Hi Community,

In one of our applications we are using a Flink Docker image and running Flink as a Kubernetes pod. As per policy, we tried scanning the Docker image for security vulnerabilities using JFrog Xray, and we find that there are multiple critical vulnerabilities being reported, as seen in the table below. This is the same case for the latest Flink version 1.19.0 as well.
| Severity | Direct Package | Impacted Package | Impacted Package Version | Fixed Versions | Type | CVE |
|----------|----------------|------------------|--------------------------|----------------|------|-----|
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.8, 1.20.3] | Go | CVE-2023-24538 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.9, 1.20.4] | Go | CVE-2023-24540 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29404 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29405 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29402 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.16.9, 1.17.2] | Go | CVE-2021-38297 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.16.14, 1.17.7] | Go | CVE-2022-23806 |
| Critical | sha256__0690274ef266a9a2f... | certifi | 2020.6.20 | [2023.7.22] | Python | CVE-2023-37920 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.12.6, 1.13beta1] | Go | CVE-2019-11888 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.11.13, 1.12.8] | Go | CVE-2019-14809 |

These vulnerabilities are related to the github.com/golang/go and certifi packages. Please help me address the questions below:

1. Is there any known workaround for these vulnerabilities while using the affected Flink versions?
2. Is there an ETA for a fix for these vulnerabilities in upcoming Flink releases?
3. Are there any specific steps recommended to mitigate these issues in the meantime?

Any guidance or recommendations would be greatly appreciated. Thanks in advance.

Thanks,
Elakiya U
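As an added example (not code from the original post, and not Flink or JFrog code), the Python script below does the two things a practitioner would want to do with a scan table like the one above before asking for a fix: work out, per package, the single lowest version that closes every listed CVE at once (respecting that Go fixes are backported per release line, so a 1.19.x fix does not cover 1.20.0), and locate which ELF binary inside an extracted image filesystem actually embeds the old Go toolchain string. The FINDINGS list is copied from the table; the fake root filesystem in `__main__` is constructed for the demo; the `go1.X.Y` string search is a heuristic equivalent to `strings | grep`, not an authoritative build-info parser.

```python
"""Triage helpers for scanner findings like the Xray table above.
Added example, not Flink or JFrog code; FINDINGS is copied from the table and
the fake rootfs in __main__ is constructed for the demo."""
import os
import re
from collections import defaultdict

# (impacted package, installed version, versions carrying the fix, CVE)
FINDINGS = [
    ("github.com/golang/go", "1.11.1", ["1.19.8", "1.20.3"], "CVE-2023-24538"),
    ("github.com/golang/go", "1.11.1", ["1.19.9", "1.20.4"], "CVE-2023-24540"),
    ("github.com/golang/go", "1.11.1", ["1.19.10", "1.20.5"], "CVE-2023-29404"),
    ("github.com/golang/go", "1.11.1", ["1.19.10", "1.20.5"], "CVE-2023-29405"),
    ("github.com/golang/go", "1.11.1", ["1.19.10", "1.20.5"], "CVE-2023-29402"),
    ("github.com/golang/go", "1.11.1", ["1.16.9", "1.17.2"], "CVE-2021-38297"),
    ("github.com/golang/go", "1.11.1", ["1.16.14", "1.17.7"], "CVE-2022-23806"),
    ("certifi", "2020.6.20", ["2023.7.22"], "CVE-2023-37920"),
    ("github.com/golang/go", "1.11.1", ["1.12.6", "1.13beta1"], "CVE-2019-11888"),
    ("github.com/golang/go", "1.11.1", ["1.11.13", "1.12.8"], "CVE-2019-14809"),
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:(beta|rc)(\d+))?")
_PRE_RANK = {"beta": 0, "rc": 1}  # pre-releases sort below the final release


def parse_version(text):
    """'1.13beta1', '1.19.10' or '2023.7.22' -> sortable tuple (1.13beta1 < 1.13)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # 1.13 -> 1.13.0
    pre = (2, 0) if m.group(2) is None else (_PRE_RANK[m.group(2)], int(m.group(3)))
    return tuple(nums) + pre


def is_fixed(installed, fixed_versions):
    """Fixes are listed per release line (1.19.x and 1.20.x each get a backport), so
    1.20.0 is NOT covered by 1.19.10: need same major.minor and >= the fix, or a
    line newer than every listed fix."""
    cur = parse_version(installed)
    fixes = [parse_version(f) for f in fixed_versions]
    if cur[:2] > max(fixes)[:2]:
        return True
    return any(cur[:2] == f[:2] and cur >= f for f in fixes)


def upgrade_target(installed, fix_sets):
    """Lowest version listed anywhere that closes every CVE at once. The max of
    per-CVE minimum fixes is wrong when one CVE has no backport on an older line,
    so each candidate is checked against every fix set."""
    candidates = sorted({v for s in fix_sets for v in s}, key=parse_version)
    for c in candidates:
        if parse_version(c) > parse_version(installed) and all(is_fixed(c, s) for s in fix_sets):
            return c
    return None


def triage(findings):
    """Per package: CVEs still open, CVEs the installed version already covers
    (scanner false positives), and the single upgrade target."""
    by_pkg = defaultdict(list)
    for pkg, installed, fixed, cve in findings:
        by_pkg[(pkg, installed)].append((fixed, cve))
    report = {}
    for (pkg, installed), items in by_pkg.items():
        still_open = [(f, c) for f, c in items if not is_fixed(installed, f)]
        report[pkg] = {
            "installed": installed,
            "open": sorted(c for _, c in still_open),
            "already_fixed": sorted(c for f, c in items if is_fixed(installed, f)),
            "target": upgrade_target(installed, [f for f, _ in still_open]) if still_open else None,
        }
    return report


_GO_BUILD_RE = re.compile(rb"go1\.\d+(?:\.\d+)?(?:beta\d+|rc\d+)?")


def go_toolchain_version(data):
    """Heuristic (what 'strings | grep go1' keys on): a Go binary embeds its
    toolchain version as a plain 'go1.X.Y' string. Returns the highest such string
    or None; 'go version -m' is the authoritative check for newer binaries."""
    hits = {m.group(0).decode() for m in _GO_BUILD_RE.finditer(data)}
    return max(hits, key=lambda v: parse_version(v[2:])) if hits else None


def scan_tree(root):
    """Walk an extracted image rootfs (e.g. 'docker export' + 'tar x') and map each
    ELF file that embeds a Go toolchain version to it: which binary carries go1.11.1."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if data.startswith(b"\x7fELF") and go_toolchain_version(data):
                found[path] = go_toolchain_version(data)
    return found


if __name__ == "__main__":
    import tempfile
    for pkg, info in triage(FINDINGS).items():
        print(pkg, info)
    # Constructed fake rootfs: a pseudo-ELF embedding go1.11.1 and a script that
    # only mentions the string (must not be reported).
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/local/bin"))
        with open(os.path.join(root, "usr/local/bin/tool"), "wb") as f:
            f.write(b"\x7fELF" + b"\0" * 60 + b"runtime.buildVersion\0go1.11.1\0")
        with open(os.path.join(root, "usr/local/bin/run.sh"), "wb") as f:
            f.write(b"#!/bin/sh\necho 'go1.11.1 is only text here'\n")
        print(scan_tree(root))
```

On the table's data this reports a single target of Go 1.19.10 for all nine Go findings and certifi 2023.7.22 for the Python one, which is the concrete number to put in a rebuild request or a Dockerfile pin. The `scan_tree` step matters because the scanner attributes the Go findings to a layer digest, not to a file: knowing which binary embeds `go1.11.1` tells you whether it can be rebuilt or replaced independently of Flink itself. Treat the `go1.X.Y` string match as a hint and confirm with `go version -m <file>` where that works.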