
Update alpine to resolve vulnerabilities

Open ngraef opened this issue 4 years ago • 1 comment

What you expected to happen?

Please update the base image and rebuild to pull in security fixes.

What happened?

Prisma/twistlock scans of the latest weave-kube and weave-npc images report 40+ vulnerabilities, including 23 with a CVSS score of critical or high severity.

weave-kube:2.8.1 [screenshot of scan results, 2021-08-30]
weave-npc:2.8.1 [screenshot of scan results, 2021-08-30]

Anything else we need to know?

Alpine 3.10, the current base image, reached end of support on 2021-05-01.

I do not have enough knowledge of weave internals to determine whether any of these vulnerabilities can be exploited. I'm happy to provide more info about the specific CVEs if needed, but I imagine most/all of these can be resolved by pulling in base image updates.

Versions:

  • weaveworks/weave-kube:2.8.1
  • weaveworks/weave-npc:2.8.1

ngraef avatar Aug 30 '21 17:08 ngraef
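The issue's point is that the base image, not weave's own code, is what the scanner flags, so the first check a maintainer or operator wants is the Alpine release a built image actually carries versus the oldest release still supported. The POSIX shell script below is an added example, not part of weave's tooling or of this issue; it assumes the image is Alpine-based (so `/etc/alpine-release` exists) and that the caller supplies the minimum supported release from the Alpine release page, since the issue only states that 3.10 is out of support.

```shell
#!/bin/sh
# Added example: flag container images whose Alpine base release is older
# than the oldest release still receiving security fixes.
# Assumptions (not from the issue): the image ships /etc/alpine-release,
# and MIN_SUPPORTED is maintained by the operator from
# https://alpinelinux.org/releases/ (the issue only says 3.10 is EOL).

# version_ge A B : succeed when Alpine release A >= B (major.minor compare,
# patch level ignored, e.g. 3.10.9 is treated as 3.10)
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]
}

# alpine_release_status RELEASE MIN_SUPPORTED : prints "ok" or "eol"
alpine_release_status() {
    if version_ge "$1" "$2"; then echo ok; else echo eol; fi
}

# check_image IMAGE MIN_SUPPORTED : read the release file out of the image
# (entrypoint overridden because weave images set their own) and report.
# Returns 0 when supported, 1 when EOL, 2 when the image could not be read.
check_image() {
    rel=$(docker run --rm --entrypoint cat "$1" /etc/alpine-release) || return 2
    status=$(alpine_release_status "$rel" "$2")
    printf '%s alpine %s: %s\n' "$1" "$rel" "$status"
    [ "$status" = ok ]
}

# Usage: ./check_base.sh weaveworks/weave-kube:2.8.1 <min-supported-release>
if [ "$#" -ge 1 ]; then
    check_image "$1" "${2:?minimum supported Alpine release required}"
fi
```

Running it against the two image tags listed in the issue would print the Alpine release each one carries and exit non-zero for an EOL base, which makes the check easy to wire into a CI job that fails a build before the image is pushed.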

Any thoughts? This project looks like it's no longer maintained.

ngraef avatar Oct 20 '21 17:10 ngraef