fluent / fluent-bit-docker-image

Docker image for Fluent Bit
https://hub.docker.com/r/fluent/fluent-bit/
Apache License 2.0
67 stars, 75 forks

16 issues in a docker image fluent/fluent-bit:1.8.12 #51

Closed sane4ek-2 closed 2 years ago

sane4ek-2 commented 2 years ago

Hello guys. Probably you know about these problems. I pulled the image for the platform linux/amd64 and ran the docker scan command on that image. It returned the following vulnerabilities:

% docker scan fluent/fluent-bit
the Snyk version 1.752.0 installed on your system is older as the one embedded by Docker Desktop (>=1.809.0), using embedded Snyk version instead

Testing fluent/fluent-bit...

✗ Low severity vulnerability found in openssl/libssl1.1
  Description: CVE-2021-4160
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-2388380
  Introduced through: openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: openssl/libssl1.1@1.1.1k-1+deb11u1
  From: openssl@1.1.1k-1+deb11u1 > openssl/libssl1.1@1.1.1k-1+deb11u1
  From: openssl@1.1.1k-1+deb11u1

✗ Low severity vulnerability found in openssl/libssl1.1
  Description: Cryptographic Issues
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-518334
  Introduced through: openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: openssl/libssl1.1@1.1.1k-1+deb11u1
  From: openssl@1.1.1k-1+deb11u1 > openssl/libssl1.1@1.1.1k-1+deb11u1
  From: openssl@1.1.1k-1+deb11u1

✗ Low severity vulnerability found in openssl/libssl1.1
  Description: Cryptographic Issues
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-525332
  Introduced through: openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: openssl/libssl1.1@1.1.1k-1+deb11u1
  From: openssl@1.1.1k-1+deb11u1 > openssl/libssl1.1@1.1.1k-1+deb11u1
  From: openssl@1.1.1k-1+deb11u1

✗ Low severity vulnerability found in glibc/libc6
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-1296898
  Introduced through: glibc/libc6@2.31-13+deb11u2, gcc-10/libgomp1@10.2.1-6, gcc-10/libstdc++6@10.2.1-6, openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libgomp1@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libstdc++6@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  and 2 more...

✗ Low severity vulnerability found in glibc/libc6
  Description: CVE-2021-43396
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-1911968
  Introduced through: glibc/libc6@2.31-13+deb11u2, gcc-10/libgomp1@10.2.1-6, gcc-10/libstdc++6@10.2.1-6, openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libgomp1@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libstdc++6@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  and 2 more...

✗ Low severity vulnerability found in glibc/libc6
  Description: Buffer Overflow
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-2340908
  Introduced through: glibc/libc6@2.31-13+deb11u2, gcc-10/libgomp1@10.2.1-6, gcc-10/libstdc++6@10.2.1-6, openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libgomp1@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libstdc++6@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  and 2 more...

✗ Low severity vulnerability found in glibc/libc6
  Description: CVE-2021-3998
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-2340914
  Introduced through: glibc/libc6@2.31-13+deb11u2, gcc-10/libgomp1@10.2.1-6, gcc-10/libstdc++6@10.2.1-6, openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libgomp1@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libstdc++6@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  and 2 more...

✗ Low severity vulnerability found in glibc/libc6
  Description: CVE-2021-3999
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-2340919
  Introduced through: glibc/libc6@2.31-13+deb11u2, gcc-10/libgomp1@10.2.1-6, gcc-10/libstdc++6@10.2.1-6, openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libgomp1@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libstdc++6@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  and 2 more...

✗ Low severity vulnerability found in glibc/libc6
  Description: Buffer Overflow
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-2340922
  Introduced through: glibc/libc6@2.31-13+deb11u2, gcc-10/libgomp1@10.2.1-6, gcc-10/libstdc++6@10.2.1-6, openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libgomp1@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libstdc++6@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  and 2 more...

✗ Low severity vulnerability found in glibc/libc6
  Description: Out-of-Bounds
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-521063
  Introduced through: glibc/libc6@2.31-13+deb11u2, gcc-10/libgomp1@10.2.1-6, gcc-10/libstdc++6@10.2.1-6, openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libgomp1@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libstdc++6@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  and 2 more...

✗ Low severity vulnerability found in glibc/libc6
  Description: Uncontrolled Recursion
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-521199
  Introduced through: glibc/libc6@2.31-13+deb11u2, gcc-10/libgomp1@10.2.1-6, gcc-10/libstdc++6@10.2.1-6, openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libgomp1@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libstdc++6@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  and 2 more...

✗ Low severity vulnerability found in glibc/libc6
  Description: Use of Insufficiently Random Values
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-522385
  Introduced through: glibc/libc6@2.31-13+deb11u2, gcc-10/libgomp1@10.2.1-6, gcc-10/libstdc++6@10.2.1-6, openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libgomp1@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libstdc++6@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  and 2 more...

✗ Low severity vulnerability found in glibc/libc6
  Description: Information Exposure
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-529848
  Introduced through: glibc/libc6@2.31-13+deb11u2, gcc-10/libgomp1@10.2.1-6, gcc-10/libstdc++6@10.2.1-6, openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libgomp1@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libstdc++6@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  and 2 more...

✗ Low severity vulnerability found in glibc/libc6
  Description: CVE-2019-1010023
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-531451
  Introduced through: glibc/libc6@2.31-13+deb11u2, gcc-10/libgomp1@10.2.1-6, gcc-10/libstdc++6@10.2.1-6, openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libgomp1@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libstdc++6@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  and 2 more...

✗ Low severity vulnerability found in glibc/libc6
  Description: Uncontrolled Recursion
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-531492
  Introduced through: glibc/libc6@2.31-13+deb11u2, gcc-10/libgomp1@10.2.1-6, gcc-10/libstdc++6@10.2.1-6, openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libgomp1@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libstdc++6@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  and 2 more...

✗ Low severity vulnerability found in glibc/libc6
  Description: Resource Management Errors
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-532215
  Introduced through: glibc/libc6@2.31-13+deb11u2, gcc-10/libgomp1@10.2.1-6, gcc-10/libstdc++6@10.2.1-6, openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libgomp1@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  From: gcc-10/libstdc++6@10.2.1-6 > glibc/libc6@2.31-13+deb11u2
  and 2 more...

And the Helm chart of fluent-bit shows problems too, but it looks more dangerous because of the "F" grade: https://artifacthub.io/packages/helm/fluent/fluent-bit. I'm nervous to use it in production.

Do you have any plans to fix these problems, or are they within other libraries you cannot influence?

patrick-stephens commented 2 years ago

These are all low and related to the Debian base image, it seems.

For the Helm chart the critical ones are already answered here: https://github.com/fluent/fluent-bit/discussions/4783 TL;DR: not relevant, as not used by FB.

For security stuff raise it via the policy on the main repo: https://github.com/fluent/fluent-bit/security/policy
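The triage behind the reply above (all low, all Debian base-image packages) can be automated. The following Python script is an added example, not code from this issue or from the fluent-bit project: it parses `docker scan` (Snyk) text output of the shape posted in the issue, reports findings per package and severity, flags which findings are OS-package advisories (the `SNYK-DEBIAN11-…` IDs, which Debian, not Fluent Bit, fixes via the base image), points at the Debian security tracker page for each source package, and applies a severity gate. The sample input is a constructed excerpt of three of the findings from the scan above; the function names, the gate threshold and the list of distro namespaces are this example's own assumptions.

```python
"""Triage `docker scan` (Snyk) text output: who owns each finding, and does it block?

Added example, not part of the fluent-bit project. The parser targets the
plain-text report format shown in the issue; function names, the severity
gate and the sample excerpt are this example's own choices.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample: three findings copied from the scan output in the issue.
SAMPLE_SCAN = """\
Testing fluent/fluent-bit...

✗ Low severity vulnerability found in openssl/libssl1.1
  Description: CVE-2021-4160
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-2388380
  Introduced through: openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: openssl/libssl1.1@1.1.1k-1+deb11u1
  From: openssl@1.1.1k-1+deb11u1 > openssl/libssl1.1@1.1.1k-1+deb11u1

✗ Low severity vulnerability found in openssl/libssl1.1
  Description: Cryptographic Issues
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-518334
  Introduced through: openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: openssl/libssl1.1@1.1.1k-1+deb11u1

✗ Low severity vulnerability found in glibc/libc6
  Description: CVE-2021-3999
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-2340919
  Introduced through: glibc/libc6@2.31-13+deb11u2, gcc-10/libgomp1@10.2.1-6, gcc-10/libstdc++6@10.2.1-6, openssl/libssl1.1@1.1.1k-1+deb11u1, openssl@1.1.1k-1+deb11u1
  From: glibc/libc6@2.31-13+deb11u2
  and 2 more...
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
HEADER_RE = re.compile(r"^✗ (\w+) severity vulnerability found in (\S+)$")
# Assumption: Snyk advisory namespaces that denote Linux distro packages; extend as needed.
OS_NAMESPACES = {"DEBIAN", "UBUNTU", "ALPINE", "RHEL", "CENTOS", "AMZN"}


@dataclass
class Finding:
    severity: str
    package: str                       # Debian "source/binary" name, e.g. glibc/libc6
    description: str = ""
    info: str = ""
    introduced_through: list = field(default_factory=list)  # [(package, version), ...]

    @property
    def snyk_id(self) -> str:
        return self.info.rsplit("/", 1)[-1]

    @property
    def distro(self):
        """Distro tag (e.g. DEBIAN11) when the advisory is an OS-package one, else None."""
        m = re.match(r"SNYK-([A-Z]+)(\d*)-", self.snyk_id)
        if m and m.group(1) in OS_NAMESPACES:
            return m.group(1) + m.group(2)
        return None

    @property
    def installed_version(self):
        """Version of the vulnerable package itself, read from 'Introduced through'."""
        for pkg, ver in self.introduced_through:
            if pkg == self.package:
                return ver
        return None


def parse_scan(text):
    """Parse the text report into Finding objects; 'From:' and 'and N more' lines are ignored."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = Finding(severity=m.group(1).lower(), package=m.group(2))
            findings.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Description:"):
            current.description = line.split(":", 1)[1].strip()
        elif line.startswith("Info:"):
            current.info = line.split(":", 1)[1].strip()
        elif line.startswith("Introduced through:"):
            for dep in line.split(":", 1)[1].split(","):
                pkg, _, ver = dep.strip().partition("@")
                current.introduced_through.append((pkg, ver))
    return findings


def summarize(findings):
    by_severity = Counter(f.severity for f in findings)
    versions = defaultdict(set)
    for f in findings:
        if f.installed_version:
            versions[f.package].add(f.installed_version)
    os_level = [f for f in findings if f.distro]
    return {
        "total": len(findings),
        "by_severity": dict(by_severity),
        "packages": {p: sorted(v) for p, v in versions.items()},
        "os_package_findings": len(os_level),
        "distros": sorted({f.distro for f in os_level}),
    }


def fails_gate(findings, threshold="high"):
    """CI gate: True if any finding is at or above the threshold severity."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f.severity, 0) >= floor for f in findings)


def debian_tracker_url(finding):
    """Where to check whether Debian has shipped a fix: keyed by source package (before '/')."""
    source = finding.package.split("/", 1)[0]
    return f"https://security-tracker.debian.org/tracker/source-package/{source}"


if __name__ == "__main__":
    fs = parse_scan(SAMPLE_SCAN)
    s = summarize(fs)
    print(f"{s['total']} findings, by severity: {s['by_severity']}")
    print(f"{s['os_package_findings']} are OS-package advisories from {s['distros']}")
    for pkg, vers in s["packages"].items():
        print(f"  {pkg} @ {', '.join(vers)}")
    for f in fs:
        print(f"  {f.snyk_id}: {f.description} -> {debian_tracker_url(f)}")
    print("gate(high):", "FAIL" if fails_gate(fs) else "pass")
```

Run against the full report rather than the excerpt and every one of the 16 findings resolves to the same two Debian packages (libssl1.1 and libc6) at their installed versions, which is the fact that decides ownership: the image maintainer can only pick these fixes up by rebuilding on a newer base, and the tracker URL is where to confirm whether Debian has a fixed version yet. The gate threshold is a policy choice; with only low findings the default `high` gate passes.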