Cortex
log4j related vulnerabilities in docker image
Request Type
Bug
Problem Description
Hi, I'd like to deploy cortex at my organisation, however our security department is enforcing a zero-log4shell policy.
We use syft and grype in CI to check images for these blacklisted vulnerabilities.
Unfortunately your cortex image (latest tag, 3.1.4) has several hits.
Steps to Reproduce
```shell
# I'm showing here only the lines that match our blacklist
GRYPE_CVE_BLACKLIST_REGEX="CVE-2021-45105|GHSA-p6xc-xr62-6r2g|CVE-2021-45046|GHSA-7rjr-3q55-vv33|CVE-2021-44832|GHSA-8489-44mv-ggj8|CVE-2021-44228|GHSA-jfh8-c2jp-5v3q|CVE-2021-42550|GHSA-668q-qrv7-99fm|CVE-2021-4104|GHSA-fp5r-v3w9-4333|CVE-2020-9488|CVE-2019-17571|CVE-2017-5645"
grype thehiveproject/cortex:3.1.4 | grep -E "${GRYPE_CVE_BLACKLIST_REGEX}"
```

```text
log4j-api                                  2.17.0  2.17.1  GHSA-8489-44mv-ggj8  Medium
log4j-api                                  2.17.0          CVE-2021-44832       Medium
log4j-to-slf4j                             2.17.0          CVE-2021-44832       Medium
logback-core                               1.2.3           GHSA-668q-qrv7-99fm  Medium
org.apache.logging.log4j.log4j-api         2.17.0          CVE-2021-44832       Medium
org.apache.logging.log4j.log4j-to-slf4j    2.17.0          CVE-2021-44832       Medium
```
Possible Solutions
- Update all the `log4j` dependencies from 2.17.0 to 2.17.1
- Update `logback-core` to 1.2.10
If you can't run these updates, can you advise on the importance of these libraries? If they are not used directly I could also just remove them manually in a custom dockerfile as a temporary solution.
Complementary information
This is the full sbom from syft to see where the dependencies are in the image: syft.json.zip
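The CI gate described in the report (scan the image with grype, fail on any blacklisted identifier) can be made more robust by reading grype's JSON output instead of grepping its text table. The script below is an added example written for this page; it is not part of the issue, of Cortex, or of grype itself. It assumes the JSON layout that `grype <image> -o json` produces at the time of writing (`matches[].vulnerability.id`, `matches[].vulnerability.fix.versions`, `matches[].relatedVulnerabilities[].id`, `matches[].artifact.{name,version,type}`); the embedded report is a constructed sample that mirrors the rows in the issue, with one made-up non-blacklisted entry (`CVE-0000-0000` in `unrelated-lib`) to show that the filter ignores it. Two things it does that the `grep -E` pipeline does not: identifiers are compared whole, so an unanchored alternation such as `CVE-2021-4104` cannot match a longer, unrelated identifier by substring, and a match is flagged whether the blacklisted identifier is grype's primary id or one of its aliases (the GHSA/CVE pairs that appear as separate rows in the text output).

```python
"""Fail a CI job when grype reports any blacklisted vulnerability.

Added example for this page; not the issue author's, Cortex's or grype's code.
Assumes the `grype -o json` report shape described in the lead-in.
Usage in CI: grype thehiveproject/cortex:3.1.4 -o json | python3 gate.py
"""
import json
import sys
from typing import Dict, List, Set

# The blacklist from the issue, in the same "|"-separated form so the one
# environment variable can feed both this script and the original grep.
GRYPE_CVE_BLACKLIST_REGEX = (
    "CVE-2021-45105|GHSA-p6xc-xr62-6r2g|CVE-2021-45046|GHSA-7rjr-3q55-vv33|"
    "CVE-2021-44832|GHSA-8489-44mv-ggj8|CVE-2021-44228|GHSA-jfh8-c2jp-5v3q|"
    "CVE-2021-42550|GHSA-668q-qrv7-99fm|CVE-2021-4104|GHSA-fp5r-v3w9-4333|"
    "CVE-2020-9488|CVE-2019-17571|CVE-2017-5645"
)


def parse_blocklist(regex: str) -> Set[str]:
    """Turn the grep-style alternation into a set of exact identifiers."""
    return {token.strip() for token in regex.split("|") if token.strip()}


def blocked_matches(report: Dict, blocklist: Set[str]) -> List[Dict]:
    """Return one record per grype match whose id or any alias is blacklisted.

    Whole-identifier comparison: "CVE-2021-4104" on the list does not flag a
    hypothetical "CVE-2021-41040", which an unanchored `grep -E` would.
    """
    hits = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        ids = {vuln["id"]}
        # grype lists aliases (e.g. the GHSA for a CVE) under relatedVulnerabilities
        ids.update(rv["id"] for rv in match.get("relatedVulnerabilities", []))
        blocked = sorted(ids & blocklist)
        if not blocked:
            continue
        artifact = match["artifact"]
        hits.append({
            "package": artifact["name"],
            "version": artifact["version"],
            "type": artifact.get("type", ""),
            "ids": blocked,
            "severity": vuln.get("severity", ""),
            "fixed_in": vuln.get("fix", {}).get("versions", []),
        })
    return hits


# Constructed sample report (not real grype output) in the `grype -o json`
# shape; the first two entries mirror rows from the issue, the third is a
# made-up, non-blacklisted finding the gate must ignore.
SAMPLE_REPORT = {
    "matches": [
        {
            "vulnerability": {"id": "CVE-2021-44832", "severity": "Medium",
                              "fix": {"versions": ["2.17.1"], "state": "fixed"}},
            "relatedVulnerabilities": [{"id": "GHSA-8489-44mv-ggj8"}],
            "artifact": {"name": "log4j-api", "version": "2.17.0",
                         "type": "java-archive"},
        },
        {
            "vulnerability": {"id": "GHSA-668q-qrv7-99fm", "severity": "Medium",
                              "fix": {"versions": [], "state": "unknown"}},
            "relatedVulnerabilities": [{"id": "CVE-2021-42550"}],
            "artifact": {"name": "logback-core", "version": "1.2.3",
                         "type": "java-archive"},
        },
        {
            "vulnerability": {"id": "CVE-0000-0000", "severity": "Low",
                              "fix": {"versions": [], "state": "not-fixed"}},
            "relatedVulnerabilities": [],
            "artifact": {"name": "unrelated-lib", "version": "1.0",
                         "type": "java-archive"},
        },
    ]
}


def gate_exit_code(report: Dict, blocklist: Set[str]) -> int:
    """0 when the image is clean, 1 when any blacklisted id is present."""
    return 1 if blocked_matches(report, blocklist) else 0


if __name__ == "__main__":
    # Read a real report from stdin; fall back to the sample when run by hand.
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    blocklist = parse_blocklist(GRYPE_CVE_BLACKLIST_REGEX)
    for h in blocked_matches(report, blocklist):
        fixed = ", ".join(h["fixed_in"]) or "no fix listed"
        print(f'{h["package"]} {h["version"]} ({h["type"]}): '
              f'{", ".join(h["ids"])} [{h["severity"]}] fixed in: {fixed}')
    sys.exit(gate_exit_code(report, blocklist))
```

Piping `grype <image> -o json` into the script makes the job fail with exit status 1 on any hit and prints which package, version and fix version triggered it, which is also the information needed to decide whether a dependency bump or a custom Dockerfile is the right short-term fix.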