Security Vulnerabilities

[squarerootwik]

Name and Version

bitnami/fluent-bit: 1.9.9

What steps will reproduce the bug?

Vulnerabilities scanned by PRISMA tool

What is the expected behavior?

No response

What do you see instead?

Our Security Scanning tools have identified CVEs in the following components listed. Can you please review this and provide an update on the following:

Documentation that explains the mitigation strategy that we can apply to reduce the severity level
Details on when is this going to be fixed with the expected version number

Component	Version	Vulnerability	Severity
ncurses	6.2+20201114-2	CVE-2022-29458	low
openssl	1.1.1n-0+deb11u3	CVE-2022-2097	low
e2fsprogs	1.46.2-2	CVE-2022-1304	low
libsepol	3.1-1	CVE-2021-36087	low
libsepol	3.1-1	CVE-2021-36086	low
libsepol	3.1-1	CVE-2021-36085	low
libsepol	3.1-1	CVE-2021-36084	low
libgcrypt20	1.8.7-6	CVE-2021-33560	low
db5.3	5.3.28+dfsg1-0.8	CVE-2019-8457	low
perl	5.32.1-4+deb11u2	CVE-2020-16156	low
coreutils	8.32-4	CVE-2016-2781	low

[carrodher]

Hi, unfortunately, those security vulnerabilities are not fixed by the OS or the application itself, so although we built the images on a regular basis to provide the latest version of system packages, this kind of CVE will be reported while there is no new version patching the issue in the OS or the application.

$ trivy image --ignore-unfixed bitnami/fluent-bit:1.9.9
2022-10-03T16:56:29.453Z	INFO	Vulnerability scanning is enabled
2022-10-03T16:56:29.453Z	INFO	Secret scanning is enabled
2022-10-03T16:56:29.453Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-03T16:56:29.453Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-03T16:56:29.670Z	INFO	Detected OS: debian
2022-10-03T16:56:29.670Z	INFO	Detecting Debian vulnerabilities...
2022-10-03T16:56:29.682Z	INFO	Number of language-specific files: 0

bitnami/fluent-bit:1.9.9 (debian 11.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

The Bitnami Application Catalog (OpenSource) is based on Debian 11 but Bitnami, as part of VMware, provides a custom container and Helm Charts catalog based on the desired base image (generic distro such as Debian 10 & 11, CentOS 7, PhotonOS 3 & 4, Ubuntu 18.04, 20.04 & 22.04, or custom golden image) through the VMware Tanzu Application Catalog.

[carrodher]

Please note this is the same answer provided in other tickets you have opened in the last month:

• Security Vulnerabilities #5849
• Security Vulnerabilities #5850
• Security Vulnerabilities #2756

Please, report only any issue that is a real issue and not something not fixable by the distro or the application itself.