confluentinc / common-docker

Confluent Commons with support for building and testing Docker images.
Apache License 2.0

Vulnerability CVE-2022-40897 in all images #270

Closed. bydich closed this 9 months ago

bydich commented 1 year ago

I'm using version 6.0.11 of the image in my project. During testing, the "trivy" utility discovered a vulnerability.

$ trivy image confluentinc/cp-kafka:6.0.11
2023-02-06T18:25:22.718+0300    INFO    Vulnerability scanning is enabled
2023-02-06T18:25:22.719+0300    INFO    Secret scanning is enabled
2023-02-06T18:25:22.719+0300    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-06T18:25:22.719+0300    INFO    Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-02-06T18:25:30.121+0300    INFO    Detected OS: redhat
2023-02-06T18:25:30.121+0300    INFO    Detecting RHEL/CentOS vulnerabilities...
2023-02-06T18:25:30.149+0300    INFO    Number of language-specific files: 2
2023-02-06T18:25:30.149+0300    INFO    Detecting jar vulnerabilities...
2023-02-06T18:25:30.153+0300    INFO    Detecting python-pkg vulnerabilities...

confluentinc/cp-kafka:6.0.11 (redhat 8.7)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                    Title                    │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────┤
│ libksba │ CVE-2022-47629 │ HIGH     │ 1.3.5-8.el8_6     │               │ libksba: integer overflow to code execution │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-47629  │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────┘
2023-02-06T18:25:30.219+0300    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Python (python-pkg)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                         Title                         │
├───────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ setuptools (METADATA) │ CVE-2022-40897 │ HIGH     │ 50.3.2            │ 65.5.1        │ pypa-setuptools: Regular Expression Denial of Service │
│                       │                │          │                   │               │ (ReDoS) in package_index.py                           │
│                       │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-40897            │
└───────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────┘

I need to update the Python setuptools package to the latest version (67.*), and I want to see my changes in the new image 6.0.12 to fix the vulnerability. I have prepared the changes. Which branch should I open the pull request against?
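A triage helper for scan output like the one above, added here as an example (it is not part of common-docker or of the report): it reads a trivy `--format json` report, keeps HIGH/CRITICAL findings, and separates those with a published fixed version (actionable for an image rebuild, like the setuptools finding) from those without one (like the libksba finding at scan time), so a CI gate fails on what can actually be patched. The JSON key names are assumed from trivy's JSON layout, and the sample report is constructed from the two table rows above.

```python
import json
from dataclasses import dataclass

# Constructed sample mirroring the two findings in the trivy table above; the key
# names follow trivy's --format json layout (an assumption, check your trivy version).
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "confluentinc/cp-kafka:6.0.11 (redhat 8.7)", "Type": "redhat",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2022-47629", "PkgName": "libksba", "Severity": "HIGH",
          "InstalledVersion": "1.3.5-8.el8_6",
          "Title": "libksba: integer overflow to code execution"}]},
    {"Target": "Python", "Type": "python-pkg",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2022-40897", "PkgName": "setuptools", "Severity": "HIGH",
          "InstalledVersion": "50.3.2", "FixedVersion": "65.5.1",
          "Title": "pypa-setuptools: Regular Expression Denial of Service (ReDoS)"}]},
]})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: str        # empty string when no fixed version has been published
    severity: str
    target: str

def parse_report(report_json: str) -> list:
    """Flatten every Results[].Vulnerabilities[] entry into a Finding."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        # "Vulnerabilities" is absent or null for targets with no findings
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                vuln_id=v["VulnerabilityID"], package=v["PkgName"],
                installed=v["InstalledVersion"], fixed=v.get("FixedVersion", ""),
                severity=v.get("Severity", "UNKNOWN"), target=result.get("Target", "")))
    return findings

def triage(findings, min_severity="HIGH"):
    """Keep findings at or above min_severity and split them into (fixable, no fix yet).
    Only the fixable list is actionable for a rebuild, so a CI gate should fail on
    that list rather than on the raw finding count."""
    floor = SEVERITY_RANK[min_severity]
    relevant = [f for f in findings if SEVERITY_RANK.get(f.severity, 0) >= floor]
    return [f for f in relevant if f.fixed], [f for f in relevant if not f.fixed]
```

Run `triage(parse_report(open("report.json").read()))` on a real `trivy image --format json` report; the first list is what a version bump (here setuptools 50.3.2 to 65.5.1 or later) resolves, the second is what to track until the distro ships a fix.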

janjwerner-confluent commented 1 year ago

@bydich Thank you for raising this issue and preparing the PR. We expect to resolve those issues in the upcoming quarterly release.

yeikel commented 9 months ago

Did this get resolved?

janjwerner-confluent commented 9 months ago

Yes, both of those issues have been addressed. Please note that the 6.1.x branch is out of the support scope. https://docs.confluent.io/platform/current/installation/versions-interoperability.html