CVE fixes.

If people need CVE fixes then they should be on latest: backporting of the OSS to pick them up is not supported (a service from a commercial provider though).


edsiper avatar May 27 '22 07:05 edsiper
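As an added example (not code from this thread or the fluent-bit project), the triage Patrick suggests, done on trivy's JSON output: scan the application image and the image its Dockerfile builds FROM, then sort every HIGH/CRITICAL finding into "inherited from the base image" versus "introduced by the application layers", and flag findings with no fixed version, which only a newer base release can clear. The trivy invocations in the docstring are assumed and not run here; the two reports are constructed inline to mirror the scan above, with one placeholder CVE id added to show the app-specific bucket.

```python
"""Triage trivy findings: which HIGH/CRITICAL CVEs are inherited from the base image?

Assumed inputs (not run here), e.g.:
  trivy image -f json -o app.json fluent/fluent-bit:1.8.11
  trivy image -f json -o base.json <image named in the Dockerfile's FROM line>
"""
import json

GATE = {"HIGH", "CRITICAL"}

def findings(report):
    """Index every vulnerability in a trivy JSON report by (package, CVE id)."""
    index = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            index[(vuln["PkgName"], vuln["VulnerabilityID"])] = vuln
    return index

def triage(app_report, base_report, gate=GATE):
    """Split the app image's gated findings into those also present in the base image
    (fixed by rebasing, not by patching the app layers) and those the app layers added.
    Findings with an empty FixedVersion are also listed under no_fix: upgrading the
    package cannot remove them; only a newer distribution release (e.g. Debian 11) can."""
    base = findings(base_report)
    summary = {"inherited": [], "app_specific": [], "no_fix": []}
    for key, vuln in sorted(findings(app_report).items()):
        if vuln.get("Severity") not in gate:
            continue
        summary["inherited" if key in base else "app_specific"].append(key[1])
        if not vuln.get("FixedVersion"):
            summary["no_fix"].append(key[1])
    return summary

def _vuln(cve, severity, pkg="libc6", fixed=""):
    return {"VulnerabilityID": cve, "PkgName": pkg, "InstalledVersion": "2.28-10",
            "FixedVersion": fixed, "Severity": severity}

# Constructed sample reports in trivy's JSON layout, mirroring the scan in this thread.
APP_REPORT = {"Results": [{"Target": "fluent/fluent-bit:1.8.11 (debian 10.11)", "Vulnerabilities": [
    _vuln("CVE-2021-33574", "CRITICAL"), _vuln("CVE-2021-35942", "CRITICAL"),
    _vuln("CVE-2022-23218", "CRITICAL"), _vuln("CVE-2022-23219", "CRITICAL"),
    _vuln("CVE-0000-0000", "HIGH", pkg="example-lib", fixed="1.0-2")]}]}  # placeholder id
BASE_REPORT = {"Results": [{"Target": "base image (debian 10.11)", "Vulnerabilities": [
    _vuln("CVE-2021-33574", "CRITICAL"), _vuln("CVE-2021-35942", "CRITICAL"),
    _vuln("CVE-2022-23218", "CRITICAL"), _vuln("CVE-2022-23219", "CRITICAL")]}]}

if __name__ == "__main__":
    print(json.dumps(triage(APP_REPORT, BASE_REPORT), indent=2))
```

In a CI gate, fail the build on a non-empty app_specific list and treat inherited findings as a signal to move to a newer base image rather than to patch the application layers.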

OK, the latest image looks much better, no critical CVEs: https://pastebin.com/PwyiFP6A

Probably can close the issue.

igajsin avatar Jun 09 '22 12:06 igajsin