Security Vulnerabilities
Name and Version
bitnami/fluent-bit:1.9.6
What steps will reproduce the bug?
Vulnerabilities scanned by PRISMA tool
What do you see instead?
Our Security Scanning tools have identified CVEs in the following components listed. Can you please review this and provide an update on the following:
- Documentation that explains the mitigation strategy that we can apply to reduce the severity level
- Details on when this is going to be fixed, with the expected version number

Container: fluent-bit
Latest Version in use: 1.9.6

CVE-2021-3999
CVE-2016-2781
CVE-2021-31879
CVE-2021-33560
CVE-2020-16156
CVE-2021-36084
CVE-2021-36085
CVE-2021-36086
CVE-2021-36087
CVE-2022-29458
CVE-2022-1304
CVE-2022-1586
CVE-2022-1587
CVE-2019-8457
CVE-2022-2097
CVE-2022-2509
CVE-2022-37434
Thanks
Hi, unfortunately, those security vulnerabilities are not fixed by the OS or the application itself, so although we build the images on a regular basis to provide the latest version of system packages, this kind of CVE will be reported while there is no new version patching the issue in the OS or the application.
$ trivy image --ignore-unfixed bitnami/fluent-bit
2022-08-12T10:26:16.759Z INFO Vulnerability scanning is enabled
2022-08-12T10:26:16.759Z INFO Secret scanning is enabled
2022-08-12T10:26:16.759Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-08-12T10:26:16.759Z INFO Please see also https://aquasecurity.github.io/trivy/v0.29.2/docs/secret/scanning/#recommendation for faster secret detection
2022-08-12T10:26:18.673Z INFO Detected OS: debian
2022-08-12T10:26:18.674Z INFO Detecting Debian vulnerabilities...
2022-08-12T10:26:18.689Z INFO Number of language-specific files: 0
bitnami/fluent-bit (debian 11.4)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
The Bitnami Application Catalog (OpenSource) is based on Debian 11 but Bitnami, as part of VMware, provides a custom container and Helm Charts catalog based on the desired base image (generic distro such as Debian 10 & 11, CentOS 7, PhotonOS 3 & 4, Ubuntu 18.04 & 20.04, or custom golden image) through the VMware Tanzu Application Catalog.
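The maintainer's reply turns on one distinction: a scanner finding is only actionable for an image maintainer when the distro ships a patched package, which is exactly what `--ignore-unfixed` filters on. The script below is an added example (not code from this issue, from Bitnami or from the Trivy project) that applies the same triage to Trivy's JSON output (`trivy image --format json`), whose real layout is `Results[].Vulnerabilities[]` with a `FixedVersion` field that is empty or absent when no fix exists. The embedded report is constructed for the example: the package names, versions and the one "fixable" entry are illustrative, not real scan results for this image.

```python
"""Split a Trivy JSON report into fixable and not-yet-fixable findings.

Findings with a FixedVersion can be closed by rebuilding the image with
newer packages; the rest wait on an upstream (distro/application) fix,
which is what `trivy image --ignore-unfixed` hides.
"""
import json
from typing import Dict, List, Tuple

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the shape of Trivy's JSON output; NOT a real scan.
# CVE-2022-37434 (zlib) and CVE-2021-3999 (glibc) are taken from the issue
# above; versions are illustrative, and the third entry is a placeholder
# invented purely to show what a fixable finding looks like.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "bitnami/fluent-bit:1.9.6",
    "Results": [
        {
            "Target": "bitnami/fluent-bit:1.9.6 (debian 11.4)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-37434", "PkgName": "zlib1g",
                 "InstalledVersion": "1:1.2.11.dfsg-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2021-3999", "PkgName": "libc6",
                 "InstalledVersion": "2.31-13+deb11u3", "Severity": "HIGH",
                 "FixedVersion": ""},
                {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example-pkg",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "HIGH"},
            ],
        }
    ],
})


def parse_report(text: str) -> List[Dict]:
    """Flatten every Results[].Vulnerabilities[] entry into one list.

    Each entry is tagged with its Target so OS-package and language-library
    results from the same scan stay distinguishable.
    """
    data = json.loads(text)
    findings: List[Dict] = []
    for result in data.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            entry = dict(vuln)
            entry["Target"] = result.get("Target", "")
            findings.append(entry)
    return findings


def is_fixable(vuln: Dict) -> bool:
    """Trivy leaves FixedVersion empty or absent when no patched package exists."""
    return bool((vuln.get("FixedVersion") or "").strip())


def split_fixable(findings: List[Dict]) -> Tuple[List[Dict], List[Dict]]:
    """Return (fixable, unfixed); `fixable` is what --ignore-unfixed would report."""
    fixable = [v for v in findings if is_fixable(v)]
    unfixed = [v for v in findings if not is_fixable(v)]
    return fixable, unfixed


def severity_totals(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per severity; unknown labels fold into UNKNOWN."""
    totals = {s: 0 for s in SEVERITIES}
    for v in findings:
        sev = str(v.get("Severity", "UNKNOWN")).upper()
        totals[sev if sev in totals else "UNKNOWN"] += 1
    return totals


def summary_line(findings: List[Dict]) -> str:
    """Render the same 'Total: N (...)' line Trivy prints in table mode."""
    totals = severity_totals(findings)
    parts = ", ".join(f"{s}: {totals[s]}" for s in SEVERITIES)
    return f"Total: {len(findings)} ({parts})"


if __name__ == "__main__":
    fixable, unfixed = split_fixable(parse_report(SAMPLE_REPORT))
    print("Fixable (rebuild the image):", summary_line(fixable))
    for v in fixable:
        print(f"  {v['VulnerabilityID']} {v['PkgName']} "
              f"{v['InstalledVersion']} -> {v['FixedVersion']}")
    print("Waiting on upstream fix:", summary_line(unfixed))
    for v in unfixed:
        print(f"  {v['VulnerabilityID']} {v['PkgName']} {v['InstalledVersion']}")
```

Run it against a real report with `trivy image --format json -o report.json <image>` and pass the file's contents to `parse_report`. The "waiting on upstream" list is the one to track against the distro's security tracker; the "fixable" list is the one an image rebuild can actually clear, and it is the only list worth gating a build on.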
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
Looks like these issues are not solved.
At this moment there is no fixable CVE in the container image:
trivy image --ignore-unfixed bitnami/fluent-bit:latest
2022-09-09T07:57:52.978Z INFO Vulnerability scanning is enabled
2022-09-09T07:57:52.979Z INFO Secret scanning is enabled
2022-09-09T07:57:52.979Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-09T07:57:52.979Z INFO Please see also https://aquasecurity.github.io/trivy/v0.31.2/docs/secret/scanning/#recommendation for faster secret detection
2022-09-09T07:57:55.380Z INFO Detected OS: debian
2022-09-09T07:57:55.380Z INFO Detecting Debian vulnerabilities...
2022-09-09T07:57:55.393Z INFO Number of language-specific files: 0
bitnami/fluent-bit:latest (debian 11.4)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
The reported security vulnerabilities are not fixed by the OS or the application itself, so although we build the images on a regular basis to provide the latest version of system packages, this kind of CVE will be reported while there is no new version patching the issue in the OS or the application.