Razvan AGAPE created FLINK-23221:
------------------------------------

             Summary: Docker image vulnerability
                 Key: FLINK-23221
                 URL: https://issues.apache.org/jira/browse/FLINK-23221
             Project: Flink
          Issue Type: Improvement
          Components: flink-docker
    Affects Versions: 1.13.1
         Environment: Issue was discovered by AWS ECR image scanning on 
apache/flink:1.13.1-scala_2.12
            Reporter: Razvan AGAPE


The AWS ECR image scanning reports some HIGH vulnerabilities on 
apache/flink:1.13.1-scala_2.12 docker image. In addition, all versions prior to 
this one have these issues.

The vulnerabilities are the following:
 # [CVE-2021-33574|https://security-tracker.debian.org/tracker/CVE-2021-33574]
 # [CVE-2019-25013 - for this one a patch has been released in glibc version 
2.31-9|https://security-tracker.debian.org/tracker/CVE-2019-25013]

Our security policy does not allow us to deploy images having security 
vulnerabilities. Searching through the Internet I found that for the first 
problem, a patch containing the solution will be released this year.

Do you plan to release a new image containing the newer glibc version in order 
to solve those issues?

Also, I checked and the alpine based flink images do not have these 
vulnerabilities. Do you plan to release newer versions of flink based on alpine 
(latest one is flink:1.8.x)?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
