
CVEs in 1.9.3

Open mpcarl opened this issue 3 years ago • 1 comment

CVE-2022-29155 and CVE-2022-1292 are being reported as CVEs in the 1.9.3 release.

trivy i --severity CRITICAL kubesphere/fluent-bit:v1.9.3
2022-05-25T08:55:05.511+0200	INFO	Detected OS: debian
2022-05-25T08:55:05.511+0200	INFO	Detecting Debian vulnerabilities...
2022-05-25T08:55:05.532+0200	INFO	Number of language-specific files: 1
2022-05-25T08:55:05.532+0200	INFO	Detecting gobinary vulnerabilities...

kubesphere/fluent-bit:v1.9.3 (debian 11.3)

Total: 3 (CRITICAL: 3)

┌───────────────┬────────────────┬──────────┬───────────────────┬───────────────────────┬───────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Installed Version │     Fixed Version     │                       Title                       │
├───────────────┼────────────────┼──────────┼───────────────────┼───────────────────────┼───────────────────────────────────────────────────┤
│ libldap-2.4-2 │ CVE-2022-29155 │ CRITICAL │ 2.4.57+dfsg-3     │ 2.4.57+dfsg-3+deb11u1 │ openldap: OpenLDAP SQL injection                  │
│               │                │          │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-29155        │
├───────────────┼────────────────┤          ├───────────────────┼───────────────────────┼───────────────────────────────────────────────────┤
│ libssl1.1     │ CVE-2022-1292  │          │ 1.1.1n-0+deb11u1  │ 1.1.1n-0+deb11u2      │ openssl: c_rehash script allows command injection │
│               │                │          │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-1292         │
├───────────────┤                │          │                   │                       │                                                   │
│ openssl       │                │          │                   │                       │                                                   │
│               │                │          │                   │                       │                                                   │
└───────────────┴────────────────┴──────────┴───────────────────┴───────────────────────┴───────────────────────────────────────────────────┘

fluent-bit/bin/fluent-bit-watcher (gobinary)

Total: 0 (CRITICAL: 0)

mpcarl May 25 '22 06:05

I was able to rebuild the image manually using the fluent-bit repo with no CVEs on macOS to produce the multi-architecture image by following the Dockerfiles README.

  1. Install Docker Desktop and QEMU
# Docker Desktop via Web
brew install qemu
  2. Pull down the repo
git clone https://github.com/fluent/fluent-bit.git
cd fluent-bit   # the paths below are relative to the repo root
  3. Run the docker buildx command
docker buildx build \
  --platform "linux/amd64,linux/arm64,linux/arm/v7" \
  -f ./dockerfiles/Dockerfile.multiarch \
  --build-arg FLB_MAJOR=1 \
  --build-arg FLB_MINOR=9 \
  --build-arg FLB_PATCH=3 \
  --build-arg FLB_VERSION=1.9.3 \
  --build-arg FLB_TARBALL=https://github.com/fluent/fluent-bit/archive/v1.9.3.tar.gz \
  --push \
  -t local-registry-app.REDACTED:1234/fluent/fluent-bit:1.9.3-vuln.1 \
  ./dockerfiles/
  4. Test that the new image works
❯ docker run -it local-registry-app.REDACTED:1234/fluent/fluent-bit:1.9.3-vuln.1 -i cpu -o stdout -f 1
Fluent Bit v1.9.3
* Copyright (C) 2015-2022 The Fluent Bit Authors
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io

[2022/05/31 21:37:16] [ info] [fluent bit] version=1.9.3, commit=, pid=1
[2022/05/31 21:37:16] [ info] [storage] version=1.2.0, type=memory-only, sync=normal, checksum=disabled, max_chunks_up=128
[2022/05/31 21:37:16] [ info] [cmetrics] version=0.3.1
[2022/05/31 21:37:16] [ info] [sp] stream processor started
[2022/05/31 21:37:16] [ info] [output:stdout:stdout.0] worker #0 started
[0] cpu.0: [1654033037.481061337, {"cpu_p"=>18.200000, "user_p"=>10.400000, "system_p"=>7.800000, "cpu0.p_cpu"=>21.000000, "cpu0.p_user"=>12.000000, "cpu0.p_system"=>9.000000, "cpu1.p_cpu"=>6.000000, "cpu1.p_user"=>5.000000, "cpu1.p_system"=>1.000000, "cpu2.p_cpu"=>23.000000, "cpu2.p_user"=>13.000000, "cpu2.p_system"=>10.000000, "cpu3.p_cpu"=>17.000000, "cpu3.p_user"=>9.000000, "cpu3.p_system"=>8.000000, "cpu4.p_cpu"=>25.000000, "cpu4.p_user"=>13.000000, "cpu4.p_system"=>12.000000}]
  5. Validate with Trivy
trivy i --ignore-unfixed --severity CRITICAL local-registry-app.REDACTED:1234/fluent/fluent-bit:1.9.3-vuln.1
2022-05-31T23:05:05.832+0100    INFO    Detected OS: debian
2022-05-31T23:05:05.832+0100    INFO    Detecting Debian vulnerabilities...
2022-05-31T23:05:05.877+0100    INFO    Number of language-specific files: 0

local-registry-app.REDACTED:1234/fluent/fluent-bit:1.9.3-vuln.1 (debian 11.3)
==============================================================================
Total: 0 (CRITICAL: 0)

meehanman May 31 '22 22:05
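As an added example (not code from this issue thread or the fluent-bit project), a small CI gate that applies the same `--severity CRITICAL --ignore-unfixed` filter used in the scans above to Trivy's JSON output and fails while either CVE named in the issue is still present. The field names are those `trivy image --format json` emits; the two embedded reports are constructed to mirror the table in the issue and the clean rebuild, not real scanner output.

```python
import json

# CVEs the issue reports against kubesphere/fluent-bit:v1.9.3
ISSUE_CVES = {"CVE-2022-29155", "CVE-2022-1292"}
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's JSON layout, modelled on the table in the issue.
# A clean target (the gobinary result) simply has no Vulnerabilities key.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "kubesphere/fluent-bit:v1.9.3 (debian 11.3)", "Type": "debian",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2022-29155", "PkgName": "libldap-2.4-2", "Severity": "CRITICAL",
          "InstalledVersion": "2.4.57+dfsg-3", "FixedVersion": "2.4.57+dfsg-3+deb11u1"},
         {"VulnerabilityID": "CVE-2022-1292", "PkgName": "libssl1.1", "Severity": "CRITICAL",
          "InstalledVersion": "1.1.1n-0+deb11u1", "FixedVersion": "1.1.1n-0+deb11u2"},
         {"VulnerabilityID": "CVE-2022-1292", "PkgName": "openssl", "Severity": "CRITICAL",
          "InstalledVersion": "1.1.1n-0+deb11u1", "FixedVersion": "1.1.1n-0+deb11u2"},
         # constructed placeholder HIGH finding with no fix: hidden by --ignore-unfixed
         {"VulnerabilityID": "CVE-0000-0000", "PkgName": "libexample", "Severity": "HIGH",
          "InstalledVersion": "1.0", "FixedVersion": ""}]},
    {"Target": "fluent-bit/bin/fluent-bit-watcher", "Type": "gobinary"}]})
# Constructed report for a rebuilt image with nothing left to report.
CLEAN_REPORT = json.dumps({"Results": [
    {"Target": "fluent-bit:1.9.3-vuln.1 (debian 11.3)", "Type": "debian"}]})

def findings(report_json, min_severity="CRITICAL", ignore_unfixed=True):
    """Return (package, cve, installed, fixed) tuples at or above min_severity,
    mirroring `trivy image --severity ... [--ignore-unfixed]`."""
    floor = SEVERITY_RANK[min_severity]
    out = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < floor:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue  # no distro fix yet: a rebuild cannot change this
            out.append((v["PkgName"], v["VulnerabilityID"],
                        v["InstalledVersion"], v["FixedVersion"]))
    return out

def image_passes(report_json):
    """CI gate: no fixable CRITICAL left, and neither CVE from the issue present
    at any severity (so a later severity downgrade cannot mask them)."""
    every = {f[1] for f in findings(report_json, "UNKNOWN", ignore_unfixed=False)}
    return not findings(report_json) and not (ISSUE_CVES & every)

if __name__ == "__main__":
    for pkg, cve, inst, fix in findings(SAMPLE_REPORT):
        print(f"{pkg:14} {cve:15} {inst} -> {fix}")
```

In a pipeline, feed the output of `trivy image --format json <image>` to `image_passes` and fail the job when it returns False.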