Closed JPLachance closed 4 years ago
Hello @JPLachance,
As this involves several critical problems, we will take it as a top priority.
We're thinking about the best way to approach the solution, and we've been planning to change the current phusion base image, which has been clearly outdated. Instead of using a third-party Ubuntu 16-based image, we could change it to an official Ubuntu or CentOS image.
Regarding your question about our cloud service, we're using our own generated Docker images. Due to strict regulatory compliance, we also have to pass weekly for catching CVEs and patching them, so this problem only applies to our public Docker images.
I'd also like to thank you for reporting these scan results. Your contributions to this community have always been very valuable, and they help this product to improve its quality and robustness. For that, very much appreciated.
Don't hesitate to share your thoughts on this. Also, please stay tuned to this ticket for tracking the solution.
Best regards
Closing this since it was already addressed in https://github.com/wazuh/wazuh-docker/issues/259. We have selected CentOS 7 as the new base image with S6-Overlay as process manager.
Greetings,
I just did a scan using Snyk of the wazuh/wazuh:3.9.3_6.8.1 container image and here are the results:
As of July 30, 2019, the wazuh/wazuh:3.9.3_6.8.1 container image contains 57 known high theoretical CVEs, 42 mediums, 5 lows.
This is caused by two things:
So, how did you tackle vulnerability management for Wazuh Cloud services? 🙂
In the community, we see people reworking their container images to use a super slim base and install only what is truly required for the app to work.
Thanks for the help!