Hi Community,

In one of our applications we are using a Flink Docker image and running
Flink as a Kubernetes pod. As per policy, we tried scanning the Docker
image for security vulnerabilities using JFrog Xray and we find that there
are multiple critical vulnerabilities being reported, as seen in the below
table. This is the same case for the latest Flink version 1.19.0 as well.

| Severity | Direct Package | Impacted Package | Impacted Package Version | Fixed Versions | Type | CVE |
|----------|----------------|------------------|--------------------------|----------------|------|-----|
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.8, 1.20.3] | Go | CVE-2023-24538 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.9, 1.20.4] | Go | CVE-2023-24540 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29404 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29405 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29402 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.16.9, 1.17.2] | Go | CVE-2021-38297 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.16.14, 1.17.7] | Go | CVE-2022-23806 |
| Critical | sha256__0690274ef266a9a2f... | certifi | 2020.6.20 | [2023.7.22] | Python | CVE-2023-37920 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.12.6, 1.13beta1] | Go | CVE-2019-11888 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.11.13, 1.12.8] | Go | CVE-2019-14809 |

These vulnerabilities are related to the github.com/golang/go and certifi
packages.

Please help me address the below questions:
Is there any known workaround for these vulnerabilities while using the affected Flink versions?
Is there an ETA for a fix for these vulnerabilities in upcoming Flink releases?
Are there any specific steps recommended to mitigate these issues in the meantime?
Any guidance or recommendations would be greatly appreciated.

Thanks in advance

Thanks,
Elakiya U
