docker-library/elasticsearch

Security vulnerabilities with Aquasec

alberto-arranz opened this issue · 2 comments

Hi,

I have executed the latest image (7.14.1) with Aquasec and it raised the following vulnerabilities.

Is there any plan to fix them?


See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment), docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

I'd also note that Elasticsearch is one of our most unique images and is basically built by Elastic Co. so we unfortunately have no control of rebuilding it for security updates. See the Dockerfile for where the images really come from:

# This image re-bundles the Docker image from the upstream provider, Elastic.
FROM docker.elastic.co/elasticsearch/elasticsearch:7.14.1@sha256:2dcd2f31e246a8b13995ba24922da2edc3d88e65532ff301d0b92cb1be358af5

From the Docker Hub description:

Where to file issues: For issues with Elasticsearch Docker Image or Elasticsearch: https://github.com/elastic/elasticsearch/issues
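As an added illustration of the triage the maintainer's reply implies (this is not code from the issue or from the docker-library project): a small Python script that parses rows in the Aquasec report layout quoted above (Name, Resource, Severity, Score, Fix Version) and buckets each finding by who can actually ship a fix. The sample rows are constructed from a handful of the reported entries, and the bucket names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the scanner's row layout; a few entries from the report, not all of it.
SAMPLE_REPORT = """\
Name Resource Severity Score Fix Version
RHSA-2021:1679 bash low 7.8 0:4.4.19-14.el8
CVE-2018-1000876 binutils medium 7.8 None
CVE-2020-25649 /usr/share/elasticsearch/modules/ingest-geoip/jackson-databind-2.10.4.jar medium 5 2.10.5.1
CVE-2021-22922 curl medium 6.5 None
"""

@dataclass(frozen=True)
class Finding:
    name: str
    resource: str
    severity: str
    score: float
    fix_version: Optional[str]  # None when the scanner printed "None"

    @property
    def is_bundled_jar(self) -> bool:
        # Jars under the Elasticsearch tree belong to Elastic's bundle, not to the OS.
        return self.resource.startswith("/") and self.resource.endswith(".jar")

    @property
    def is_distro_advisory(self) -> bool:
        return re.match(r"^RH[SEB]A-\d{4}:\d+$", self.name) is not None

def parse_report(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Name":
            continue  # skip header and blank lines
        name, resource, severity, score, fix = parts
        findings.append(Finding(name, resource, severity, float(score), None if fix == "None" else fix))
    return findings

def triage(f: Finding) -> str:
    """Bucket a finding by the party that can resolve it (bucket names are assumed)."""
    if f.is_bundled_jar:
        return "upstream"       # report to elastic/elasticsearch, as the Docker Hub page says
    if f.is_distro_advisory or f.fix_version:
        return "distro-fixed"   # a fixed package exists; a rebuilt base image picks it up
    return "no-distro-fix"      # version-match only; check the package changelog before acting

def summarize(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in parse_report(text):
        counts[triage(f)] = counts.get(triage(f), 0) + 1
    return counts
```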