Hi Alexis and Gabor,

Thanks for your valuable response and suggestions. I will try to work on the
suggestions and get back to you if I require more details.

Thanks,
Elakiya

On Sun, Jun 23, 2024 at 10:12 PM Gabor Somogyi <gabor.g.somo...@gmail.com>
wrote:

> Hi Elakiya,
>
> I've just double checked the story and seems like the latest 1.17 gosu
> release is not vulnerable.
> Can you please try it out on your side? Alexis has written down how you
> can bump the docker version locally:
>
> ---CUT-HERE---
> ENV GOSU_VERSION 1.17
> ---CUT-HERE---
>
> Please report back and we can discuss this further based on that...
>
> BR,
> G
>
>
> On Fri, Jun 21, 2024 at 7:16 PM elakiya udhayanan <laks....@gmail.com>
> wrote:
>
>> Hi Team,
>>
>> I would like to remind you about my request for help with fixing the
>> vulnerabilities seen in the Flink Docker image. Any help is appreciated.
>>
>> Thanks in advance.
>>
>> Thanks,
>> Elakiya U
>>
>> On Tue, Jun 18, 2024 at 12:51 PM elakiya udhayanan <laks....@gmail.com>
>> wrote:
>>
>>> Hi Community,
>>>
>>> In one of our applications we are using a Flink Docker image and running
>>> Flink as a Kubernetes pod. As per policy, we tried scanning the Docker
>>> image for security vulnerabilities using JFrog Xray, and we find that there
>>> are multiple critical vulnerabilities being reported, as seen in the below
>>> table. This is the same case for the latest Flink version 1.19.0 as well.
>>>
>>> | Severity | Direct Package | Impacted Package | Impacted Package Version | Fixed Versions | Type | CVE |
>>> |----------|----------------|------------------|--------------------------|----------------|------|-----|
>>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.8, 1.20.3] | Go | CVE-2023-24538 |
>>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.9, 1.20.4] | Go | CVE-2023-24540 |
>>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29404 |
>>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29405 |
>>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29402 |
>>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.16.9, 1.17.2] | Go | CVE-2021-38297 |
>>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.16.14, 1.17.7] | Go | CVE-2022-23806 |
>>> | Critical | sha256__0690274ef266a9a2f... | certifi | 2020.6.20 | [2023.7.22] | Python | CVE-2023-37920 |
>>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.12.6, 1.13beta1] | Go | CVE-2019-11888 |
>>> | Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.11.13, 1.12.8] | Go | CVE-2019-14809 |
>>>
>>> These vulnerabilities are related to the github.com/golang/go and
>>> certifi packages.
>>>
>>> Please help me by addressing the below questions:
>>> Is there any known workaround for these vulnerabilities while using the
>>> affected Flink versions?
>>> Is there an ETA for a fix for these vulnerabilities in upcoming Flink
>>> releases?
>>> Are there any specific steps recommended to mitigate these issues in the
>>> meantime?
>>> Any guidance or recommendations would be greatly appreciated.
>>>
>>> Thanks in advance
>>>
>>> Thanks,
>>> Elakiya U
>>>
>>

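The thread above boils down to one triage question: after bumping the gosu version in the Dockerfile (and whatever Go toolchain that gosu binary was built with) and the certifi package, which of the scanner's CVE rows are actually cleared? The following is an added example, not code from the Flink project or from anyone in the thread. It parses rows in the pipe-delimited shape the Xray report was pasted in and compares a candidate version per package against the scanner's "Fixed Versions" column. Two assumptions are made and labelled in the code: each fixed version is read as "fixed from this version on within the same major.minor branch, and any later branch is fixed"; and the candidate Go version is the toolchain the shipped gosu binary was built with, which the thread does not state, so it is passed in rather than hard-coded (in the image it can be read with `go version -m /usr/local/bin/gosu`).

```python
"""Triage container-scanner findings against the versions you plan to ship.

Added example (not from the Flink project or the mailing-list thread).
The SAMPLE_REPORT rows below are constructed from the shape of the report
quoted in the thread; the fixed-range semantics in is_fixed() are an
assumption about how the scanner's "Fixed Versions" column is meant to be read.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    installed: str
    fixed: tuple[str, ...]


# Matches one data row; header and separator rows fail on the "[...]" fixed-versions cell.
ROW = re.compile(
    r"^\|\s*(?P<severity>[^|]+?)\s*\|\s*(?P<layer>[^|]+?)\s*\|\s*(?P<package>[^|]+?)\s*\|"
    r"\s*(?P<installed>[^|]+?)\s*\|\s*\[(?P<fixed>[^\]]*)\]\s*\|\s*(?P<type>[^|]+?)\s*\|"
    r"\s*(?P<cve>CVE-\d{4}-\d+)\s*\|"
)

# Constructed sample in the scanner's table layout (subset of the rows in the thread).
SAMPLE_REPORT = """\
| Severity | Direct Package | Impacted Package | Impacted Package Version | Fixed Versions | Type | CVE |
|----------|----------------|------------------|--------------------------|----------------|------|-----|
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.8, 1.20.3] | Go | CVE-2023-24538 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.19.10, 1.20.5] | Go | CVE-2023-29404 |
| Critical | sha256__c6571bb0f39f334ef... | github.com/golang/go | 1.11.1 | [1.12.6, 1.13beta1] | Go | CVE-2019-11888 |
| Critical | sha256__0690274ef266a9a2f... | certifi | 2020.6.20 | [2023.7.22] | Python | CVE-2023-37920 |
"""


def parse_version(text: str) -> tuple[int, ...]:
    """'1.19.10' -> (1, 19, 10); '1.13beta1' -> (1, 13, 0): the pre-release tag is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_rows(report: str) -> list[Finding]:
    """Extract Finding records from a pipe-delimited scanner table."""
    findings = []
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        fixed = tuple(v.strip() for v in m.group("fixed").split(",") if v.strip())
        findings.append(Finding(m.group("cve"), m.group("package"), m.group("installed"), fixed))
    return findings


def is_fixed(candidate: str, fixed_versions: tuple[str, ...]) -> bool:
    """ASSUMED semantics: each fixed version covers its own major.minor branch from
    that patch level upward, and any branch newer than the newest listed one is fixed.
    A candidate below the oldest fixed branch, or on a listed branch but below its
    fixed patch level, is still vulnerable."""
    cand = parse_version(candidate)
    branches = []
    for fv in fixed_versions:
        f = parse_version(fv)
        branches.append(f[:2])
        if cand[:2] == f[:2] and cand >= f:
            return True
    return bool(branches) and cand[:2] > max(branches)


def triage(findings: list[Finding], candidates: dict[str, str]) -> dict[str, list[str]]:
    """Bucket CVEs by whether the candidate version for their package clears them.
    candidates maps scanner package name -> version you intend to ship
    (for github.com/golang/go: the toolchain that built the gosu binary)."""
    result: dict[str, list[str]] = {"cleared": [], "still_vulnerable": [], "no_candidate": []}
    for f in findings:
        cand = candidates.get(f.package)
        if cand is None:
            result["no_candidate"].append(f.cve)
        elif is_fixed(cand, f.fixed):
            result["cleared"].append(f.cve)
        else:
            result["still_vulnerable"].append(f.cve)
    return result


if __name__ == "__main__":
    # Hypothetical candidate versions; replace with what `go version -m` reports
    # for the gosu binary and with the certifi version pinned in the image.
    plan = {"github.com/golang/go": "1.19.9", "certifi": "2024.2.2"}
    for bucket, cves in triage(parse_rows(SAMPLE_REPORT), plan).items():
        print(f"{bucket}: {', '.join(cves) or '-'}")
```

The point of the `still_vulnerable` bucket is that a bump does not clear every row at once: a Go 1.19.9 toolchain would satisfy the [1.19.8, 1.20.3] row but not the [1.19.10, 1.20.5] rows, so the check has to be per CVE, not per package. Re-run the scanner on the rebuilt image afterwards; this script only predicts what the scanner should report, it does not replace it.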