[Open] reneleonhardt opened 3 years ago
Rene, thank you for your suggestion. Confluent's policy is to release patch release versions along with base OS upgrades on a quarterly basis. We will look into improving this upgrade cadence at a future point in time.
@janjwerner-confluent Has there been any change on this policy? We're seeing similar vulnerabilities in glibc and others:
```console
$ trivy image --scanners=vuln --vuln-type=os \
    --severity=HIGH,CRITICAL --ignore-unfixed \
    confluentinc/cp-kafka-connect:7.6.1
2024-05-28T14:10:28.096-0500 INFO Vulnerability scanning is enabled
2024-05-28T14:10:28.994-0500 INFO Detected OS: redhat
2024-05-28T14:10:28.994-0500 INFO Detecting RHEL/CentOS vulnerabilities...

confluentinc/cp-kafka-connect:7.6.1 (redhat 8.9)

Total: 10 (HIGH: 10, CRITICAL: 0)
```

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| glibc | CVE-2024-2961 | HIGH | fixed | 2.28-236.el8_9.12 | 2.28-251.el8_10.1 | glibc: Out of bounds write in iconv may lead to remote code... https://avd.aquasec.com/nvd/cve-2024-2961 |
| glibc | CVE-2024-33599 | HIGH | fixed | 2.28-236.el8_9.12 | 2.28-251.el8_10.2 | glibc: stack-based buffer overflow in netgroup cache https://avd.aquasec.com/nvd/cve-2024-33599 |
| glibc-common | CVE-2024-2961 | HIGH | fixed | 2.28-236.el8_9.12 | 2.28-251.el8_10.1 | glibc: Out of bounds write in iconv may lead to remote code... https://avd.aquasec.com/nvd/cve-2024-2961 |
| glibc-common | CVE-2024-33599 | HIGH | fixed | 2.28-236.el8_9.12 | 2.28-251.el8_10.2 | glibc: stack-based buffer overflow in netgroup cache https://avd.aquasec.com/nvd/cve-2024-33599 |
| glibc-minimal-langpack | CVE-2024-2961 | HIGH | fixed | 2.28-236.el8_9.12 | 2.28-251.el8_10.1 | glibc: Out of bounds write in iconv may lead to remote code... https://avd.aquasec.com/nvd/cve-2024-2961 |
| glibc-minimal-langpack | CVE-2024-33599 | HIGH | fixed | 2.28-236.el8_9.12 | 2.28-251.el8_10.2 | glibc: stack-based buffer overflow in netgroup cache https://avd.aquasec.com/nvd/cve-2024-33599 |
| platform-python | CVE-2023-6597 | HIGH | fixed | 3.6.8-56.el8_9.3 | 3.6.8-62.el8_10 | python: Path traversal on tempfile.TemporaryDirectory https://avd.aquasec.com/nvd/cve-2023-6597 |
| python3-libs | CVE-2023-6597 | HIGH | fixed | 3.6.8-56.el8_9.3 | 3.6.8-62.el8_10 | python: Path traversal on tempfile.TemporaryDirectory https://avd.aquasec.com/nvd/cve-2023-6597 |
| python3-unbound | CVE-2024-1488 | HIGH | fixed | 1.16.2-5.el8_9.2 | 1.16.2-5.el8_9.6 | unbound: unrestricted reconfiguration enabled to anyone that may lead to local privilege... https://avd.aquasec.com/nvd/cve-2024-1488 |
| unbound-libs | CVE-2024-1488 | HIGH | fixed | 1.16.2-5.el8_9.2 | 1.16.2-5.el8_9.6 | unbound: unrestricted reconfiguration enabled to anyone that may lead to local privilege... https://avd.aquasec.com/nvd/cve-2024-1488 |
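Below is an added example (not code from this thread, from Confluent, or from the trivy project) showing how to post-process a `trivy image --format json` report like the scan above in CI: it applies the same filters as the command (OS packages only, HIGH/CRITICAL, fixed-only), collapses the ten per-package findings into their four distinct CVEs (which is what a base-image rebuild actually has to pick up), and returns a pass/fail verdict. The JSON layout is trivy's report format; the sample report is constructed inline from the values in the table, plus a few made-up rows (`CVE-PLACEHOLDER-*`, `example-pkg`, `example.jar`) that exist only to exercise the filters. Function names and the policy threshold are the example's own.

```python
"""Triage a trivy --format json report: apply the same filters as the
trivy command in the thread, collapse per-package findings into distinct
CVEs, and return a pass/fail verdict for a CI gate."""
import json
import sys


def _v(cve, pkg, installed, fixed, severity="HIGH"):
    # One finding in trivy's Results[].Vulnerabilities[] layout.
    return {"VulnerabilityID": cve, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": severity,
            "Status": "fixed" if fixed else "affected"}


# Constructed sample report. The ten OS findings reproduce the table in the
# thread; the CVE-PLACEHOLDER-* rows, example-pkg and example.jar are made up
# purely to exercise the filters below.
_OS_VULNS = [
    _v("CVE-2024-2961", "glibc", "2.28-236.el8_9.12", "2.28-251.el8_10.1"),
    _v("CVE-2024-33599", "glibc", "2.28-236.el8_9.12", "2.28-251.el8_10.2"),
    _v("CVE-2024-2961", "glibc-common", "2.28-236.el8_9.12", "2.28-251.el8_10.1"),
    _v("CVE-2024-33599", "glibc-common", "2.28-236.el8_9.12", "2.28-251.el8_10.2"),
    _v("CVE-2024-2961", "glibc-minimal-langpack", "2.28-236.el8_9.12", "2.28-251.el8_10.1"),
    _v("CVE-2024-33599", "glibc-minimal-langpack", "2.28-236.el8_9.12", "2.28-251.el8_10.2"),
    _v("CVE-2023-6597", "platform-python", "3.6.8-56.el8_9.3", "3.6.8-62.el8_10"),
    _v("CVE-2023-6597", "python3-libs", "3.6.8-56.el8_9.3", "3.6.8-62.el8_10"),
    _v("CVE-2024-1488", "python3-unbound", "1.16.2-5.el8_9.2", "1.16.2-5.el8_9.6"),
    _v("CVE-2024-1488", "unbound-libs", "1.16.2-5.el8_9.2", "1.16.2-5.el8_9.6"),
    _v("CVE-PLACEHOLDER-UNFIXED", "example-pkg", "1.0-1.el8", ""),              # no vendor fix yet
    _v("CVE-PLACEHOLDER-MEDIUM", "example-pkg", "1.0-1.el8", "1.0-2.el8", "MEDIUM"),
]
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "confluentinc/cp-kafka-connect:7.6.1",
    "Results": [
        {"Target": "confluentinc/cp-kafka-connect:7.6.1 (redhat 8.9)", "Class": "os-pkgs",
         "Type": "redhat", "Vulnerabilities": _OS_VULNS},
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar",     # excluded by --vuln-type=os
         "Vulnerabilities": [_v("CVE-PLACEHOLDER-JAR", "example.jar", "1.0", "1.1")]},
    ],
})


def load_findings(report_json):
    """Flatten Results[].Vulnerabilities[] into one list, tagging each
    finding with the Target and Class of the result it came from."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            entry = dict(vuln)
            entry["Target"] = result.get("Target", "")
            entry["Class"] = result.get("Class", "")
            findings.append(entry)
    return findings


def triage(findings, severities=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """Keep OS-package findings at the given severities (by default only
    those with a vendor fix), then group them by CVE so the count reflects
    distinct issues rather than every package built from the same source."""
    by_cve = {}
    kept = 0
    for f in findings:
        if f.get("Class") != "os-pkgs":                    # --vuln-type=os
            continue
        if f.get("Severity") not in severities:            # --severity=...
            continue
        if ignore_unfixed and not f.get("FixedVersion"):   # --ignore-unfixed
            continue
        kept += 1
        entry = by_cve.setdefault(f["VulnerabilityID"],
                                  {"severity": f["Severity"], "packages": set(),
                                   "fixed_versions": set()})
        entry["packages"].add(f["PkgName"])
        entry["fixed_versions"].add(f["FixedVersion"])
    for entry in by_cve.values():                          # deterministic output
        entry["packages"] = sorted(entry["packages"])
        entry["fixed_versions"] = sorted(entry["fixed_versions"])
    return {"package_findings": kept, "distinct_cves": len(by_cve), "by_cve": by_cve}


def passes_policy(summary, max_fixable_cves=0):
    """Policy (the example's own): an image may ship with at most this many
    distinct CVEs that already have a vendor fix. Zero means 'rebuild on the
    base image's errata', which is what the thread is asking for."""
    return summary["distinct_cves"] <= max_fixable_cves


def render(summary):
    """Human-readable summary grouped by CVE."""
    lines = [f"{summary['package_findings']} package findings, "
             f"{summary['distinct_cves']} distinct CVEs with a fix available"]
    for cve, entry in sorted(summary["by_cve"].items()):
        lines.append(f"  {cve} [{entry['severity']}] -> {', '.join(entry['fixed_versions'])} "
                     f"({', '.join(entry['packages'])})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: trivy image --format json -o report.json IMAGE && python triage.py report.json
    # With no argument the constructed sample report is used.
    raw = SAMPLE_REPORT if len(sys.argv) < 2 else open(sys.argv[1]).read()
    result = triage(load_findings(raw))
    print(render(result))
    sys.exit(0 if passes_policy(result) else 1)
```

The grouping step is the point: the scan reports ten findings, but they are four CVEs in three source packages (glibc, python3, unbound), so a "fail on any fixable HIGH" gate is really asking for the base image's errata to be applied, not for ten separate fixes.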
@tpitale thank you for reaching out. We are still on the quarterly cadence. New images have been released addressing the issues listed above; unfortunately, the root cause is still there.
cp-kafka:6.2.0 is 12 days young but already shows many missing system updates. It would be good to provide updated images with the same tag more regularly, only for updating dependencies without waiting for your new patch release with functional changes to finish.
Floating tags for major and minor releases would be convenient for users to follow the latest stable versions; they would correlate to Confluent Platform versions like 6.1.x and 6.2.x:
Suggestions to improve Dockerfile: https://github.com/goodwithtech/dockle
You're using Zulu OpenJDK 11; if possible, consider upgrading to the latest stable Jetty 11.0.5 or 10.0.5. Security findings: https://github.com/aquasecurity/trivy
You can integrate the GitHub Action into your workflows if you want: https://github.com/aquasecurity/trivy/blob/main/docs/integrations/github-actions.md