flink-issues mailing list archives

From "Chesnay Schepler (Jira)" <j...@apache.org>
Subject [jira] [Assigned] (FLINK-23221) Docker image vulnerability
Date Wed, 04 Aug 2021 14:18:00 GMT

     [ https://issues.apache.org/jira/browse/FLINK-23221?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chesnay Schepler reassigned FLINK-23221:
----------------------------------------

    Assignee: Chesnay Schepler

> Docker image vulnerability
> --------------------------
>
>                 Key: FLINK-23221
>                 URL: https://issues.apache.org/jira/browse/FLINK-23221
>             Project: Flink
>          Issue Type: Improvement
>          Components: flink-docker
>    Affects Versions: 1.13.1
>         Environment: Issue was discovered by AWS ECR image scanning on apache/flink:1.13.1-scala_2.12
>            Reporter: Razvan AGAPE
>            Assignee: Chesnay Schepler
>            Priority: Critical
>              Labels: docker, flink, glibc
>             Fix For: 1.14.0, 1.13.3
>
>
> The AWS ECR image scanning reports some HIGH vulnerabilities on the apache/flink:1.13.1-scala_2.12
> docker image. In addition, all versions prior to this one have these issues.
> The vulnerabilities are the following:
>  # [CVE-2021-33574|https://security-tracker.debian.org/tracker/CVE-2021-33574]
>  # [CVE-2019-25013 - for this one a patch has been released in glibc version 2.31-9|https://security-tracker.debian.org/tracker/CVE-2019-25013]
> Our security policy does not allow us to deploy images having security vulnerabilities.
> Searching the Internet, I found that for the first problem, a patch containing the
> solution will be released this year.
> Do you plan to release a new image containing the newer glibc version in order to solve
> those issues?
> Also, I checked and the Alpine-based Flink images do not have these vulnerabilities.
> Do you plan to release newer versions of Flink based on Alpine (the latest one is flink:1.8.x)?
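The ticket's practical question is whether a given image already carries the patched glibc. Scanner output and advisories speak in Debian package versions, and those are not compared lexically: an epoch wins first, then the upstream part, then the revision, with "~" sorting before everything. The following is an added example, not code from the ticket or from the Flink project: it implements dpkg's version ordering so that a libc6 version reported for an image can be checked against the fixed version the ticket cites for CVE-2019-25013 (2.31-9). The function names (`compare_versions`, `triage_libc6`) and every sample version are constructed for illustration.

```python
"""Compare a reported Debian package version with an advisory's fixed version.

Added example, not part of the Jira ticket or the Flink project. It follows
dpkg's ordering rules (epoch, then upstream, then revision; '~' sorts before
everything, even end of string). The only page-derived value is the fixed
glibc version 2.31-9 quoted in the ticket for CVE-2019-25013; all sample
versions are constructed.
"""
from typing import Dict, Tuple


def _order(c: str) -> int:
    """Character weight used by dpkg: digits 0, letters by code point,
    '~' before everything (including end of string), other characters after letters."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while ch(a, i) or ch(b, j):
        # Non-digit run: compare character by character using _order().
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros; a longer run wins, else the first differing digit.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        first_diff = 0
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def split_version(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; the revision follows the last hyphen."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen at all: the whole string is the upstream part
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _verrevcmp(ua, ub)
    return c if c else _verrevcmp(ra, rb)


# Fixed version quoted in the ticket for CVE-2019-25013 (Debian libc6).
FIX_VERSIONS: Dict[str, str] = {"CVE-2019-25013": "2.31-9"}


def triage_libc6(installed: str, fix_versions: Dict[str, str] = FIX_VERSIONS) -> Dict[str, bool]:
    """Map each CVE to True when the installed libc6 version is at or past its fixed version."""
    return {cve: compare_versions(installed, fixed) >= 0 for cve, fixed in fix_versions.items()}


if __name__ == "__main__":
    # Constructed samples of what a scanner might report for libc6 in different base images.
    for v in ["2.28-10", "2.31-9", "2.31-9~bpo10+1", "2.31-13+deb11u2", "2.31-0ubuntu9.2"]:
        print(v, triage_libc6(v))
```

The installed version itself would come from the image (for a Debian-based image, `dpkg-query -W -f '${Version}' libc6` run inside a container) or from the scanner's finding; the comparison is what matters, because a naive string comparison would rank a backport such as `2.31-9~bpo10+1` above `2.31-9` and an Ubuntu revision such as `0ubuntu9.2` below `9` only by accident.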



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
