
Security Vulnerabilities #8765

Closed
squarerootwik opened this issue Oct 3, 2022 · 2 comments
Labels: fluent-bit, solved, tech-issues (The user has a technical issue about an application), triage (Triage is needed)

Comments


squarerootwik commented Oct 3, 2022

Name and Version

bitnami/fluent-bit: 1.9.9

What steps will reproduce the bug?

Vulnerabilities scanned by PRISMA tool

What is the expected behavior?

No response

What do you see instead?

Our Security Scanning tools have identified CVEs in the components listed below. Can you please review this and provide an update on the following:

- Documentation that explains the mitigation strategy that we can apply to reduce the severity level
- Details on when this is going to be fixed, with the expected version number

| Component | Version | Vulnerability | Severity |
|---|---|---|---|
| ncurses | 6.2+20201114-2 | CVE-2022-29458 | low |
| openssl | 1.1.1n-0+deb11u3 | CVE-2022-2097 | low |
| e2fsprogs | 1.46.2-2 | CVE-2022-1304 | low |
| libsepol | 3.1-1 | CVE-2021-36087 | low |
| libsepol | 3.1-1 | CVE-2021-36086 | low |
| libsepol | 3.1-1 | CVE-2021-36085 | low |
| libsepol | 3.1-1 | CVE-2021-36084 | low |
| libgcrypt20 | 1.8.7-6 | CVE-2021-33560 | low |
| db5.3 | 5.3.28+dfsg1-0.8 | CVE-2019-8457 | low |
| perl | 5.32.1-4+deb11u2 | CVE-2020-16156 | low |
| coreutils | 8.32-4 | CVE-2016-2781 | low |
@squarerootwik squarerootwik added the tech-issues The user has a technical issue about an application label Oct 3, 2022
@github-actions github-actions bot added the triage Triage is needed label Oct 3, 2022
@carrodher (Member) commented

Hi, unfortunately, those security vulnerabilities are not fixed by the OS or the application itself, so although we build the images on a regular basis to provide the latest version of system packages, this kind of CVE will be reported while there is no new version patching the issue in the OS or the application.

```
$ trivy image --ignore-unfixed bitnami/fluent-bit:1.9.9
2022-10-03T16:56:29.453Z	INFO	Vulnerability scanning is enabled
2022-10-03T16:56:29.453Z	INFO	Secret scanning is enabled
2022-10-03T16:56:29.453Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-03T16:56:29.453Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-03T16:56:29.670Z	INFO	Detected OS: debian
2022-10-03T16:56:29.670Z	INFO	Detecting Debian vulnerabilities...
2022-10-03T16:56:29.682Z	INFO	Number of language-specific files: 0

bitnami/fluent-bit:1.9.9 (debian 11.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```

The Bitnami Application Catalog (OpenSource) is based on Debian 11 but Bitnami, as part of VMware, provides a custom container and Helm Charts catalog based on the desired base image (generic distro such as Debian 10 & 11, CentOS 7, PhotonOS 3 & 4, Ubuntu 18.04, 20.04 & 22.04, or custom golden image) through the VMware Tanzu Application Catalog.
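The maintainer's point is that `--ignore-unfixed` hides findings for which the distribution ships no patched package, so a rebuild cannot remove them. The script below, an added example that is not part of this thread or of Bitnami's tooling, performs that triage on a scanner report: findings with a fixed version are actionable (upgrade or rebuild), findings without one are tracked rather than chased. The field names (`Results[].Vulnerabilities[].FixedVersion` and friends) are modelled on Trivy's JSON output and are an assumption to adjust for another scanner; the embedded report is constructed, reusing three CVE/package pairs from the issue and one placeholder entry (`CVE-0000-0000`, `example-pkg`) that does have a fix.

```python
"""Triage scanner findings by whether the distro ships a fix.

Added example, not from the issue thread or from Bitnami. The input format is
modelled on Trivy's JSON report (`trivy image -f json ...`); the field names are
an assumption. The sample report is constructed: the CVE/package pairs come from
the issue, the "fixed" finding is a placeholder.
"""
import json
from collections import Counter

# Constructed sample: the page's findings carry no FixedVersion (no distro
# patch exists), plus one placeholder finding that does have a fix.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "bitnami/fluent-bit:1.9.9",
    "Results": [{
        "Target": "bitnami/fluent-bit:1.9.9 (debian 11.5)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-29458", "PkgName": "ncurses",
             "InstalledVersion": "6.2+20201114-2", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-2022-2097", "PkgName": "openssl",
             "InstalledVersion": "1.1.1n-0+deb11u3", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-2021-36087", "PkgName": "libsepol",
             "InstalledVersion": "3.1-1", "Severity": "LOW"},
            # Placeholder finding with an available fix (not from the issue).
            {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example-pkg",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
             "Severity": "HIGH"},
        ],
    }],
})


def load_findings(report_json):
    """Flatten a report into (target, vulnerability dict) pairs."""
    report = json.loads(report_json)
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def split_by_fix_availability(report_json):
    """Return (actionable, unfixed): findings with and without an upstream fix.

    An empty or absent FixedVersion means the distro has no patched package;
    that is the set `--ignore-unfixed` drops, which is why the maintainer's
    scan of this image reports Total: 0.
    """
    actionable, unfixed = [], []
    for _, vuln in load_findings(report_json):
        if vuln.get("FixedVersion"):
            actionable.append(vuln)
        else:
            unfixed.append(vuln)
    return actionable, unfixed


def summarize(findings):
    """Severity histogram, in the spirit of Trivy's 'Total: N (LOW: x, ...)'."""
    return dict(Counter(v.get("Severity", "UNKNOWN") for v in findings))


def format_row(vuln):
    """One aligned line per finding, naming the fix state explicitly."""
    return "{:<12} {:<20} {:<16} {:<8} {}".format(
        vuln["PkgName"], vuln["InstalledVersion"], vuln["VulnerabilityID"],
        vuln.get("Severity", "UNKNOWN"),
        vuln.get("FixedVersion") or "(no fix in distro)")


if __name__ == "__main__":
    actionable, unfixed = split_by_fix_availability(SAMPLE_REPORT)
    print("Actionable (fix available; upgrade the package or rebuild the image):")
    for v in actionable:
        print("  " + format_row(v))
    print("Unfixed (no distro patch; track rather than rebuild):", summarize(unfixed))
    for v in unfixed:
        print("  " + format_row(v))
```

Running it prints one actionable finding and three unfixed ones; pointing `split_by_fix_availability` at a real `trivy image -f json` report gives the same split that `--ignore-unfixed` produces on the command line, with the unfixed set kept visible for tracking instead of discarded.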

@carrodher (Member) commented

Please note this is the same answer provided in other tickets you have opened in the last month:

Please report only issues that are real issues, and not something that is not fixable by the distro or the application itself.
