confluentinc / cp-docker-images

[DEPRECATED] Docker images for Confluent Platform.
Apache License 2.0

Vulnerabilities for cp-enterprise-kafka:5.3.1 image #803

Open tokarev-artem opened 5 years ago

tokarev-artem commented 5 years ago

Hello, we used the anchore utility for docker image scanning and found some security issues.

List of high issues:

| CVE | Package | Severity | Fix | URL |
| --- | --- | --- | --- | --- |
| CVE-2015-5652 | Python-2.7.9 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2015-5652 |
| CVE-2016-3720 | jackson-2.6.7 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2016-3720 |
| CVE-2016-5636 | Python-2.7.9 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2016-5636 |
| CVE-2017-1000158 | Python-2.7.9 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2017-1000158 |
| CVE-2019-13404 | Python-2.7.9 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2019-13404 |
| CVE-2019-14540 | jackson-databind-2.9.9.3 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2019-14540 |
| CVE-2019-14540 | jackson-databind-2.9.9.3 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2019-14540 |
| CVE-2019-14540 | jackson-databind-2.9.9.3 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2019-14540 |
| CVE-2019-16335 | jackson-databind-2.9.9.3 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2019-16335 |
| CVE-2019-16335 | jackson-databind-2.9.9.3 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2019-16335 |
| CVE-2019-16335 | jackson-databind-2.9.9.3 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2019-16335 |
| CVE-2019-5482 | curl-7.38.0-4+deb8u15 | High | 7.38.0-4+deb8u16 | https://security-tracker.debian.org/tracker/CVE-2019-5482 |
| CVE-2019-5482 | libcurl3-7.38.0-4+deb8u15 | High | 7.38.0-4+deb8u16 | https://security-tracker.debian.org/tracker/CVE-2019-5482 |
| CVE-2019-5482 | libcurl3-gnutls-7.38.0-4+deb8u15 | High | 7.38.0-4+deb8u16 | https://security-tracker.debian.org/tracker/CVE-2019-5482 |

List of medium issues:

| CVE | Package | Severity | Fix | URL |
| --- | --- | --- | --- | --- |
| CVE-2010-3492 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2010-3492 |
| CVE-2011-3389 | libgnutls-deb0-28-3.3.30-0+deb8u1 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2011-3389 |
| CVE-2011-3389 | libgnutls-openssl27-3.3.30-0+deb8u1 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2011-3389 |
| CVE-2014-4616 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2014-4616 |
| CVE-2016-0772 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2016-0772 |
| CVE-2016-5699 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2016-5699 |
| CVE-2016-7051 | jackson-2.6.7 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2016-7051 |
| CVE-2017-17522 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2017-17522 |
| CVE-2017-18207 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2017-18207 |
| CVE-2017-2616 | libblkid1-2.25.2-6 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2017-2616 |
| CVE-2017-2616 | libmount1-2.25.2-6 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2017-2616 |
| CVE-2017-2616 | libsmartcols1-2.25.2-6 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2017-2616 |
| CVE-2017-2616 | libuuid1-2.25.2-6 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2017-2616 |
| CVE-2017-2616 | mount-2.25.2-6 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2017-2616 |
| CVE-2017-2616 | util-linux-2.25.2-6 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2017-2616 |
| CVE-2018-1000030 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-1000030 |
| CVE-2018-10237 | guava-11.0.2 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-10237 |
| CVE-2018-10237 | guava-18.0 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-10237 |
| CVE-2018-10237 | guava-20.0 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-10237 |
| CVE-2018-10237 | guava-20.0 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-10237 |
| CVE-2018-1060 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-1060 |
| CVE-2018-1061 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-1061 |
| CVE-2018-11771 | commons-compress-1.8.1 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-11771 |
| CVE-2018-14647 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-14647 |
| CVE-2018-18074 | requests-2.11.1 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-18074 |
| CVE-2018-20852 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-20852 |
| CVE-2019-13627 | libgcrypt20-1.6.3-2+deb8u5 | Medium | 1.6.3-2+deb8u6 | https://security-tracker.debian.org/tracker/CVE-2019-13627 |
| CVE-2019-1563 | libssl1.0.0-1.0.1t-1+deb8u11 | Medium | 1.0.1t-1+deb8u12 | https://security-tracker.debian.org/tracker/CVE-2019-1563 |
| CVE-2019-1563 | openssl-1.0.1t-1+deb8u11 | Medium | 1.0.1t-1+deb8u12 | https://security-tracker.debian.org/tracker/CVE-2019-1563 |
| CVE-2019-15903 | libexpat1-2.1.0-6+deb8u5 | Medium | 2.1.0-6+deb8u6 | https://security-tracker.debian.org/tracker/CVE-2019-15903 |
| CVE-2019-16056 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2019-16056 |
| CVE-2019-16056 | libpython2.7-minimal-2.7.9-2+deb8u4 | Medium | 2.7.9-2+deb8u5 | https://security-tracker.debian.org/tracker/CVE-2019-16056 |
| CVE-2019-16056 | libpython2.7-stdlib-2.7.9-2+deb8u4 | Medium | 2.7.9-2+deb8u5 | https://security-tracker.debian.org/tracker/CVE-2019-16056 |
| CVE-2019-16056 | python2.7-2.7.9-2+deb8u4 | Medium | 2.7.9-2+deb8u5 | https://security-tracker.debian.org/tracker/CVE-2019-16056 |
| CVE-2019-16056 | python2.7-minimal-2.7.9-2+deb8u4 | Medium | 2.7.9-2+deb8u5 | https://security-tracker.debian.org/tracker/CVE-2019-16056 |
| CVE-2019-5094 | e2fslibs-1.42.12-2+b1 | Medium | 1.42.12-2+deb8u1 | https://security-tracker.debian.org/tracker/CVE-2019-5094 |
| CVE-2019-5094 | e2fsprogs-1.42.12-2+b1 | Medium | 1.42.12-2+deb8u1 | https://security-tracker.debian.org/tracker/CVE-2019-5094 |
| CVE-2019-5094 | libcomerr2-1.42.12-2+b1 | Medium | 1.42.12-2+deb8u1 | https://security-tracker.debian.org/tracker/CVE-2019-5094 |
| CVE-2019-5094 | libss2-1.42.12-2+b1 | Medium | 1.42.12-2+deb8u1 | https://security-tracker.debian.org/tracker/CVE-2019-5094 |
| CVE-2019-9636 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2019-9636 |
| CVE-2019-9740 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2019-9740 |
| CVE-2019-9947 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2019-9947 |
| CVE-2019-9948 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2019-9948 |

And the list of low issues:

| CVE | Package | Severity | Fix | URL |
| --- | --- | --- | --- | --- |
| CVE-2019-1547 | libssl1.0.0-1.0.1t-1+deb8u11 | Low | 1.0.1t-1+deb8u12 | https://security-tracker.debian.org/tracker/CVE-2019-1547 |
| CVE-2019-1547 | openssl-1.0.1t-1+deb8u11 | Low | 1.0.1t-1+deb8u12 | https://security-tracker.debian.org/tracker/CVE-2019-1547 |

Could you update the Dockerfile with these fixes? Thanks

janjwerner-confluent commented 2 years ago

Thank you for raising this issue. Confluent Platform updates (including image upgrades) are made available on a quarterly cadence. The issues have been addressed at this point in time.