kube-logging / logging-operator

Logging operator for Kubernetes
https://kube-logging.dev
Apache License 2.0

Upgrade fluent-bit to fix CVE-2024-4323 / GHSA-5rjf-prwh-pp7q #1741

Closed smlx closed 2 months ago

smlx commented 2 months ago

Describe the bug: There is a recently disclosed security vulnerability in fluent-bit versions v2.0.7-v3.0.3 inclusive. It is patched in v3.0.4.

Expected behaviour: I would expect the logging-operator to use a patched version of fluent-bit.

Steps to reproduce the bug: See that the logging-operator uses fluent-bit v2.2.2.

Additional context: Unfortunately the GHSA for this issue is not yet public so this link 404s for me: link. I assume it will be made public shortly.

Environment details: n/a

/kind bug

kefiras commented 2 months ago

+1

pepov commented 2 months ago

I'm upgrading fluentbit in the latest release now and in mainline; please set the fluentbit version in your Logging or FluentbitAgent resource manually until then:

```yaml
# Pin the fluent-bit image tag on the Logging resource
kind: Logging
spec:
  fluentbit:
    image:
      tag: "3.0.4"
---
# Or, if fluent-bit is managed through a separate FluentbitAgent resource
kind: FluentbitAgent
spec:
  image:
    tag: "3.0.4"
```

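
Pinning the tag is only half the job; what a practitioner wants next is a check that no pod in the cluster is still running an image in the affected range. The script below is an added example, not code from this issue or from the logging-operator project. It assumes the range stated above (v2.0.7 through v3.0.3 inclusive, fixed in v3.0.4), parses container image references the way a registry does (tag after the last colon past the final slash, optional `@sha256:` digest), and treats anything it cannot resolve to a version (`latest`, digest-only references) as unknown rather than safe. The image references in `SAMPLE_IMAGES` are constructed for the example.

```python
"""Audit container image references for fluent-bit builds affected by CVE-2024-4323.

Added example, not part of the logging-operator project. The affected range
(2.0.7 <= version < 3.0.4) is taken from the issue text; the sample image
references below are constructed, not collected from a real cluster.
"""
import re
from typing import Dict, List, Optional, Tuple

VULN_LOW = (2, 0, 7)   # first affected release
FIXED = (3, 0, 4)      # first patched release

# Leading "v" is optional; anything after the patch number (e.g. "-debug") is ignored.
_TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def split_image(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'repo[:tag][@digest]' into (repo, tag, digest).

    A colon only introduces a tag if it comes after the last '/'; otherwise it
    is a registry port (e.g. 'localhost:5000/fluent-bit').
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    repo, sep, tag = ref.rpartition(":")
    if sep and "/" not in tag:
        return repo, tag, digest
    return ref, None, digest


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a semver-like tag, or None."""
    m = _TAG_RE.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def classify(ref: str) -> str:
    """Classify one image reference as vulnerable, fixed, unaffected or unknown."""
    _repo, tag, _digest = split_image(ref)
    if tag is None:
        # Digest-only or untagged ('latest' implied): resolve against the registry before trusting it.
        return "unknown"
    version = parse_version(tag)
    if version is None:
        return "unknown"      # 'latest', 'debug', branch names, ...
    if version < VULN_LOW:
        return "unaffected"
    if version < FIXED:
        return "vulnerable"
    return "fixed"


def audit(pod_images: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (pod, image) pairs by classification; only fluent-bit images are considered."""
    result: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unaffected": [], "unknown": []}
    for pod, image in pod_images:
        repo, _tag, _digest = split_image(image)
        if "fluent-bit" not in repo:
            continue
        result[classify(image)].append(f"{pod} -> {image}")
    return result


# Constructed sample: what a listing of pods and their container images might contain.
SAMPLE_IMAGES = [
    ("logging/fluentbit-abc12", "fluent/fluent-bit:2.2.2"),
    ("logging/fluentbit-def34", "fluent/fluent-bit:3.0.4"),
    ("logging/fluentbit-ghi56", "ghcr.io/fluent/fluent-bit:v3.0.3"),
    ("logging/fluentbit-jkl78", "localhost:5000/fluent-bit:3.0.4-debug"),
    ("logging/fluentbit-mno90", "fluent/fluent-bit:latest"),
    ("logging/fluentd-0", "ghcr.io/kube-logging/fluentd:v1.16-4"),
]

if __name__ == "__main__":
    for state, entries in audit(SAMPLE_IMAGES).items():
        for line in entries:
            print(f"{state:<11} {line}")
```

To feed it real data, the image column can be pulled with `kubectl get pods -A -o jsonpath="{.items[*].spec.containers[*].image}"`; an `unknown` result means the tag does not identify a release and the digest has to be resolved against the registry before the pod is treated as patched.
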
pepov commented 2 months ago

https://github.com/kube-logging/logging-operator/releases/tag/4.6.1 is available and uses the latest fluentbit image by default.

Note: please consider adding yourself to the adopters list to help the project get promoted to CNCF Incubating