elastic / logstash

Logstash - transport and process your logs, events, or other data
https://www.elastic.co/products/logstash

Newest stable image vulnerable CVE-2011-4838 #10897

Open jeff-cook opened 5 years ago

jeff-cook commented 5 years ago

The current stable logstash image (docker.elastic.co/logstash/logstash:6.5.3) is vulnerable to CVE-2011-4838.

The base image (centos:7) didn't have this vulnerability.

(CVE-2011-4838 - https://nvd.nist.gov/vuln/detail/CVE-2011-4838) HIGH Vulnerability found in non-os package type (java) - /usr/share/logstash/logstash-core/lib/jars/jruby-complete-9.1.13.0.jar:META-INF/jruby.home/lib/ruby/stdlib/readline.jar:jruby-readline

(CVE-2011-4838 - https://nvd.nist.gov/vuln/detail/CVE-2011-4838) HIGH Vulnerability found in non-os package type (java) - /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-dissect-1.2.0/vendor/jars/org/logstash/dissect/jruby-dissect-library/1.2.0/jruby-dissect-library-1.2.0.jar

(CVE-2011-4838 - https://nvd.nist.gov/vuln/detail/CVE-2011-4838) HIGH Vulnerability found in non-os package type (java) - /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-dissect-1.2.0/vendor/jars/org/logstash/dissect/jruby-dissect-library/1.2.0/jruby-dissect-library-1.2.0.jar

(CVE-2011-4838 - https://nvd.nist.gov/vuln/detail/CVE-2011-4838) HIGH Vulnerability found in non-os package type (java) - /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-dissect-1.2.0/vendor/jars/org/logstash/dissect/jruby-dissect-library/1.2.0/jruby-dissect-library-1.2.0.jar

(CVE-2011-4838 - https://nvd.nist.gov/vuln/detail/CVE-2011-4838) HIGH Vulnerability found in non-os package type (java) - /usr/share/logstash/vendor/jruby/lib/ruby/stdlib/readline.jar:jruby-readline

It looks like most of these packages have newer versions.

lukeplausin commented 3 years ago

More on this topic - we have a requirement to scan all images in our docker registry for vulnerabilities. A copy of logstash (7.10.2-SNAPSHOT) which we uploaded to our registry had 630 vulnerabilities, of which 16 were high and 5 critical. All of the high and critical vulnerabilities appear to have fixes available.

Is there any chance that we could get some security updates?

| CVE | Severity | Package | Installed version | Fixed version |
|---|---|---|---|---|
| CVE-2013-0269 | Critical | json | 1.8.6-java | ~> 1.5.5, ~> 1.6.8, >= 1.7.7 |
| CVE-2020-14001 | Critical | kramdown | 1.14.0 | 2.3.0 |
| CVE-2016-4658 | Critical | nokogiri | 1.10.10-java | >= 1.7.1 |
| CVE-2019-11068 | Critical | nokogiri | 1.10.10-java | >= 1.10.3 |
| CVE-2019-5477 | Critical | nokogiri | 1.10.10-java | >= 1.10.4 |
| CVE-2015-8385 | High | glib2 | 2.56.1-8.el7 | |
| CVE-2016-3191 | High | glib2 | 2.56.1-8.el7 | |
| CVE-2019-5827 | High | sqlite | 3.7.17-8.el7_7.1 | |
| CVE-2018-1000201 | High | ffi | 1.13.1-java | >= 1.9.24 |
| CVE-2020-10663 | High | json | 1.8.6-java | >= 2.3.0 |
| CVE-2015-5312 | High | nokogiri | 1.10.10-java | >= 1.6.7.1 |
| CVE-2015-8806 | High | nokogiri | 1.10.10-java | >= 1.6.8 |
| CVE-2017-15412 | High | nokogiri | 1.10.10-java | >= 1.8.2 |
| CVE-2017-16932 | High | nokogiri | 1.10.10-java | >= 1.8.1 |
| CVE-2017-5029 | High | nokogiri | 1.10.10-java | >= 1.7.2 |
| CVE-2017-9050 | High | nokogiri | 1.10.10-java | >= 1.8.1 |
| CVE-2018-14404 | High | nokogiri | 1.10.10-java | >= 1.8.5 |
| CVE-2019-13117 | High | nokogiri | 1.10.10-java | >= 1.10.5 |
| CVE-2020-7595 | High | nokogiri | 1.10.10-java | >= 1.10.8 |
| CVE-2019-16770 | High | puma | 4.3.7-java | ~> 3.12.2, >= 4.3.1 |
| CVE-2020-11076 | High | puma | 4.3.7-java | ~> 3.12.5, >= 4.3.4 |
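Added example, not code from this issue or from Logstash: a small Ruby triage script that checks the gem rows of the scanner table above against their listed fix constraints using RubyGems' own `Gem::Version` and `Gem::Requirement`. It assumes the fixed-version column lists alternative release branches in `Gem::Requirement` syntax (any one of them resolves the finding) and that a bare version such as `2.3.0` means that version or later; the `FINDINGS` rows are copied from the table.

```ruby
# Added triage example: is each gem finding still open under RubyGems version rules?
require "rubygems"

# Constructed from the scanner table above: [cve, gem, installed, fixed versions].
FINDINGS = [
  ["CVE-2013-0269",    "json",     "1.8.6-java",   "~> 1.5.5, ~> 1.6.8, >= 1.7.7"],
  ["CVE-2020-14001",   "kramdown", "1.14.0",       "2.3.0"],
  ["CVE-2019-5477",    "nokogiri", "1.10.10-java", ">= 1.10.4"],
  ["CVE-2018-1000201", "ffi",      "1.13.1-java",  ">= 1.9.24"],
  ["CVE-2019-16770",   "puma",     "4.3.7-java",   "~> 3.12.2, >= 4.3.1"],
]

# "1.8.6-java" is gem version 1.8.6 built for the java platform. Left as-is,
# RubyGems reads "-java" as a prerelease tag (1.8.6.pre.java), so the platform
# suffix is stripped before any comparison.
def gem_version(installed)
  Gem::Version.new(installed.sub(/-java\z/, ""))
end

# Each comma-separated entry is one release branch that carries the fix.
# A bare "2.3.0" (no operator) is read as ">= 2.3.0" (assumption stated above).
def fixed_requirements(fixed)
  fixed.split(",").map(&:strip).map do |c|
    c.match?(/\A[<>=~]/) ? Gem::Requirement.new(c) : Gem::Requirement.new(">= #{c}")
  end
end

# A finding is resolved when the installed version satisfies ANY listed branch;
# treating the list as a conjunction would never be satisfiable.
def resolved?(installed, fixed)
  version = gem_version(installed)
  fixed_requirements(fixed).any? { |req| req.satisfied_by?(version) }
end

# Returns { cve => :resolved | :open } for the given rows.
def triage(findings = FINDINGS)
  findings.each_with_object({}) do |(cve, _gem, installed, fixed), out|
    out[cve] = resolved?(installed, fixed) ? :resolved : :open
  end
end

if $PROGRAM_NAME == __FILE__
  triage.each { |cve, state| puts "#{cve}: #{state}" }
end
```

Run over the table's gem rows, the check reports which findings are still open under the listed constraints (kramdown 1.14.0 against 2.3.0) and which installed versions already satisfy one of their fix branches once the platform suffix is set aside, which is worth confirming before requesting an upgrade for them.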