Security Vulnerabilities in fluent-bit container
Name and Version
bitnami/fluent-bit:1.9.7
What steps will reproduce the bug?
Vulnerabilities scanned by the PRISMA tool.
What do you see instead?
Component | Version | Vulnerability | Severity |
---|---|---|---|
ncurses | 6.2+20201114-2 | CVE-2022-29458 | low |
openssl | 1.1.1n-0+deb11u3 | CVE-2022-2097 | low |
pcre2 | 10.36-2 | CVE-2022-1587 | low |
pcre2 | 10.36-2 | CVE-2022-1586 | low |
e2fsprogs | 1.46.2-2 | CVE-2022-1304 | low |
glibc | 2.31-13+deb11u3 | CVE-2021-3999 | low |
libsepol | 3.1-1 | CVE-2021-36087 | low |
libsepol | 3.1-1 | CVE-2021-36086 | low |
libsepol | 3.1-1 | CVE-2021-36085 | low |
libsepol | 3.1-1 | CVE-2021-36084 | low |
libgcrypt20 | 1.8.7-6 | CVE-2021-33560 | low |
db5.3 | 5.3.28+dfsg1-0.8 | CVE-2019-8457 | low |
curl | 7.74.0-1.3+deb11u2 | CVE-2022-35252 | low |
perl | 5.32.1-4+deb11u2 | CVE-2020-16156 | low |
coreutils | 8.32-4 | CVE-2016-2781 | low |
Hi, unfortunately those security vulnerabilities are not fixed by the OS or the application itself, so although we build the images on a regular basis to provide the latest version of the system packages, this kind of CVE will be reported while there is no new version patching the issue in the OS or the application.
Scanning the mentioned container image with the `--ignore-unfixed` flag, there are no CVEs:

```
$ trivy image --ignore-unfixed bitnami/fluent-bit:1.9.7
2022-09-09T07:51:01.560Z INFO Need to update DB
2022-09-09T07:51:01.560Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-09-09T07:51:01.560Z INFO Downloading DB...
33.84 MiB / 33.84 MiB [----------------------------------------] 100.00% 28.81 MiB p/s 1.4s
2022-09-09T07:51:03.269Z INFO Vulnerability scanning is enabled
2022-09-09T07:51:03.269Z INFO Secret scanning is enabled
2022-09-09T07:51:03.269Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-09T07:51:03.269Z INFO Please see also https://aquasecurity.github.io/trivy/v0.31.2/docs/secret/scanning/#recommendation for faster secret detection
2022-09-09T07:51:06.945Z INFO Detected OS: debian
2022-09-09T07:51:06.945Z INFO Detecting Debian vulnerabilities...
2022-09-09T07:51:06.958Z INFO Number of language-specific files: 0

bitnami/fluent-bit:1.9.7 (debian 11.4)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
The Bitnami Application Catalog (OpenSource) is based on Debian 11 but Bitnami, as part of VMware, provides a custom container and Helm Charts catalog based on the desired base image (generic distro such as Debian 10 & 11, CentOS 7, PhotonOS 3 & 4, Ubuntu 18.04, 20.04 & 22.04, or custom golden image) through the VMware Tanzu Application Catalog.
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Any updates on the underlying Host OS patching?
There isn't any fixable CVE in the latest published image:

```
$ trivy image --ignore-unfixed bitnami/fluent-bit:latest
2022-09-30T13:25:23.759Z INFO Need to update DB
2022-09-30T13:25:23.759Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-09-30T13:25:23.759Z INFO Downloading DB...
34.29 MiB / 34.29 MiB [----------------------------------------] 100.00% 27.64 MiB p/s 1.4s
2022-09-30T13:25:25.525Z INFO Vulnerability scanning is enabled
2022-09-30T13:25:25.525Z INFO Secret scanning is enabled
2022-09-30T13:25:25.525Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-30T13:25:25.525Z INFO Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-09-30T13:25:27.430Z INFO Detected OS: debian
2022-09-30T13:25:27.430Z INFO Detecting Debian vulnerabilities...
2022-09-30T13:25:27.443Z INFO Number of language-specific files: 0

bitnami/fluent-bit:latest (debian 11.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
About the unfixable CVEs in the underlying OS, my suggestion would be to ask in the Debian forum.
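Both maintainer replies above rely on the same distinction: `--ignore-unfixed` drops findings for which Debian ships no fixed package, so a rebuild of the image cannot make them go away. The following Python script is an added example, not code from bitnami/containers or from Trivy, that applies that distinction to Trivy's JSON report (`trivy image -f json`, schema version 2; it assumes, as that format does in the author's experience, that a finding with no fix available simply carries no `FixedVersion` key). It separates fixable from unfixed findings, gates a build only on fixable CVEs, and diffs two scans so the "any updates?" question is answered mechanically on every rebuild. The two reports are constructed inline from the CVE table in this issue; the openssl and curl version pairs that make a finding fixable are placeholders to exercise that path, not Debian advisory data, and every function name here is hypothetical.

```python
"""Triage Trivy JSON reports: fixable vs. unfixed, a CI gate, and a scan diff.

Added example (not bitnami/containers or Trivy code). Assumes Trivy's JSON
schema v2, where a finding without an available fix has no "FixedVersion" key.
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on Trivy JSON output for the 1.9.7 image. The
# four unfixed rows reuse package/CVE pairs from the reporter's table; the
# openssl row is constructed to exercise the fixable path (its version pair is
# a placeholder, not the real Debian advisory data).
REPORT_1_9_7 = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "bitnami/fluent-bit:1.9.7",
    "Results": [{
        "Target": "bitnami/fluent-bit:1.9.7 (debian 11.4)",
        "Class": "os-pkgs", "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-29458", "PkgName": "ncurses",
             "InstalledVersion": "6.2+20201114-2", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-2022-1587", "PkgName": "pcre2",
             "InstalledVersion": "10.36-2", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-2021-3999", "PkgName": "glibc",
             "InstalledVersion": "2.31-13+deb11u3", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-2022-35252", "PkgName": "curl",
             "InstalledVersion": "7.74.0-1.3+deb11u2", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-2022-2097", "PkgName": "openssl",
             "InstalledVersion": "1.1.1n-0+deb11u2",
             "FixedVersion": "1.1.1n-0+deb11u3", "Severity": "LOW"},
        ],
    }],
})

# Constructed follow-up scan of a rebuilt image: the openssl finding is gone,
# curl now carries a (placeholder) fix version, the rest are still unfixed.
REPORT_LATEST = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "bitnami/fluent-bit:latest",
    "Results": [{
        "Target": "bitnami/fluent-bit:latest (debian 11.5)",
        "Class": "os-pkgs", "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-29458", "PkgName": "ncurses",
             "InstalledVersion": "6.2+20201114-2", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-2022-1587", "PkgName": "pcre2",
             "InstalledVersion": "10.36-2", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-2021-3999", "PkgName": "glibc",
             "InstalledVersion": "2.31-13+deb11u3", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-2022-35252", "PkgName": "curl",
             "InstalledVersion": "7.74.0-1.3+deb11u2",
             "FixedVersion": "7.74.0-1.3+deb11u3", "Severity": "LOW"},
        ],
    }],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def split_findings(report_json: str) -> Tuple[List[dict], List[dict]]:
    """Split a report into (fixable, unfixed): the test --ignore-unfixed applies,
    a finding is fixable iff the distro publishes a FixedVersion for it."""
    report = json.loads(report_json)
    fixable: List[dict] = []
    unfixed: List[dict] = []
    for result in report.get("Results", []):
        # "Vulnerabilities" is omitted entirely for clean targets, hence `or []`
        for finding in result.get("Vulnerabilities") or []:
            (fixable if finding.get("FixedVersion") else unfixed).append(finding)
    return fixable, unfixed


def gate(report_json: str, fail_on: str = "HIGH") -> Dict[str, object]:
    """CI decision: block only on fixable findings at or above `fail_on`.
    Unfixed findings are returned for tracking but never fail the build, since
    rebuilding cannot remove them until the distro ships a fix."""
    fixable, unfixed = split_findings(report_json)
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = sorted(
        f["VulnerabilityID"] for f in fixable
        if SEVERITY_RANK.get(f.get("Severity", "UNKNOWN").upper(), 0) >= threshold
    )
    return {
        "passed": not blocking,
        "blocking": blocking,
        "tracked_unfixed": sorted(f["VulnerabilityID"] for f in unfixed),
    }


def diff_scans(old_json: str, new_json: str) -> Dict[str, Set[str]]:
    """Answer "any updates?" mechanically: which old findings are gone, which
    previously unfixed ones gained a fix, and which still wait on the distro."""
    old_fixable, old_unfixed = split_findings(old_json)
    new_fixable, new_unfixed = split_findings(new_json)
    ids = lambda findings: {f["VulnerabilityID"] for f in findings}
    old_all, old_open = ids(old_fixable + old_unfixed), ids(old_unfixed)
    return {
        "resolved": old_all - ids(new_fixable + new_unfixed),
        "now_fixable": old_open & ids(new_fixable),
        "still_unfixed": old_open & ids(new_unfixed),
    }


if __name__ == "__main__":
    print(json.dumps(gate(REPORT_1_9_7, fail_on="LOW"), indent=2))
    print({k: sorted(v) for k, v in diff_scans(REPORT_1_9_7, REPORT_LATEST).items()})
```

To use it against a real image, produce the report with `trivy image -f json -o report.json bitnami/fluent-bit:1.9.7` and pass the file contents to `gate()`; the `tracked_unfixed` list is what belongs in a suppression list for a scanner such as Prisma, and `diff_scans()` over the previous and current report tells you when a suppressed entry has to come out because Debian has shipped a fix.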