To answer your questions:

1) yes, see https://issues.apache.org/jira/browse/FLINK-23221
2) Once an upstream image with the fix was released we will try to release new images ASAP.
3) No, there's nothing to do on the Flink side.
4) No, we only have the debian-based images.

On 02/08/2021 16:40, Konstantin Knauf wrote:
Hi Daniel,

sorry for the late reply and thanks for the report. We'll look into this
and get back to you.

Cheers,

Konstantin

On Tue, Jun 15, 2021 at 4:33 AM Daniel Moore
<daniel.mo...@sugarcrm.com.invalid> wrote:

Hello All,

We have been implementing a solution using the Flink image from
https://github.com/apache/flink-docker/blob/master/1.13/scala_2.12-java11-debian/Dockerfile
and it got flagged by our image repository for 3 major security
vulnerabilities:

CVE-2017-8804
CVE-2019-25013
CVE-2021-33574

All of these stem from the `glibc` packages in the `openjdk:11-jre` image.

We have a working image based on building Flink using the Amazon Corretto
image -
https://github.com/corretto/corretto-docker/blob/88df29474df6fc3f3f19daa8c5515d934f706cd0/11/jdk/al2/Dockerfile.
This works although there are some issues related to linking
`libjemalloc`.  Before we fully test this new image we wanted to reach out
to the community for insight on the following questions:

1. Are these vulnerabilities captured in an issue yet?
2. If so, when could we expect a new official image that contains the
Debian fixes for these issues?
3. If not, how can we help contribute to a solution?
4. Are there officially supported non-Debian based Flink images?

We appreciate the insights and look forward to working with the community
on a solution.


