Closed pandoscas closed 11 months ago
@pandoscas I have updated zookeeper to 3.8.3 for vulnerabilities remediation. Updated files: docker/zu/build.gradle.kts, docker/Dockerfile (updated base img version of zk).
Looks like these two are the only files to be modified to make it 3.8.3. I can see a good amount of vulnerabilities have been removed.
Yes, from what I could tell, even on other repositories that would close not only the CVEs I referred to but also a good amount of other vulnerabilities.
@subhranil05 there is one issue with scaling in this image: https://issues.apache.org/jira/browse/ZOOKEEPER-4530. Due to that we are not upgrading.
Nice find! I can see if the CVEs were fixed under 3.7.
@anishakj thanks for pointing it out, will check with 3.7.2
Already checked the vulnerabilities with 3.7.2, no CRITICAL were found there: vulnerability_zookeeper.json
I can commit right away the change if 3.7 is ok.
sure, please
@pandoscas what is the status with 3.7.2? Is it working fine with scale in? I still didn't see any commits.
PR is here: https://github.com/pravega/zookeeper-operator/pull/586.
@pandoscas Could you please update the README to 3.7.2
One question, @anishakj: how can I request the creation of a 0.2.16 version? Is it an issue that needs to be opened?
You can create a build by using make build-zk-image till the new release is made.
Hi @anishakj, do you know the approximate timeline for the 0.2.16 release? Something like spring 2024, or are there plans to do it earlier (to release the CVE fixes, etc.)?
Description
While running trivy to look for vulnerabilities in the latest 0.2.15 images, the report returned multiple CRITICAL CVEs in the zookeeper image that have been resolved in the latest stable 3.8.3.
I have attached to this issue the report extracted from trivy, but the CRITICAL CVEs found are: CVE-2023-38545 CVE-2021-32292 CVE-2022-3515 CVE-2022-47629 CVE-2022-1586 CVE-2022-1587 CVE-2021-46848 CVE-2022-37434 CVE-2023-44981
vulnerability_zookeeper_operator_upgrade.json
Importance
must-have
Location
Zookeeper image
Suggestions for an improvement
Bump the zookeeper docker image to version 3.8.3, which is the latest stable version.
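The triage done by hand in this issue (scan the image with trivy, list the CRITICAL findings, re-check a candidate version such as 3.7.2 for criticals) can be scripted against trivy's JSON output. The script below is an added example and is not code from this issue or from the zookeeper-operator project. It parses trivy's Results[].Vulnerabilities[] schema, counts findings by severity, applies a CRITICAL gate and separates findings that carry a FixedVersion (cleared by a base-image bump) from those with no published fix. The embedded report is constructed for the example: its package names, versions and targets are placeholders, and only the CVE identifiers come from the issue.

```python
"""Triage a trivy JSON report: gate on CRITICAL findings, show what a version bump fixes.

Usage: trivy image --format json -o report.json <image> && python triage.py report.json
Without an argument the constructed SAMPLE_REPORT below is used.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
RANK_OF = {s: i for i, s in enumerate(SEVERITY_ORDER)}

# Constructed sample in trivy's JSON output shape. Package names, versions and
# targets are placeholders; the CVE identifiers are those listed in the issue.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/zookeeper:0.2.15",
    "Results": [
        {
            "Target": "example/zookeeper:0.2.15 (os packages)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-38545", "PkgName": "libcurl-placeholder",
                 "InstalledVersion": "1.0-old", "FixedVersion": "1.0-fixed", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2022-37434", "PkgName": "zlib-placeholder",
                 "InstalledVersion": "1.2-old", "FixedVersion": "1.2-fixed", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2022-1586", "PkgName": "pcre2-placeholder",
                 "InstalledVersion": "10-old", "Severity": "HIGH"},  # no FixedVersion field
            ],
        },
        {
            "Target": "Java",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-44981", "PkgName": "zookeeper-placeholder",
                 "InstalledVersion": "3.x-old", "FixedVersion": "3.x-fixed", "Severity": "CRITICAL"},
            ],
        },
    ],
})


def parse_report(text):
    """Flatten trivy's Results[].Vulnerabilities[] into a list of plain dicts."""
    report = json.loads(text)
    findings = []
    for result in report.get("Results", []):
        # trivy emits null (not []) for a target with no findings
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),  # empty when no fix is published yet
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def severity_counts(findings):
    """Count findings per severity level."""
    return Counter(f["severity"] for f in findings)


def at_or_above(findings, threshold="CRITICAL"):
    """Findings whose severity is at least `threshold` (unknown severities rank lowest)."""
    rank = RANK_OF[threshold]
    return [f for f in findings if RANK_OF.get(f["severity"], 0) >= rank]


def unfixed(findings):
    """Findings with no FixedVersion: a base-image bump alone will not clear these."""
    return [f for f in findings if not f["fixed"]]


def gate_passes(findings, threshold="CRITICAL"):
    """True when nothing at or above the threshold was reported."""
    return not at_or_above(findings, threshold)


def summarize(text, threshold="CRITICAL"):
    """Return (gate_passes, report_lines): one header line plus one line per gated finding."""
    findings = parse_report(text)
    counts = severity_counts(findings)
    lines = ["severity counts: " + ", ".join(f"{s}={counts[s]}" for s in SEVERITY_ORDER if counts[s])]
    for f in at_or_above(findings, threshold):
        fix = f["fixed"] or "no fix published"
        lines.append(f"{f['severity']:8} {f['id']:16} {f['pkg']} {f['installed']} -> {fix} [{f['target']}]")
    return gate_passes(findings, threshold), lines


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    passes, lines = summarize(text)
    print("\n".join(lines))
    print("gate:", "PASS" if passes else "FAIL")
    return 0 if passes else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once against the 0.2.15 image's report and once against a report for the candidate image; the non-zero exit on any CRITICAL finding makes the same check usable as a CI gate, and the unfixed list shows which findings a version bump cannot address on its own.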