The image has CVE

[igajsin]

Hi. I've tried to run the security scanner trivy against the fluent/fluent-bit image and it found multiple CVEs including critical onese.

How to reproduce

1. Install the vulnerability scanner trivy like described here https://aquasecurity.github.io/trivy/v0.17.0/installation/
2. Run it against an image like

trivy i --severity CRITICAL fluent/fluent-bit:1.8.11    
2022-05-23T13:32:17.936+0200    INFO    Detected OS: debian
2022-05-23T13:32:17.936+0200    INFO    Detecting Debian vulnerabilities...
2022-05-23T13:32:17.938+0200    INFO    Number of language-specific files: 0

fluent/fluent-bit:1.8.11 (debian 10.11)

Total: 4 (CRITICAL: 4)

┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2021-33574 │ CRITICAL │ 2.28-10           │               │ glibc: mq_notify does not handle separately allocated thread │
│         │                │          │                   │               │ attributes                                                   │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-33574                   │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2021-35942 │ CRITICAL │ 2.28-10           │               │ glibc: Arbitrary read in wordexp()                           │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-35942                   │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2022-23218 │ CRITICAL │ 2.28-10           │               │ glibc: Stack-based buffer overflow in svcunix_create via     │
│         │                │          │                   │               │ long pathnames                                               │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-23218                   │
│         ├────────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2022-23219 │          │                   │               │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│         │                │          │                   │               │ a long pathname                                              │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-23219                   │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Expected behavior

No CVEs (at least with HIGH or CRITICAL severity) found

Actual behavior

There are CVEs.

[edsiper]

+ @patrick Stephens ***@***.***>

…

On Mon, 23 May 2022 at 05:34, Igor Gajsin ***@***.***> wrote: Hi. I've tried to run the security scanner trivy <https://github.com/aquasecurity/trivy> against the fluent/fluent-bit image and it found multiple CVEs including critical onese. How to reproduce 1. Install the vulnerability scanner trivy like described here https://aquasecurity.github.io/trivy/v0.17.0/installation/ 2. Run it against an image like trivy i --severity CRITICAL fluent/fluent-bit:1.8.11 2022-05-23T13:32:17.936+0200 INFO Detected OS: debian 2022-05-23T13:32:17.936+0200 INFO Detecting Debian vulnerabilities... 2022-05-23T13:32:17.938+0200 INFO Number of language-specific files: 0 fluent/fluent-bit:1.8.11 (debian 10.11) Total: 4 (CRITICAL: 4) ┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ ├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libc6 │ CVE-2021-33574 │ CRITICAL │ 2.28-10 │ │ glibc: mq_notify does not handle separately allocated thread │ │ │ │ │ │ │ attributes │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-33574 │ ├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libc6 │ CVE-2021-35942 │ CRITICAL │ 2.28-10 │ │ glibc: Arbitrary read in wordexp() │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-35942 │ ├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libc6 │ CVE-2022-23218 │ CRITICAL │ 2.28-10 │ │ glibc: Stack-based buffer overflow in svcunix_create via │ │ │ │ │ │ │ long pathnames │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23218 │ │ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2022-23219 │ │ │ │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │ │ │ │ │ │ │ a long pathname │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23219 │ └─────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ Expected behavior No CVEs (at least with HIGH or CRITICAL severity) found Actual behavior There are CVEs. — Reply to this email directly, view it on GitHub <#53>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAC2INTIITMLIBZ2CC3OANTVLNUL7ANCNFSM5WVQ5UMQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- Eduardo Silva Calyptia Inc. <https://calyptia.com> https://fluentbit.io https://twitter.com/edsiper

[edsiper]

That's an old version and the CVE is in the base image, the Google distroless one. I would step up to the latest version to confirm and you can also verify by running a scan on the base image. 1.8.12+ includes a step up to Debian 11 but also any new release will pick up the latest base image at the time with CVE fixes. If people need CVE fixes then they should be on latest: back porting of the OSS to pick them up is not supported (a service from a commercial provider though).

…

On Thu, 26 May 2022, 23:08 Eduardo Silva, ***@***.***> wrote: + @patrick Stephens ***@***.***> On Mon, 23 May 2022 at 05:34, Igor Gajsin ***@***.***> wrote: > Hi. I've tried to run the security scanner trivy > <https://github.com/aquasecurity/trivy> against the fluent/fluent-bit > image and it found multiple CVEs including critical onese. > How to reproduce > > 1. Install the vulnerability scanner trivy like described here > https://aquasecurity.github.io/trivy/v0.17.0/installation/ > 2. Run it against an image like > > trivy i --severity CRITICAL fluent/fluent-bit:1.8.11 > 2022-05-23T13:32:17.936+0200 INFO Detected OS: debian > 2022-05-23T13:32:17.936+0200 INFO Detecting Debian vulnerabilities... > 2022-05-23T13:32:17.938+0200 INFO Number of language-specific files: 0 > > fluent/fluent-bit:1.8.11 (debian 10.11) > > Total: 4 (CRITICAL: 4) > > ┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐ > │ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ > ├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ > │ libc6 │ CVE-2021-33574 │ CRITICAL │ 2.28-10 │ │ glibc: mq_notify does not handle separately allocated thread │ > │ │ │ │ │ │ attributes │ > │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-33574 │ > ├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ > │ libc6 │ CVE-2021-35942 │ CRITICAL │ 2.28-10 │ │ glibc: Arbitrary read in wordexp() │ > │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-35942 │ > ├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ > │ libc6 │ CVE-2022-23218 │ CRITICAL │ 2.28-10 │ │ glibc: Stack-based buffer overflow in svcunix_create via │ > │ │ │ │ │ │ long pathnames │ > │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23218 │ > │ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ > │ │ CVE-2022-23219 │ │ │ │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │ > │ │ │ │ │ │ a long pathname │ > │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23219 │ > └─────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ > > Expected behavior > > No CVEs (at least with HIGH or CRITICAL severity) found > Actual behavior > > There are CVEs. > > — > Reply to this email directly, view it on GitHub > <#53>, or > unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAC2INTIITMLIBZ2CC3OANTVLNUL7ANCNFSM5WVQ5UMQ> > . > You are receiving this because you are subscribed to this thread.Message > ID: ***@***.***> > -- Eduardo Silva Calyptia Inc. <https://calyptia.com> https://fluentbit.io https://twitter.com/edsiper

[igajsin]

OK, the latest image looks much better, no critical CVEs: https://pastebin.com/PwyiFP6A

Probably can close the issue.