cp-docker-images
Debian as base image has vulnerabilities
Please replace it and change to another one that has no vulnerabilities or fix it. Alpine can be an alternative.
@nimosunbit hey! Thank you for the heads up. Could you please provide more information about the vulnerability you're talking about? In which version of the image was it fixed?
Cheers Vik
@gAmUssA There are many, almost all of them related to the OS. Some examples:
- zlib1g (zlib) version 1:1.2.8.dfsg-2 has 4 vulnerabilities
- util-linux version 2.25.2-6 has 2 vulnerabilities
- etc.
There are 47 high, 89 medium and 48 low. All of them are due to the OS version. I can check if there is a Debian version without vulnerabilities if you want.
Please also note that there are some other vulnerabilities, but I think it's better to start from bottom to top in this case.
@gAmUssA Also note that it violates SOC2 compliance which means that developers that are under these restrictions are not able to use these images as is.
We are also facing the image vulnerabilities in the Confluent images. At a high level, below is the state:
And these are high severity CVEs found.
CVEs: CVE-2014-9761, CVE-2016-2779, CVE-2016-9841, CVE-2016-9843, CVE-2017-1000408, CVE-2017-12424, CVE-2017-14062, CVE-2017-16997, CVE-2017-18269, CVE-2018-1000001, CVE-2018-1000654, CVE-2018-6485, CVE-2018-6551, CVE-2018-6797, CVE-2018-6954
+1 Would also love a debian bump, or a move to alpine
+1
We found multiple vulnerabilities while scanning the images as well. Starting with 2 unique criticals:
| Package | Version | Description | Reference |
| --- | --- | --- | --- |
| requests | 2.11.1 | The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. | https://www.cvedetails.com/cve/CVE-2018-18074/ |
| PyYAML | 3.13 | In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used. | https://www.cvedetails.com/cve/CVE-2017-18342/ |
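For readers who want to see what the CVE-2018-18074 finding above actually means for a redirect-following client, here is an added example (not code from this issue, from the cp-docker-images project, or from the requests library itself) of the header-stripping rule a fixed client must apply: the `Authorization` header is dropped whenever a redirect changes the host, downgrades https to http, or changes the port, and is only kept for a same-host redirect that stays on the same origin or upgrades http to https on the default ports. The function names and the `registry.example` URLs are constructed for the demonstration.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url):
    """Port actually used by the URL, filling in the scheme default when absent."""
    parsed = urlparse(url)
    return parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)


def should_strip_auth(old_url, new_url):
    """True when an Authorization header sent to old_url must NOT be replayed to new_url.

    Rule modelled on the behaviour described in the CVE-2018-18074 entry (hypothetical
    implementation, not the library's own): strip on any hostname change, on an
    https -> http downgrade, and on a port change; keep it for a same-host
    http -> https upgrade on the default ports, which does not widen exposure.
    """
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    old_port, new_port = effective_port(old_url), effective_port(new_url)
    if old.scheme == "http" and new.scheme == "https" and old_port == 80 and new_port == 443:
        return False
    return old.scheme != new.scheme or old_port != new_port


def headers_for_redirect(headers, old_url, new_url):
    """Copy of the outgoing headers, minus Authorization when the rule says to strip it."""
    strip = should_strip_auth(old_url, new_url)
    # Header names are case-insensitive, so match on the lowercased key.
    return {k: v for k, v in headers.items() if not (strip and k.lower() == "authorization")}


if __name__ == "__main__":
    # Constructed scenario from the finding: same-hostname https -> http redirect.
    original = {"Authorization": "Bearer EXAMPLE-TOKEN", "Accept": "*/*"}
    print(headers_for_redirect(original,
                               "https://registry.example/api",
                               "http://registry.example/api"))
```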
Do we have support for RPM-based images?
Going to bump this issue as we are seeing a number of high CVEs being reported due to Debian Jessie. Are there any plans to update the Debian images to a newer version?
If it'll be accepted, I can work on updating the current images to the latest stable Debian (buster), provided someone can review my work and there are enough CI pipelines around this to make sure nothing breaks.
Any update on this issue? We have noticed it too. Wondering why Confluent is not serious about this?
We are running into this issue as well... @ewencp @elismaga @andrewegel (tagged due to recent merge activity)
Is there anything we can do to get traction on this? If I or someone else did the work to update to the latest Debian version, is there a reasonable expectation that we could get the changes merged upstream?
@nimosunbit @neeraj2k6 @DevonPeroutky @ReinoutW @trellotest @KealanM @hashhar @sherry-ummen @elijah-roberts First, I apologize that it has taken so long for someone to respond to you about this. As of the 5.4.0 version of the Confluent Platform we started releasing images based on RHEL UBI8. Those images are kept up to date and any security issues in those images will get addressed promptly. We also sent out a deprecation notice about the Debian images at that same time, and as of the next release, 6.0.0, we will no longer be releasing Debian-based images. Starting with the 5.4.0 release this repo itself is also deprecated. You can find the scripts for the new base images in the following repo: https://github.com/confluentinc/common-docker
Thank you Eli for commenting on this. OP can you please close the issue?