Hi, I'd like to deploy Cortex at my organisation, however our security department is enforcing a zero-log4shell policy.
We use syft and grype in CI to check images for these blacklisted vulnerabilities.
Unfortunately your Cortex image's latest tag, 3.1.4, has several hits.
Steps to Reproduce
# I'm showing here only the lines that match our blacklist
GRYPE_CVE_BLACKLIST_REGEX="CVE-2021-45105|GHSA-p6xc-xr62-6r2g|CVE-2021-45046|GHSA-7rjr-3q55-vv33|CVE-2021-44832|GHSA-8489-44mv-ggj8|CVE-2021-44228|GHSA-jfh8-c2jp-5v3q|CVE-2021-42550|GHSA-668q-qrv7-99fm|CVE-2021-4104|GHSA-fp5r-v3w9-4333|CVE-2020-9488|CVE-2019-17571|CVE-2017-5645"
grype thehiveproject/cortex:3.1.4 | grep -E "${GRYPE_CVE_BLACKLIST_REGEX}"
# columns: NAME  INSTALLED  FIXED-IN  VULNERABILITY  SEVERITY
log4j-api                                  2.17.0  2.17.1  GHSA-8489-44mv-ggj8  Medium
log4j-api                                  2.17.0          CVE-2021-44832       Medium
log4j-to-slf4j                             2.17.0          CVE-2021-44832       Medium
logback-core                               1.2.3           GHSA-668q-qrv7-99fm  Medium
org.apache.logging.log4j.log4j-api         2.17.0          CVE-2021-44832       Medium
org.apache.logging.log4j.log4j-to-slf4j    2.17.0          CVE-2021-44832       Medium
Possible Solutions
Update all the log4j dependencies from 2.17.0 to 2.17.1
Update logback-core to 1.2.10
If you can't run these updates, can you advise on the importance of these libraries? If they are not used directly, I could also just remove them manually in a custom Dockerfile as a temporary solution.
Complementary information
This is the full SBOM from syft, to see where the dependencies are in the image:
syft.json.zip
Request Type
Bug
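As an added example (not code from the original report or from the Cortex project), here is the same CI gate as the grep above, but driven by `grype <image> -o json` rather than by matching the table text. Working on the JSON lets the check match on the primary id and every alias grype lists under `relatedVulnerabilities` (so a GHSA row and its CVE row count once), collapse the duplicate rows the table prints for the same jar, and report the jar path and fixed version for each hit, which is the information needed to decide between upgrading and stripping the jar. The embedded report is a constructed sample mirroring the findings in the report; the `/app/lib/...` paths are placeholders and are not taken from the real image.

```python
"""Zero-log4shell gate over grype JSON output.

Added example: a CI check equivalent to the grep in the report, but driven by
`grype <image> -o json` so that aliases (GHSA vs CVE ids) and duplicate rows
for the same jar are handled deliberately instead of by string matching.
"""
import json
import sys

# Same blacklist as the grep in the report, as a set of exact ids.
BLACKLIST = frozenset({
    "CVE-2021-45105", "GHSA-p6xc-xr62-6r2g",
    "CVE-2021-45046", "GHSA-7rjr-3q55-vv33",
    "CVE-2021-44832", "GHSA-8489-44mv-ggj8",
    "CVE-2021-44228", "GHSA-jfh8-c2jp-5v3q",
    "CVE-2021-42550", "GHSA-668q-qrv7-99fm",
    "CVE-2021-4104", "GHSA-fp5r-v3w9-4333",
    "CVE-2020-9488", "CVE-2019-17571", "CVE-2017-5645",
})


def load_matches(grype_json):
    """Return the `matches` array of a grype JSON report (empty list if absent)."""
    return json.loads(grype_json).get("matches", [])


def vulnerability_ids(match):
    """All ids grype attaches to one match: the primary id plus its aliases."""
    ids = {match["vulnerability"]["id"]}
    ids.update(r["id"] for r in match.get("relatedVulnerabilities", []))
    return ids


def policy_hits(matches, blacklist):
    """One row per (package, version, path) whose id set intersects the blacklist.

    grype emits one match per vulnerability source, so the same jar shows up
    several times (a GHSA row carrying the fix version, an NVD row without);
    those rows are merged here.
    """
    rows = {}
    for match in matches:
        blocked = vulnerability_ids(match) & blacklist
        if not blocked:
            continue
        artifact = match["artifact"]
        locations = artifact.get("locations") or [{"path": "(unknown)"}]
        fixes = match["vulnerability"].get("fix", {}).get("versions", [])
        for loc in locations:
            key = (artifact["name"], artifact["version"], loc.get("path", "(unknown)"))
            row = rows.setdefault(key, {"ids": set(), "fix": set()})
            row["ids"].update(blocked)
            row["fix"].update(fixes)
    return [
        {"package": name, "version": version, "path": path,
         "ids": sorted(row["ids"]), "fix": sorted(row["fix"])}
        for (name, version, path), row in sorted(rows.items())
    ]


def gate(grype_json, blacklist=BLACKLIST):
    """Print every violation and return the process exit code (1 = block the build)."""
    hits = policy_hits(load_matches(grype_json), blacklist)
    for hit in hits:
        fix = ", ".join(hit["fix"]) or "no fix version reported"
        print(f"BLOCKED {hit['package']} {hit['version']} at {hit['path']}: "
              f"{', '.join(hit['ids'])} (fixed in: {fix})")
    return 1 if hits else 0


def _match(pkg, version, path, vuln_id, related=(), fix=()):
    """Build one grype-shaped match record for the constructed sample below."""
    return {
        "vulnerability": {"id": vuln_id,
                          "fix": {"versions": list(fix),
                                  "state": "fixed" if fix else "unknown"}},
        "relatedVulnerabilities": [{"id": r} for r in related],
        "artifact": {"name": pkg, "version": version, "type": "java-archive",
                     "locations": [{"path": path}]},
    }


# Constructed sample report mirroring the findings in the issue; the paths are
# placeholders and are not taken from the real image.
SAMPLE_REPORT = json.dumps({"matches": [
    _match("log4j-api", "2.17.0", "/app/lib/log4j-api-2.17.0.jar",
           "GHSA-8489-44mv-ggj8", related=["CVE-2021-44832"], fix=["2.17.1"]),
    _match("log4j-api", "2.17.0", "/app/lib/log4j-api-2.17.0.jar",
           "CVE-2021-44832"),
    _match("logback-core", "1.2.3", "/app/lib/logback-core-1.2.3.jar",
           "GHSA-668q-qrv7-99fm", related=["CVE-2021-42550"], fix=["1.2.9"]),
    # Not on the blacklist: must pass the gate untouched.
    _match("netty-codec", "4.1.59.Final", "/app/lib/netty-codec-4.1.59.Final.jar",
           "CVE-2021-37137", fix=["4.1.68.Final"]),
]})

if __name__ == "__main__":
    # Usage: grype thehiveproject/cortex:3.1.4 -o json | python3 gate.py
    # With nothing piped in, the constructed sample report is checked instead.
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    sys.exit(gate(report))
```

On the sample this prints two BLOCKED lines (log4j-api 2.17.0 and logback-core 1.2.3) and exits 1; the three raw log4j rows the table would have shown collapse into one, and the netty match is ignored because none of its ids is on the list.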