fluent / fluent-bit-docker-image

Docker image for Fluent Bit
https://hub.docker.com/r/fluent/fluent-bit/
Apache License 2.0

The image has CVE #53

Open igajsin opened 2 years ago

igajsin commented 2 years ago

Hi. I've tried to run the security scanner trivy against the fluent/fluent-bit image and it found multiple CVEs, including critical ones.

# How to reproduce

1. Install the vulnerability scanner trivy as described here: https://aquasecurity.github.io/trivy/v0.17.0/installation/
2. Run it against an image like this:

```text
trivy i --severity CRITICAL fluent/fluent-bit:1.8.11
2022-05-23T13:32:17.936+0200    INFO    Detected OS: debian
2022-05-23T13:32:17.936+0200    INFO    Detecting Debian vulnerabilities...
2022-05-23T13:32:17.938+0200    INFO    Number of language-specific files: 0

fluent/fluent-bit:1.8.11 (debian 10.11)

Total: 4 (CRITICAL: 4)
```

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---------|---------------|----------|-------------------|---------------|-------|
| libc6 | CVE-2021-33574 | CRITICAL | 2.28-10 | | glibc: mq_notify does not handle separately allocated thread attributes (https://avd.aquasec.com/nvd/cve-2021-33574) |
| libc6 | CVE-2021-35942 | CRITICAL | 2.28-10 | | glibc: Arbitrary read in wordexp() (https://avd.aquasec.com/nvd/cve-2021-35942) |
| libc6 | CVE-2022-23218 | CRITICAL | 2.28-10 | | glibc: Stack-based buffer overflow in svcunix_create via long pathnames (https://avd.aquasec.com/nvd/cve-2022-23218) |
| libc6 | CVE-2022-23219 | CRITICAL | 2.28-10 | | glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname (https://avd.aquasec.com/nvd/cve-2022-23219) |


# Expected behavior
No CVEs (at least with HIGH or CRITICAL severity) found

# Actual behavior
There are CVEs.


edsiper commented 2 years ago

That's an old version and the CVE is in the base image, the Google distroless one. I would step up to the latest version to confirm and you can also verify by running a scan on the base image.

1.8.12+ includes a step up to Debian 11 but also any new release will pick up the latest base image at the time with CVE fixes.

If people need CVE fixes then they should be on latest: backporting of the OSS to pick them up is not supported (a service from a commercial provider, though).

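As an added example (not code from the issue or from the fluent-bit project), a small Python gate that reads trivy's `--format json` reports for the application image and for its base image, attributes findings to the base layer the way edsiper suggests verifying them, and fails on HIGH or CRITICAL findings as the issue's expected behaviour states. The two reports are constructed inline to mirror the four libc6 findings quoted above; `debian-base:placeholder`, `example-pkg` and `CVE-0000-PLACEHOLDER` are placeholders, not real identifiers.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def _vuln(cve, pkg, sev="CRITICAL", installed="2.28-10", fixed=""):
    """One entry in the shape trivy emits under Results[].Vulnerabilities (fields trimmed)."""
    return {"VulnerabilityID": cve, "PkgName": pkg, "Severity": sev,
            "InstalledVersion": installed, "FixedVersion": fixed}

# Constructed sample reports mirroring the four libc6 findings quoted in the issue.
# "debian-base:placeholder", "example-pkg" and "CVE-0000-PLACEHOLDER" are placeholders.
GLIBC_CVES = ["CVE-2021-33574", "CVE-2021-35942", "CVE-2022-23218", "CVE-2022-23219"]
BASE_REPORT = json.dumps({
    "ArtifactName": "debian-base:placeholder",
    "Results": [{"Target": "debian-base:placeholder (debian 10.11)",
                 "Vulnerabilities": [_vuln(c, "libc6") for c in GLIBC_CVES]}]})
APP_REPORT = json.dumps({
    "ArtifactName": "fluent/fluent-bit:1.8.11",
    "Results": [{"Target": "fluent/fluent-bit:1.8.11 (debian 10.11)",
                 "Vulnerabilities": [_vuln(c, "libc6") for c in GLIBC_CVES]
                 + [_vuln("CVE-0000-PLACEHOLDER", "example-pkg", "HIGH", "1.0", "1.1")]}]})

def findings(report_json):
    """Map (CVE id, package) -> finding dict for every vulnerability in a trivy JSON report."""
    out = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is null when a target is clean
            out[(v["VulnerabilityID"], v["PkgName"])] = v
    return out

def attribute_to_base(app_json, base_json):
    """Split the app image's findings into those inherited from its base image and its own."""
    app, base = findings(app_json), findings(base_json)
    inherited = sorted(k for k in app if k in base)
    own = sorted(k for k in app if k not in base)
    return inherited, own

def gate(report_json, threshold="HIGH"):
    """Return (passes, offending ids): fail when any finding is at or above the threshold."""
    bar = SEVERITY_RANK[threshold]
    offending = sorted(cve for (cve, _), v in findings(report_json).items()
                       if SEVERITY_RANK.get(v["Severity"], 0) >= bar)
    return not offending, offending

def unfixed(report_json):
    """CVE ids with no fixed distro package: these only go away with a newer base image."""
    return sorted(cve for (cve, _), v in findings(report_json).items() if not v["FixedVersion"])
```

Running the same split against a real `trivy image --format json` report for the image and for the base tag its Dockerfile starts `FROM` shows immediately whether a finding is something the image build can fix or something only a base-image bump will clear.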

igajsin commented 2 years ago

OK, the latest image looks much better, no critical CVEs: https://pastebin.com/PwyiFP6A

Probably can close the issue.