wurstmeister / kafka-docker

Dockerfile for Apache Kafka
http://wurstmeister.github.io/kafka-docker/
Apache License 2.0

security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image #681

Open ashishpatil09 opened 3 years ago

ashishpatil09 commented 3 years ago

Hi Team

I wanted to use the 2.6.0 docker image for Kafka, but it has lots of security vulnerabilities. Please find the below list of security vulnerabilities: CVE-2021-36159 CVE-2020-25649 CVE-2021-22926 CVE-2021-22922 CVE-2021-22924 CVE-2021-22922 CVE-2021-22924 CVE-2021-31535 CVE-2019-17571

Do we have any plan to fix this in the coming version or any suggestions around this? @wurstmeister

Thanks, Ashish

JaMurphSmi commented 3 years ago

I am facing the same issue. When I do a vulnerability scan on the image I get the same flags. It would be a case of updating dependent packages to a newer version @wurstmeister

OneCricketeer commented 3 years ago

This image directly builds from Kafka binaries. Security issues should be fixed there first.

JaMurphSmi commented 3 years ago

Would that be applicable if the vulnerabilities noted are mostly due to the openjdk and glibc versions being used as part of 2.13-2.7.0?

OneCricketeer commented 2 years ago

Those would be applicable to the base Docker image used by this repo, not exactly Kafka itself.
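The split OneCricketeer describes, base-image packages versus the Kafka distribution itself, is something a scan report can be triaged for automatically, so a maintainer can see which findings go away by rebuilding on an updated base image and which need a new Kafka release. This is an added example and not code from kafka-docker; it assumes a Trivy-style JSON report (a `Results` list whose entries carry `Class` and `Vulnerabilities`), and the embedded report is constructed sample data that reuses the CVE ids from this issue with illustrative package attributions and versions.

```python
import json
from collections import defaultdict

# Constructed sample in the Trivy JSON layout ("Results" -> "Vulnerabilities").
# CVE ids are the ones from this issue; package names and versions are
# illustrative sample data, not the output of a real scan of the image.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "wurstmeister/kafka (alpine)", "Class": "os-pkgs",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2021-36159", "PkgName": "apk-tools",
          "InstalledVersion": "2.10.5-r1", "FixedVersion": "2.10.7-r0", "Severity": "CRITICAL"},
         {"VulnerabilityID": "CVE-2021-22922", "PkgName": "curl",
          "InstalledVersion": "7.77.0-r0", "FixedVersion": "7.78.0-r0", "Severity": "MEDIUM"},
         {"VulnerabilityID": "CVE-2021-22922", "PkgName": "libcurl",
          "InstalledVersion": "7.77.0-r0", "FixedVersion": "7.78.0-r0", "Severity": "MEDIUM"},
         {"VulnerabilityID": "CVE-2021-31535", "PkgName": "libx11",
          "InstalledVersion": "1.7.0-r0", "FixedVersion": "", "Severity": "HIGH"}]},
    {"Target": "Java", "Class": "lang-pkgs",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2019-17571", "PkgName": "log4j:log4j",
          "InstalledVersion": "1.2.17", "FixedVersion": "", "Severity": "CRITICAL"},
         {"VulnerabilityID": "CVE-2020-25649", "PkgName": "jackson-databind",
          "InstalledVersion": "2.10.2", "FixedVersion": "2.10.5.1", "Severity": "HIGH"}]}]})

def triage(report_json):
    """Split scanner findings by where the fix has to land: the base image
    (OS packages, Class == "os-pkgs") or the Kafka distribution (jars)."""
    buckets = defaultdict(list)
    seen = set()
    for result in json.loads(report_json).get("Results", []):
        origin = "base-image" if result.get("Class") == "os-pkgs" else "kafka-distribution"
        for v in result.get("Vulnerabilities") or []:
            key = (origin, v["VulnerabilityID"])
            if key in seen:  # count a CVE once per origin even if several packages carry it
                continue
            seen.add(key)
            buckets[origin].append({"cve": v["VulnerabilityID"], "pkg": v["PkgName"],
                                    "severity": v.get("Severity", "UNKNOWN"),
                                    "fix": v.get("FixedVersion") or None})
    return dict(buckets)

def fixable_by_rebuild(buckets):
    """CVEs that disappear just by rebuilding on a base image with the fixed packages."""
    return sorted(f["cve"] for f in buckets.get("base-image", []) if f["fix"])

if __name__ == "__main__":
    b = triage(SAMPLE_REPORT)
    print({o: [(f["cve"], f["pkg"], f["fix"]) for f in fs] for o, fs in b.items()})
    print("fixed by base-image rebuild:", fixable_by_rebuild(b))
```

Findings without a `FixedVersion` (here the constructed libx11 and log4j 1.x entries) are the ones that neither a rebuild nor a dependency bump resolves, so they are the ones worth tracking as accepted or mitigated risk rather than as pending updates.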