open security vulnerabilities on the latest fluent-bit version #8117
Comments
What OS/target are you looking at and with what tool? If the CVEs are related to the OS-supplied libraries that Fluent Bit depends on, then the resolution would need to be provided by those upstream providers (if they deem it necessary to fix). If it is related to the vendored dependencies (see https://github.com/fluent/fluent-bit/tree/master/lib) then these can indeed be controlled by Fluent Bit, and the ETA will be greatly improved by submitting a PR to contribute the change.

What analysis have you done to confirm these are indeed relevant and impacting Fluent Bit? I had a look at the first one initially to check and this is marked as won't fix by Red Hat for example (https://nvd.nist.gov/vuln/detail/CVE-2010-0928), plus it seems to be referencing OpenSSL 0.9.8 - depending on the target we should be using either OpenSSL 1.x+ or 3.x+ (see #7644 for work to step up), so it feels like this is a false positive or something dragged in by other dependencies. Again, likely target-specific, but it's hard to say without those details.

And CVE-2023-4911 as well. We need to wait for the next release to fix the vulnerabilities, since the docker image is distroless and it requires additional effort to perform a package upgrade on your own.

I am not sure which Debian version is used here, because I see several in the Dockerfile.
Distroless images are used as the base image for the production image: https://docs.fluentbit.io/manual/installation/docker#why-use-distroless-containers (fluent-bit/dockerfiles/Dockerfile, line 155 in 3ce15c6)

The system dependencies are pulled at the time of image build (i.e. for the release), so it should pull any fixes from upstream repositories at that point. Each time a release is made it will get a snapshot of the system dependencies at that point - these are outside of Fluent Bit's control. As new CVEs are found and fixed all the time, you should be stepping up to the latest release - backporting of fixes is not done for older releases for OSS versions. We do not overwrite images once released. Enterprise providers exist if you need this: https://fluentbit.io/enterprise/

Stepping up to Bookworm should just be a case of updating the Dockerfile (assuming there is a distroless version for it), so please submit a PR, as contribution will always help speed it up. We may need to handle any dependency changes (e.g. a package may be renamed, extra packages are required, or some can be removed).

We also have nightly builds if you want to verify if something is fixed in the next release. Trivy is reporting no critical or high CVEs as part of the nightly build: https://github.com/fluent/fluent-bit/actions/runs/7284609185/job/19852008314

Note we ignore unfixed vulnerabilities here - there is nothing we can do for those, as they must come from upstream. These are the results I get with Grype at this specific point in time (i.e. the nightly build from yesterday and the current vulnerability database right now):

As you can see, some are "won't fix" as well.
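As an added illustration of the triage the comment above describes (separating findings that a rebuild on a current base can pick up from ones that are won't-fix or unfixed upstream), not code from the Fluent Bit project: the report below is constructed in the shape of a Grype JSON report (assumed fields `matches[].vulnerability.{id,severity,fix.state,fix.versions}` and `matches[].artifact.{name,version}`), and the package names and versions are made up.

```python
import json
from collections import defaultdict

# Constructed sample report; CVE ids are the ones discussed in this thread,
# package names/versions are invented and not real scanner output.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2023-4911", "severity": "High",
                           "fix": {"state": "fixed", "versions": ["2.31-13+deb11uX"]}},
         "artifact": {"name": "libc6", "version": "2.31-13+deb11uY"}},
        {"vulnerability": {"id": "CVE-2010-0928", "severity": "Medium",
                           "fix": {"state": "wont-fix", "versions": []}},
         "artifact": {"name": "libssl1.1", "version": "1.1.1n-0+deb11uZ"}},
        {"vulnerability": {"id": "CVE-2023-45853", "severity": "Critical",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "zlib1g", "version": "1:1.2.11.dfsg-2+deb11uW"}},
    ]
})

# "fixed" means the distro ships a newer package: rebuilding on a current base
# picks it up. Anything else can only be resolved upstream, so it is deferred.
ACTIONABLE_STATES = {"fixed"}
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Negligible": 4}


def triage(report_json):
    """Split scanner findings into what an image rebuild can fix and what it cannot."""
    buckets = defaultdict(list)
    for match in json.loads(report_json)["matches"]:
        vuln, pkg = match["vulnerability"], match["artifact"]
        fix = vuln.get("fix", {})
        state = fix.get("state", "unknown")
        bucket = "actionable" if state in ACTIONABLE_STATES else "deferred"
        buckets[bucket].append({
            "id": vuln["id"], "severity": vuln["severity"], "package": pkg["name"],
            "installed": pkg["version"], "state": state, "fixed_in": fix.get("versions", []),
        })
    # Sort each bucket so Critical/High float to the top of the report.
    for findings in buckets.values():
        findings.sort(key=lambda f: SEVERITY_ORDER.get(f["severity"], 5))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, findings in triage(SAMPLE_REPORT).items():
        print(bucket)
        for f in findings:
            print(f"  {f['id']:<16}{f['severity']:<10}{f['package']} {f['installed']}"
                  f" -> {f['state']} {f['fixed_in']}")
```

Pointing the script at a real `grype -o json` report gives a quick split between "rebuild on a newer base" and "wait for upstream", which is the distinction the nightly-build scan above applies by ignoring unfixed entries.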
I will again implore folks to look at #8117 (comment), specifically the analysis aspect. Any time you can contribute to help improve the overall product will benefit yourselves and the rest of the community.

@patrick-stephens
It means that the base image is oldstable. Why? Can/should it be changed to stable-sec?
Sure, I suspect it is a hangover from the previous OpenSSL 1 usage, which is still in place for older targets, but there is an open issue on updating to OpenSSL 3, which should be supported now. (fluent-bit/dockerfiles/Dockerfile, line 111 in 3ce15c6)

The only problematic area might be transitive dependencies - if any of the other dependencies pull in OpenSSL 1. So, feel free to submit a PR to update the container image to do so. This will be the quickest way to test and verify it, plus get it into a release then. Similarly for any other dependencies there: if you think it needs updating, please add it.

@patrick-stephens I think the problem here is that the base image is bullseye (Debian 11) and not bookworm (Debian 12) - see https://github.com/fluent/fluent-bit/blob/master/dockerfiles/Dockerfile#L108.

I have been working on this issue as well, and I have a patch for this, which moves the base image to bookworm (debian-12). This also causes an issue with dependent projects like the grafana-labs fluent-bit plugin, which use the version 1.9.9 base image as well.

Do you have a PR @vasuarv ?

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the

This issue was closed because it has been stalled for 5 days with no activity.

I thought I had posted the comment previously. The build from the main branch did not have this issue.

#8916 should update the base image too

Critical CVE-2023-45853 is coming from upstream. How do we assess the criticality of this vulnerability in the Fluent Bit context?
There are several vulnerabilities, some over 10 years old, that are still present in the latest version. Do we have an ETA on when these will get resolved?
Here is the list:
CVE-2010-0928
CVE-2011-3389
CVE-2013-4392
CVE-2015-3276
CVE-2017-14159
CVE-2017-17740
CVE-2018-20796
CVE-2018-5709
CVE-2018-6829
CVE-2020-13529
CVE-2020-15719
CVE-2021-33560
CVE-2022-1304
CVE-2022-41862
CVE-2022-4899