Posted to dev@flink.apache.org by Konstantin Knauf <kn...@apache.org> on 2021/08/02 14:40:52 UTC

Re: Security Vulnerabilities with Flink OpenJDK Docker Image

Hi Daniel,

sorry for the late reply and thanks for the report. We'll look into this
and get back to you.

Cheers,

Konstantin

On Tue, Jun 15, 2021 at 4:33 AM Daniel Moore
<da...@sugarcrm.com.invalid> wrote:

> Hello All,
>
> We have been implementing a solution using the Flink image from
> https://github.com/apache/flink-docker/blob/master/1.13/scala_2.12-java11-debian/Dockerfile
> and it got flagged by our image repository for 3 major security
> vulnerabilities:
>
> CVE-2017-8804
> CVE-2019-25013
> CVE-2021-33574
>
> All of these stem from the `glibc` packages in the `openjdk:11-jre` image.
>
> We have a working image based on building Flink using the Amazon Corretto
> image -
> https://github.com/corretto/corretto-docker/blob/88df29474df6fc3f3f19daa8c5515d934f706cd0/11/jdk/al2/Dockerfile.
> This works although there are some issues related to linking
> `libjemalloc`. Before we fully test this new image we wanted to reach out
> to the community for insight on the following questions:
>
> 1. Are these vulnerabilities captured in an issue yet?
> 2. If so, when could we expect a new official image that contains the
> Debian fixes for these issues?
> 3. If not, how can we help contribute to a solution?
> 4. Are there officially supported non-Debian based Flink images?
>
> We appreciate the insights and look forward to working with the community
> on a solution.
>
>

-- 

Konstantin Knauf

https://twitter.com/snntrable

https://github.com/knaufk

Re: Security Vulnerabilities with Flink OpenJDK Docker Image

Posted by Chesnay Schepler <ch...@apache.org>.
To answer your questions:

1) yes, see https://issues.apache.org/jira/browse/FLINK-23221
2) Once an upstream image with the fix was released we will try to 
release new images ASAP.
3) No, there's nothing to do on the Flink side.
4) No, we only have the debian-based images.
