Description
The latest pravega-operator image has OpenSSL 1.1.1l installed, which contains CVE-2021-4160. This has been fixed in OpenSSL 1.1.1m+ versions. Though alpine:3.14 has OpenSSL 1.1.1n, it seems the latest pravega-operator image does not contain that fix. So it's recommended to update the alpine image from 3.14 to 3.15.
Importance
must-have
Location
https://github.com/pravega/pravega-operator/blob/master/Dockerfile
Suggestions for an improvement
Update the alpine image version to 3.15
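
A release-time check for the condition described above, added here as an example and not taken from the pravega-operator repository: it classifies an `openssl version` line from the built image against the 1.1.1m fix level named in this issue. The function name, the status words and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not project code).
# Classifies an `openssl version` line against 1.1.1m, the first 1.1.1
# release this issue names as carrying the fix for CVE-2021-4160.
FIXED_SUFFIX="m"

# Prints one of: fixed | unfixed | unknown
openssl_111_status() {
    # The second field of e.g. "OpenSSL 1.1.1l ..." is the version string.
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        1.1.1*) suffix=${ver#1.1.1} ;;
        *) echo unknown; return 0 ;;      # other series or other library
    esac
    suffix=${suffix%%-*}                  # drop qualifiers such as "-fips"
    case "$suffix" in
        "") echo unfixed; return 0 ;;     # plain 1.1.1 predates all letter releases
        *[!a-z]*) echo unknown; return 0 ;;
    esac
    # A longer letter suffix sorts after every single-letter release.
    if [ "${#suffix}" -gt "${#FIXED_SUFFIX}" ]; then
        echo fixed
        return 0
    fi
    # Same length: plain string comparison of the letters.
    if awk -v a="$suffix" -v b="$FIXED_SUFFIX" 'BEGIN { exit !(a >= b) }'; then
        echo fixed
    else
        echo unfixed
    fi
}

# Constructed sample lines: the version reported for the operator image,
# the version reported for alpine:3.14, and a line outside the 1.1.1 series.
for line in "OpenSSL 1.1.1l" "OpenSSL 1.1.1n" "OpenSSL 3.0.2"; do
    printf '%s -> %s\n' "$line" "$(openssl_111_status "$line")"
done
```

Feeding it the `openssl version` output captured from inside the freshly built image, rather than from the base image tag, catches the case reported here where the base image has the fix but the published image does not.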