Closed siddharthck closed 3 years ago
Thanks, but the attached file contains your host OS's vulnerabilities, so this list is not accurate, apparently. This image is derived from the buster-slim image; could you help to clarify which CVE actually affects it? It seems that it should be forwarded to https://github.com/docker-library/ruby/tree/master/2.6/slim-buster instead.
If it contains vulnerabilities that are not contained in buster-slim, it should be fixed, though.
@kenhys Thanks for pointing it out. Yes, all vulnerabilities are the host OS's. I think it's because of the base image buster-slim. I will forward it to https://github.com/docker-library/ruby/tree/master/2.6/slim-buster.
However, in the future are you going to use the alpine image as the base image, which has very few vulnerabilities compared to buster?
BTW, these are the vulnerabilities found for fluentd:
Target : usr/local/bundle/gems/http_parser.rb-0.6.0/Gemfile.lock

| ID | SEVERITY | PACKAGE | VERSION | FIXED IN |
| -- | -- | -- | -- | -- |
| CVE-2018-1000201 | HIGH | ffi | 1.0.11 | 1.9.24 |
| CVE-2018-1000201 | HIGH | ffi | 1.0.11-java | 1.9.24 |
| CVE-2020-10663 | HIGH | json | 1.8.0 | 2.3.0 |
| CVE-2020-10663 | HIGH | json | 1.8.0-java | 2.3.0 |
| CVE-2017-16516 | HIGH | yajl-ruby | 1.1.0 | 1.3.1 |
| CVE-2020-8130 | HIGH | rake | 0.9.2 | 12.3.3 |
Target : fluent/Gemfile.lock

| ID | SEVERITY | PACKAGE | VERSION | FIXED IN |
| -- | -- | -- | -- | -- |
| CVE-2021-32740 | HIGH | addressable | 2.7.0 | 2.8.0 |
Target : usr/local/bundle/gems/async-http-0.50.7/examples/fetch/Gemfile.lock

| ID | SEVERITY | PACKAGE | VERSION | FIXED IN |
| -- | -- | -- | -- | -- |
| CVE-2020-8184 | HIGH | rack | 2.2.2 | 2.2.3, 2.1.4 |
This case is a false positive because it is not used.
The fluent/fluentd-kubernetes-daemonset:v1.13-debian-forward-1 image is updated from time to time; the current image doesn't have such vulnerabilities. The current image points to v1.13.3-debian-forward-amd64-1.1.
I guess you checked the old image.
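The triage kenhys describes above (base-image CVEs belong upstream, a Gemfile.lock under a gem's examples/ tree is never loaded) can be automated over Trivy's JSON output. This is an added example, not code from the fluentd project or this thread; it assumes Trivy's schema-2 JSON layout and uses a constructed sample report.

```python
# Added example (not the fluentd project's code): split a Trivy JSON report
# into base-OS findings, app gem findings, and lockfiles that are shipped but
# never loaded. Assumes Trivy schema-2 layout ("Results" with "Target", "Class",
# "Vulnerabilities"); the sample report below is constructed, not a real scan.
import json
from collections import Counter

# Constructed sample mirroring the thread: one Debian target, the real
# fluent/Gemfile.lock, and a lockfile inside a gem's examples/ directory.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "Results": [
    {"Target": "fluentd-kubernetes-daemonset (debian 10.10)", "Class": "os-pkgs",
     "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc6",
                          "InstalledVersion": "2.28-10", "Severity": "LOW"}]},
    {"Target": "fluent/Gemfile.lock", "Class": "lang-pkgs",
     "Vulnerabilities": [{"VulnerabilityID": "CVE-2021-32740", "PkgName": "addressable",
                          "InstalledVersion": "2.7.0", "FixedVersion": "2.8.0",
                          "Severity": "HIGH"}]},
    {"Target": "usr/local/bundle/gems/async-http-0.50.7/examples/fetch/Gemfile.lock",
     "Class": "lang-pkgs",
     "Vulnerabilities": [{"VulnerabilityID": "CVE-2020-8184", "PkgName": "rack",
                          "InstalledVersion": "2.2.2", "FixedVersion": "2.2.3, 2.1.4",
                          "Severity": "HIGH"}]},
]})

# Directories whose Gemfile.lock Bundler never loads for the installed app.
UNUSED_DIRS = ("/examples/", "/example/", "/spec/", "/test/")

def classify_target(target, cls=None):
    """Map a Trivy result to 'base_os', 'app' or 'unused'."""
    if cls is None:  # older reports lack "Class"; infer from the target path
        cls = "lang-pkgs" if target.endswith("Gemfile.lock") else "os-pkgs"
    if cls == "os-pkgs":
        return "base_os"            # belongs to the upstream Debian image
    if any(d in "/" + target for d in UNUSED_DIRS):
        return "unused"             # example/test lockfile: likely false positive
    return "app"                    # the image's own gems: fix here

def triage(report_json):
    """Group (target, CVE, package, installed, fixed, severity) by bucket."""
    buckets = {"base_os": [], "app": [], "unused": []}
    for r in json.loads(report_json).get("Results", []):
        key = classify_target(r["Target"], r.get("Class"))
        for v in r.get("Vulnerabilities") or []:
            buckets[key].append((r["Target"], v["VulnerabilityID"], v["PkgName"],
                                 v["InstalledVersion"], v.get("FixedVersion", ""),
                                 v["Severity"]))
    return buckets

def summarize(buckets):
    """Per-bucket severity counts, like Trivy's 'Total:' line."""
    return {k: dict(Counter(f[5] for f in v)) for k, v in buckets.items()}
```

Run it against `trivy image -f json -o report.json <image>` output by passing the file contents to `triage`; only the `app` bucket is actionable in this repository, `base_os` goes to the base-image maintainers.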
Thanks @kenhys !
I scanned the fluent/fluentd-kubernetes-daemonset:v1.13-debian-forward-1 image with trivy, and it returns 250+ CVEs. Total: 257 (UNKNOWN: 6, LOW: 159, MEDIUM: 42, HIGH: 42, CRITICAL: 8) All vulnerabilities listed: vuln.txt
There are a lot of vulnerabilities there, it seems. I guess this is due to the underlying debian image. Could you please fix these vulnerabilities in the image?