High CVEs found in latest Docker image "fluent/fluentd-kubernetes-daemonset:v1.16.2-debian-logzio-amd64-1.1"

[mfds]

Hello, Snyk is picking up a few CRITICAL/HIGH issues with this image

• CVE-2023-45853
• CVE-2023-4911

Would it be possible to build new images with updated packages? That alone might fix these issues.

Also, as mentioned by https://github.com/fluent/fluentd-kubernetes-daemonset/issues/1435, would you consider using a smaller base image?

Thanks, Michele Fiordispina

[kenhys]

NOTE:

• CVE-2023-45853

According to https://security-tracker.debian.org/tracker/CVE-2023-45853, it seems that bullseye base image is vulnerable.

zlib: CVE-2023-45853 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054290

But, checked bugs.d.o report, it seems that this is not affected because affected code (MiniZip) is not built-in.

• CVE-2023-4911

Surely, fixed in bullseye-security.

https://security-tracker.debian.org/tracker/CVE-2023-4911 https://tracker.debian.org/news/1468062/accepted-glibc-231-13deb11u7-source-into-oldstable-security/

[mfds]

Many thanks for rebuilding the images

[ira-gordin-sap]

fluent/fluentd-kubernetes-daemonset:v1.16.3-debian-opensearch-1.0 is vulnerable as well. Looks like this is the same fix. Let me know if I need open another issue. It looks like Debian 11 is used here, but most of the CVE's were fixed in Debian 12.

[migster42]

Also fluent/fluentd-kubernetes-daemonset:v1-debian-elasticsearch is vulnerable @kenhys. Besides

• CVE-2023-45853
• CVE-2023-4911

There are a few more CVEs:

• CVE-2023-29491 (high)
• CVE-2023-36054 (medium)
• CVE-2023-3817 (medium)
• CVE-2023-3446 (medium)

[kenhys]

The latest version is based on fluent/fluentd:v1.16.3-debian-amd64-1.0 image,

• https://security-tracker.debian.org/tracker/CVE-2023-45853 it seems that it was marked as vulnerable (bullseye-security) on that page ,but only minizip was affected, See https://security-tracker.debian.org/tracker/DLA-3670-1
• https://security-tracker.debian.org/tracker/CVE-2023-4911 already fixed in bullseye (security) glibc 2.31-13+deb11u7 (via https://github.com/fluent/fluentd-docker-image/pull/369)
• https://security-tracker.debian.org/tracker/CVE-2023-29491 have nothing to do with fluentd, already fixed in bullseye security ncurses 6.2+20201114-2+deb11u2
• https://security-tracker.debian.org/tracker/CVE-2023-36054 It may be wrong with security-tracker.d.o. already fixed in bullseye (security) krb5 1.18.3-6+deb11u4
• https://security-tracker.debian.org/tracker/CVE-2023-3817 It may be wrong with security-tracker.d.o. already fixed in bullseye (security) openssl 1.1.1w-0+deb11u1

Conclusion: please use newer v1.16.3-debian-xxx-amd64-1.x image instead.

NOTE: basically older version of image fluent/fluentd-kubernetes-daemonset:v1.16.2-xxx will not be updated anymore.

[ira-gordin-sap]

fluent/fluentd-kubernetes-daemonset:v1.16.3-debian-opensearch-1.0 is vulnerable as well. Looks like this is the same fix. Let me know if I need open another issue. It looks like Debian 11 is used here, but most of the CVE's were fixed in Debian 12.

@kenhys what about this?

[ira-gordin-sap]

I opened a new one https://github.com/fluent/fluentd-kubernetes-daemonset/issues/1470. @kenhys