Hi Team, I would like to remind you about the request for help with fixing the vulnerabilities seen in the Flink Docker image. Any help is appreciated.
Thanks in advance.

Thanks,
Elakiya U

On Tue, Jun 18, 2024 at 12:51 PM elakiya udhayanan <laks....@gmail.com> wrote:

> Hi Community,
>
> In one of our applications we are using a Flink Docker image and running Flink as a Kubernetes pod. As per policy, we tried scanning the Docker image for security vulnerabilities using JFrog Xray and we find that there are multiple critical vulnerabilities being reported, as seen in the table below. This is the same case for the latest Flink version 1.19.0 as well.
>
> | Severity | Direct Package | Impacted Package | Impacted Package Version | Fixed Versions | Type | CVE |
> |----------|----------------|------------------|--------------------------|----------------|------|-----|
> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.8, 1.20.3] | Go | CVE-2023-24538 |
> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.9, 1.20.4] | Go | CVE-2023-24540 |
> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29404 |
> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29405 |
> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29402 |
> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.16.9, 1.17.2] | Go | CVE-2021-38297 |
> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.16.14, 1.17.7] | Go | CVE-2022-23806 |
> | Critical | sha256__0690274ef266a9a2f... | certifi | 2020.6.20 | [2023.7.22] | Python | CVE-2023-37920 |
> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.12.6, 1.13beta1] | Go | CVE-2019-11888 |
> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.11.13, 1.12.8] | Go | CVE-2019-14809 |
>
> These vulnerabilities are related to the github.com/golang/go and certifi packages.
>
> Please help me address the following questions:
> Is there any known workaround for these vulnerabilities while using the affected Flink versions?
> Is there an ETA for a fix for these vulnerabilities in upcoming Flink releases?
> Are there any specific steps recommended to mitigate these issues in the meantime?
> Any guidance or recommendations would be greatly appreciated.
>
> Thanks in advance
>
> Thanks,
> Elakiya U