fluent / fluentd-docker-image

Docker image for Fluentd
https://hub.docker.com/r/fluent/fluentd/
Apache License 2.0

Vulnerability for fluentd:v1.16.0-1.0 #359

Closed im-bravo closed 1 year ago

im-bravo commented 1 year ago

Hello, many thanks for fluentd and the fluentd Docker image.

We found 2 CVEs in the latest Docker image, 1.16.0:

https://nvd.nist.gov/vuln/detail/CVE-2023-2975
https://nvd.nist.gov/vuln/detail/CVE-2023-36617

It looks like it is related to the libcrypto3 and libssl3 packages. Based on my scan tool, upgrading from 3.0.9-r1 to 3.0.9-r2 can fix this issue.

tunguyen9889 commented 1 year ago

I created a PR https://github.com/fluent/fluentd-docker-image/pull/362 to update to alpine:3.18, which should contain the fixes for:
https://nvd.nist.gov/vuln/detail/CVE-2023-2975
https://nvd.nist.gov/vuln/detail/CVE-2023-3446

tunguyen9889 commented 1 year ago

For https://nvd.nist.gov/vuln/detail/CVE-2023-36617, we need to upgrade uri to 0.12.2 (reference: https://scout.docker.com/vulnerabilities/id/CVE-2023-36617), but I don't see any gem installing that package in the Dockerfile; it looks like it comes as a dependency.
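The two checks in this thread (Alpine libssl3/libcrypto3 at or above 3.0.9-r2, the Ruby uri gem at or above 0.12.2) are done by hand against a scanner report. The script below is an added example, not code from the issue or the fluentd project, that automates the same comparison over an image's package inventory. The inventory lines are constructed, modelled on the output format of `apk list --installed` and `gem list`; the installed versions they show (3.0.9-r1, uri 0.12.1) and the `FIXED` table are assumptions taken from the thread for illustration. The Alpine `-rN` suffix is treated as a package revision that sorts after the bare upstream version, which is why a generic semver or RubyGems comparison is not used for it.

```python
"""Flag packages in a container image inventory that are below their fixed version.

Added example, not part of the fluentd-docker-image project. Sample inventory
lines are constructed to look like `apk list --installed` and `gem list` output.
"""
import re

# Minimum fixed versions and the CVE each one addresses, as stated in the thread
# (assumed here for illustration; take the real values from your scanner/advisory).
FIXED = {
    ("apk", "libssl3"):    ("3.0.9-r2", "CVE-2023-2975"),
    ("apk", "libcrypto3"): ("3.0.9-r2", "CVE-2023-2975"),
    ("gem", "uri"):        ("0.12.2",   "CVE-2023-36617"),
}

def parse_apk_version(v):
    """'3.0.9-r2' -> ((3, 0, 9), 2). Alpine's -rN is a package revision,
    not a prerelease, so it must sort after the same upstream version."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)*)(?:-r([0-9]+))?", v)
    if not m:
        raise ValueError(f"unsupported apk version: {v}")
    upstream = tuple(int(x) for x in m.group(1).split("."))
    return upstream, int(m.group(2) or 0)

def parse_gem_version(v):
    """Numeric dotted gem versions only: '0.12.2' -> (0, 12, 2)."""
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", v):
        raise ValueError(f"unsupported gem version: {v}")
    return tuple(int(x) for x in v.split("."))

PARSERS = {"apk": parse_apk_version, "gem": parse_gem_version}

def is_fixed(kind, installed, required):
    """True when the installed version is at or above the required fix."""
    parse = PARSERS[kind]
    return parse(installed) >= parse(required)

# `apk list --installed` line: "<name>-<version> <arch> {origin} (license) [installed]"
# The version starts at the first "-<digit>" boundary after the package name.
APK_LINE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[^\s]*)\s")
# `gem list` line: "<name> (<ver>[, default: <ver>...])"
GEM_LINE = re.compile(r"^(?P<name>\S+) \((?P<vers>[^)]*)\)")

def parse_inventory(kind, text):
    """Yield (name, [versions]) pairs from inventory text of the given kind."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if kind == "apk":
            m = APK_LINE.match(line)
            if m:
                yield m.group("name"), [m.group("ver")]
        else:
            m = GEM_LINE.match(line)
            if m:
                # entries look like "0.12.2" or "default: 0.12.1"
                vers = [v.split(":")[-1].strip() for v in m.group("vers").split(",")]
                yield m.group("name"), vers

def find_unfixed(kind, text, fixed=FIXED):
    """Return [(name, installed, required, cve)] for tracked packages below their fix.
    For gems with several versions installed, the highest one is assumed to be the
    version that gets loaded (true without a Gemfile.lock pinning an older one)."""
    out = []
    for name, vers in parse_inventory(kind, text):
        key = (kind, name)
        if key not in fixed:
            continue                      # only tracked packages are version-parsed
        required, cve = fixed[key]
        installed = max(vers, key=PARSERS[kind])
        if not is_fixed(kind, installed, required):
            out.append((name, installed, required, cve))
    return out

# Constructed sample inventories (not captured from the real image).
APK_SAMPLE = """\
ca-certificates-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libcrypto3-3.0.9-r1 x86_64 {openssl} (Apache-2.0) [installed]
libssl3-3.0.9-r1 x86_64 {openssl} (Apache-2.0) [installed]
"""
GEM_SAMPLE = """\
fluentd (1.16.0)
uri (default: 0.12.1)
"""

if __name__ == "__main__":
    for kind, text in (("apk", APK_SAMPLE), ("gem", GEM_SAMPLE)):
        for name, installed, required, cve in find_unfixed(kind, text):
            print(f"{kind}:{name} {installed} < {required} ({cve})")
```

Against a real image, feed the script the output of `docker run --rm <image> apk list --installed` and `docker run --rm <image> gem list` instead of the constructed samples. The gem check only tells you which versions are present on disk; which one fluentd actually loads depends on Bundler and any Gemfile.lock in the image, so treat "highest installed version" as an assumption to verify rather than a guarantee.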

ashie commented 1 year ago

I released v1.16.2-1.1 at fluent/fluentd to suppress these CVEs. I'll close this issue after I reflect it on https://hub.docker.com/_/fluentd.

tunguyen9889 commented 1 year ago

Hi @ashie, thanks for fixing that! Could you please rebuild the Docker images in https://github.com/fluent/fluentd-kubernetes-daemonset as well, to patch those CVEs? By the way, I have checked and am still not seeing the new tag v1.16.2-1.1 pushed to https://hub.docker.com/_/fluentd.

ashie commented 1 year ago

> Hi @ashie, thanks for fixing that! Could you please rebuild the Docker images in https://github.com/fluent/fluentd-kubernetes-daemonset as well, to patch those CVEs?

Of course we'll do it. Please wait for a while.

> By the way, I have checked and am still not seeing the new tag v1.16.2-1.1 pushed to https://hub.docker.com/_/fluentd.

Yes, not yet. Please wait for a while.

tunguyen9889 commented 1 year ago

Hi @ashie, thanks for this https://github.com/fluent/fluentd-kubernetes-daemonset/pull/1460, but it looks like some images (for example v1.16.2-debian-s3-amd64-1.1) are still missing on Docker Hub.

ashie commented 1 year ago

> Hi @ashie, thanks for this fluent/fluentd-kubernetes-daemonset#1460, but it looks like some images (for example v1.16.2-debian-s3-amd64-1.1) are still missing on Docker Hub.

It's a known issue: https://github.com/fluent/fluentd-kubernetes-daemonset/issues/1455. In the short term, we'll solve it by reorganizing the build settings on Docker Hub. In the medium term, we should resolve it by migrating the deployment system to GitHub Actions: #318

ashie commented 1 year ago

fluentd-kubernetes-daemonset v1.16-debian-s3 has also been updated.