Vulnerability for fluentd:v1.16.0-1.0
im-bravo opened this issue · 8 comments
Hello
Many thanks for the fluentd and fluentd docker image.
We found 2 CVEs in the latest docker image 1.16.0.
https://nvd.nist.gov/vuln/detail/CVE-2023-2975
https://nvd.nist.gov/vuln/detail/CVE-2023-36617
It looks like they are related to the libcrypto3 and libssl3 packages.
Based on my scan tool, upgrading from 3.0.9-r1 to 3.0.9-r2 can fix this issue.
I created a PR #362 to update to alpine:3.18, which should contain the fixes for:
https://nvd.nist.gov/vuln/detail/CVE-2023-2975
https://nvd.nist.gov/vuln/detail/CVE-2023-3446
For https://nvd.nist.gov/vuln/detail/CVE-2023-36617, we need to upgrade uri to 0.12.2 (reference: https://scout.docker.com/vulnerabilities/id/CVE-2023-36617), but I don't see any gem installing that package in the Dockerfile; it looks like it comes as a dependency.
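The two fixes discussed above (libssl3/libcrypto3 at 3.0.9-r2, uri at 0.12.2) can be verified inside the image itself rather than trusting a scanner's report. The script below is an added example written for this page, not code from the fluentd project or from anyone in this thread. It assumes the image is Alpine-based, that the package list comes from `apk list --installed` and the gem list from `gem list`, and it implements its own comparison for Alpine's `-rN` release suffix because `Gem::Version` treats a hyphenated suffix as a prerelease. The sample command outputs embedded at the bottom are constructed, not captured from a real image.

```ruby
require "rubygems" # Gem::Version, used for the gem side of the check

# Fixed versions named in this issue; everything below them is reported.
FIXED_APK  = { "libssl3" => "3.0.9-r2", "libcrypto3" => "3.0.9-r2" }
FIXED_GEMS = { "uri" => "0.12.2" }

# Split an Alpine version such as "3.0.9-r2" into [upstream segments, release].
# Numeric parts become integers, letter suffixes (OpenSSL's "1.1.1t") stay strings.
def apk_version_key(str)
  upstream, release = str.split("-r", 2)
  segs = upstream.scan(/\d+|[A-Za-z]+/).map { |s| s.match?(/\A\d+\z/) ? s.to_i : s }
  [segs, release.to_i]
end

# Compare upstream segments: a missing numeric segment counts as 0 ("3.0" == "3.0.0"),
# a letter suffix sorts after its absence ("1.1.1t" > "1.1.1"). Assumption: a numeric
# segment outranks a letter segment at the same position.
def compare_segments(a, b)
  [a.length, b.length].max.times do |i|
    x, y = a[i], b[i]
    next if x == y
    return 1  if y.nil? && x.is_a?(String)
    return -1 if x.nil? && y.is_a?(String)
    x ||= 0
    y ||= 0
    return x <=> y if x.class == y.class
    return x.is_a?(Integer) ? 1 : -1
  end
  0
end

# Full Alpine comparison: upstream version first, then the -rN package release.
def compare_apk(a, b)
  (sa, ra), (sb, rb) = apk_version_key(a), apk_version_key(b)
  c = compare_segments(sa, sb)
  c.zero? ? (ra <=> rb) : c
end

# Parse `apk list --installed` lines, e.g.
#   libssl3-3.0.9-r1 x86_64 {openssl} (Apache-2.0) [installed]
# into { "libssl3" => "3.0.9-r1" }. The name ends at the first "-<digit>" boundary,
# which keeps hyphenated names such as ca-certificates intact.
def parse_apk_list(text)
  text.each_line.with_object({}) do |line, pkgs|
    m = line.match(/\A(?<name>\S+?)-(?<ver>\d\S*)(?=\s|\z)/)
    pkgs[m[:name]] = m[:ver] if m
  end
end

# Parse `gem list` lines, e.g. "uri (0.12.1, default: 0.12.1)", into
# { "uri" => ["0.12.1", "0.12.1"] }; the "default:" label is dropped.
def parse_gem_list(text)
  text.each_line.with_object({}) do |line, gems|
    m = line.match(/\A(?<name>\S+) \((?<vers>[^)]+)\)/)
    next unless m
    gems[m[:name]] = m[:vers].split(",").map { |v| v.strip.sub(/\A\w+:\s*/, "") }
  end
end

# One finding per package or gem still below its fixed version. For gems the newest
# installed version is checked, which is what Ruby activates unless a Gemfile.lock pins
# an older one; packages or gems that are absent have nothing to patch and are skipped.
def check_image(apk_output, gem_output)
  findings = []
  pkgs = parse_apk_list(apk_output)
  FIXED_APK.each do |name, fixed|
    installed = pkgs[name]
    next unless installed
    findings << "#{name} #{installed} < #{fixed}" if compare_apk(installed, fixed) < 0
  end
  gems = parse_gem_list(gem_output)
  FIXED_GEMS.each do |name, fixed|
    versions = gems.fetch(name, []).map { |v| Gem::Version.new(v) }
    next if versions.empty?
    newest = versions.max
    findings << "#{name} gem #{newest} < #{fixed}" if newest < Gem::Version.new(fixed)
  end
  findings
end

# Constructed sample outputs (not captured from a real fluentd image).
VULNERABLE_APK = <<~APK
  ca-certificates-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
  libcrypto3-3.0.9-r1 x86_64 {openssl} (Apache-2.0) [installed]
  libssl3-3.0.9-r1 x86_64 {openssl} (Apache-2.0) [installed]
  musl-1.2.4-r0 x86_64 {musl} (MIT) [installed]
APK
VULNERABLE_GEMS = "fluentd (1.16.0)\nuri (default: 0.12.1)\n"
PATCHED_APK     = VULNERABLE_APK.gsub("3.0.9-r1", "3.0.9-r2")
PATCHED_GEMS    = "fluentd (1.16.2)\nuri (0.12.2, default: 0.12.1)\n"

if $PROGRAM_NAME == __FILE__
  puts "before: #{check_image(VULNERABLE_APK, VULNERABLE_GEMS).inspect}"
  puts "after:  #{check_image(PATCHED_APK, PATCHED_GEMS).inspect}"
end
```

To run it against a real image, feed it the live command output, for example `docker run --rm fluent/fluentd:v1.16.0-1.0 sh -c 'apk list --installed'` and the matching `gem list`. Because uri is a default gem, the version `gem list` shows is not necessarily the one fluentd loads; `ruby -ruri -e 'puts URI::VERSION'` inside the container reports the version actually activated.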
I released v1.16.2-1.1 at fluent/fluentd to suppress these CVEs.
I'll close this issue after I reflect it to https://hub.docker.com/_/fluentd
Hi @ashie, thanks for fixing that! Could you please rebuild the Docker images in https://github.com/fluent/fluentd-kubernetes-daemonset as well, to patch those CVEs?
By the way, I have checked and am still not seeing the new tag v1.16.2-1.1 pushed to https://hub.docker.com/_/fluentd.
> Hi @ashie, thanks for fixing that! Could you please rebuild the Docker images in https://github.com/fluent/fluentd-kubernetes-daemonset as well, to patch those CVEs?

Of course we'll do it. Please wait for a while.

> By the way, I have checked and am still not seeing the new tag v1.16.2-1.1 pushed to https://hub.docker.com/_/fluentd.

Yes, not yet. Please wait for a while.
Hi @ashie, thanks for this fluent/fluentd-kubernetes-daemonset#1460, but it looks like some images (for example v1.16.2-debian-s3-amd64-1.1) are still missing from Docker Hub.
> Hi @ashie, thanks for this fluent/fluentd-kubernetes-daemonset#1460, but it looks like some images (for example v1.16.2-debian-s3-amd64-1.1) are still missing from Docker Hub.

It's a known issue: fluent/fluentd-kubernetes-daemonset#1455
In the short term, we'll solve it by reorganizing build settings on DockerHub.
In the middle term, we should resolve it by migrating the deployment system to GitHub Actions: #318
fluentd-kubernetes-daemonset v1.16-debian-s3 has also been updated.