Hi Elakiya,

just to be clear, I'm not a Flink maintainer, but here are my 2 cents.

I imagine the issues related to Go come from 'gosu', which is installed in
the official Flink Docker images. You can see [1] for some thoughts from
the gosu maintainer regarding CVEs (and the md file he links).

Nevertheless, there have been newer gosu releases and Flink hasn't updated
it in a long time. I think it could be worth doing that; it seems to me
that it's just about changing one env var, e.g. [2].

[1] https://github.com/tianon/gosu/issues/136#issuecomment-2150375314
[2] https://github.com/apache/flink-docker/blob/master/1.19/scala_2.12-java11-ubuntu/Dockerfile#L28

Regards,
Alexis.

On Fri, 21 Jun 2024 at 15:37, elakiya udhayanan <laks....@gmail.com> wrote:

> Hi Team,
>
> I would like to remind about the request for the help required to fix the
> vulnerabilities seen in the Flink Docker image. Any help is appreciated.
>
> Thanks in advance.
>
> Thanks,
> Elakiya U
>
> On Tue, Jun 18, 2024 at 12:51 PM elakiya udhayanan <laks....@gmail.com> wrote:
>
>> Hi Community,
>>
>> In one of our applications we are using a Flink Docker image and running
>> Flink as a Kubernetes pod. As per policy, we tried scanning the Docker
>> image for security vulnerabilities using JFrog XRay and we find that there
>> are multiple critical vulnerabilities being reported as seen in the below
>> table. This is the same case for the latest Flink version 1.19.0 as well.
>>
>> | Severity | Direct Package | Impacted Package | Impacted Package Version | Fixed Versions | Type | CVE |
>> |----------|----------------|------------------|--------------------------|----------------|------|-----|
>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.8, 1.20.3] | Go | CVE-2023-24538 |
>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.9, 1.20.4] | Go | CVE-2023-24540 |
>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29404 |
>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29405 |
>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29402 |
>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.16.9, 1.17.2] | Go | CVE-2021-38297 |
>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.16.14, 1.17.7] | Go | CVE-2022-23806 |
>> | Critical | sha256__0690274ef266a9a2f... | certifi | 2020.6.20 | [2023.7.22] | Python | CVE-2023-37920 |
>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.12.6, 1.13beta1] | Go | CVE-2019-11888 |
>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.11.13, 1.12.8] | Go | CVE-2019-14809 |
>>
>> These vulnerabilities are related to the github.com/golang/go and
>> certifi packages.
>>
>> Please help me address the below questions:
>> Is there any known workaround for these vulnerabilities while using the affected Flink versions?
>> Is there an ETA for a fix for these vulnerabilities in upcoming Flink releases?
>> Are there any specific steps recommended to mitigate these issues in the meantime?
>> Any guidance or recommendations would be greatly appreciated.
>>
>> Thanks in advance.
>>
>> Thanks,
>> Elakiya U
>>
>
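As an added example that is not code from this thread, from Flink or from gosu: a Python check that reads the Go toolchain version string embedded in a static Go binary such as gosu (the value the scanner reported as 1.11.1 in the table above) and compares it against the table's "Fixed Versions" column, so that after bumping the gosu version in the Dockerfile one can confirm which of the listed CVEs the new binary still carries. The sample binary bytes are constructed for the example.

```python
import re
from typing import Optional

# "Fixed Versions" per CVE, copied from the scan table quoted in this thread:
# each entry lists the first patched release on every Go branch that got the fix.
FIXED_VERSIONS = {
    "CVE-2023-24538": ["1.19.8", "1.20.3"],
    "CVE-2023-24540": ["1.19.9", "1.20.4"],
    "CVE-2023-29404": ["1.19.10", "1.20.5"],
    "CVE-2023-29405": ["1.19.10", "1.20.5"],
    "CVE-2023-29402": ["1.19.10", "1.20.5"],
    "CVE-2021-38297": ["1.16.9", "1.17.2"],
    "CVE-2022-23806": ["1.16.14", "1.17.7"],
    "CVE-2019-11888": ["1.12.6", "1.13beta1"],
    "CVE-2019-14809": ["1.11.13", "1.12.8"],
}

# Every Go binary embeds its toolchain version as "goX.Y[.Z]" (runtime.buildVersion).
_GO_VERSION_RE = re.compile(rb"go(1\.\d+(?:\.\d+)?)(?:beta\d+|rc\d+)?")

def parse_version(v: str):
    """'1.19.10' -> (1, 19, 10); a pre-release such as '1.13beta1' counts as (1, 13, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"not a Go version: {v!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def go_version_of(binary: bytes) -> Optional[str]:
    """Heuristic extraction of the embedded Go version; None if no version string is found."""
    m = _GO_VERSION_RE.search(binary)
    return m.group(1).decode() if m else None

def is_fixed(detected: str, fixed: list) -> bool:
    """On a branch listed in `fixed`, the patch level must reach that branch's first fix;
    a newer branch inherits the fix; an older (unsupported) branch never received it."""
    _, minor, patch = parse_version(detected)
    first_fixed = {parse_version(f)[1]: parse_version(f)[2] for f in fixed}
    if minor in first_fixed:
        return patch >= first_fixed[minor]
    return minor > max(first_fixed)

def outstanding_cves(detected: str, table=FIXED_VERSIONS) -> list:
    """CVEs from the table that still apply to a binary built with `detected`."""
    return sorted(cve for cve, fixed in table.items() if not is_fixed(detected, fixed))

# Constructed stand-in for a binary; a real one is read with open("/usr/local/bin/gosu", "rb").
SAMPLE_BINARY = b"\x7fELF" + b"\x00" * 24 + b"go1.11.1" + b"\x00" * 24
```

The string search is a heuristic; where a Go toolchain is available, `go version -m <binary>` is the authoritative way to read the embedded version.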
