fluent / fluentd-kubernetes-daemonset

Fluentd daemonset for Kubernetes and its Docker image
Apache License 2.0

security vulnerabilities detected in Fluentd v1.15.3 using Prisma tool #1434

Closed latan9 closed 1 year ago

latan9 commented 1 year ago

Dear team,

The below high-severity vulnerabilities were detected in Fluentd v1.15.3 using the Prisma tool.

Please find below the vulnerability having high severity:

CVE-2023-29491 CVE-2022-29458 CVE-2021-43809 CVE-2023-28755 CVE-2023-28756

Please let us know the impact and possible fix for the above vulnerabilities.

latan9 commented 1 year ago

Dear team, please look into the issue.

ashie commented 1 year ago

Thanks for your report.

The below high-severity vulnerabilities were detected in Fluentd v1.15.3 using the Prisma tool.

The latest is v1.16.2, please use it.

CVE-2023-29491 CVE-2022-29458

Fluentd doesn't use ncurses when running as a daemon.

CVE-2021-43809

Already answered at https://github.com/fluent/fluentd-kubernetes-daemonset/issues/1421#issuecomment-1491609356

CVE-2023-28755 CVE-2023-28756

Already fixed in v1.16 image.

BTW we would be happy if you could not only present the results of the tool, but also check the validity of the contents as much as possible (for CVE-2021-43809, we already notified you that it doesn't affect us).
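The reply above distinguishes a package being present in the image from it being used by the running daemon (the ncurses case). The following added example, written here and not part of the fluentd project or the issue, shows one way to check that distinction on a live container: it inspects the process's `/proc/PID/maps` for file-backed mappings of a given library. It assumes the daemon's process name is `fluentd`, that `pgrep` from procps is available, and that the script runs inside the container; the sample maps file is constructed for offline demonstration.

```shell
#!/bin/sh
# Added example, not code from the fluentd project.
# lib_mapped MAPS_FILE PATTERN
#   Returns 0 if any file-backed mapping in MAPS_FILE (the format of
#   /proc/PID/maps) has a path matching the extended regex PATTERN,
#   1 otherwise. Column 6 of a maps line is the backing file path.
lib_mapped() {
  maps_file="$1"
  pattern="$2"
  awk -v pat="$pattern" '$6 ~ pat { found = 1 } END { exit found ? 0 : 1 }' "$maps_file"
}

# check_fluentd_ncurses
#   Looks up the oldest process matching "fluentd" (assumed process name)
#   and reports whether libncurses/libtinfo is mapped into it.
#   Exit codes: 0 = library is loaded, 1 = not loaded, 2 = daemon not found.
check_fluentd_ncurses() {
  pid=$(pgrep -o -f fluentd) || { echo "fluentd process not found"; return 2; }
  if lib_mapped "/proc/$pid/maps" 'libncurses|libtinfo'; then
    echo "ncurses is mapped into fluentd (pid $pid): finding applies at runtime"
    return 0
  fi
  echo "ncurses is not mapped into fluentd (pid $pid): package present, not loaded"
  return 1
}

# make_sample_maps FILE WITH_NCURSES
#   Writes a constructed /proc/PID/maps excerpt (not real output) to FILE.
#   When WITH_NCURSES is 1, an extra libncurses mapping is appended.
make_sample_maps() {
  cat > "$1" <<'EOF'
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/ruby
7f0000000000-7f0000020000 r-xp 00000000 08:01 5678 /usr/lib/libruby.so.3.2
7f0000100000-7f0000101000 rw-p 00000000 00:00 0
7f0000200000-7f0000220000 r-xp 00000000 08:01 9012 /usr/lib/libc.so.6
EOF
  if [ "$2" = "1" ]; then
    echo '7f0000300000-7f0000320000 r-xp 00000000 08:01 3456 /usr/lib/libncursesw.so.6' >> "$1"
  fi
}

# Stand-alone demonstration on the constructed samples.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  tmp="${TMPDIR:-/tmp}/maps_demo.$$"
  make_sample_maps "$tmp" 0
  lib_mapped "$tmp" 'libncurses|libtinfo' && echo "sample without ncurses: mapped" || echo "sample without ncurses: not mapped"
  make_sample_maps "$tmp" 1
  lib_mapped "$tmp" 'libncurses|libtinfo' && echo "sample with ncurses: mapped" || echo "sample with ncurses: not mapped"
  rm -f "$tmp"
fi
```

Run `check_fluentd_ncurses` inside the container to test the live daemon; a "not mapped" result supports treating an ncurses CVE as not reachable from the Fluentd process, while the package itself may still be used by other tools in the image. For the gem-based findings, compare the installed gem versions (`gem list`) against the fixed version stated in each advisory rather than relying on the scanner's package match alone.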

latan9 commented 1 year ago

Thank you for the information