Posted to user@flink.apache.org by Prasanna kumar <pr...@gmail.com> on 2022/11/04 04:07:55 UTC

Vulnerabilities in Flink docker images

Hi Community ,

Looking at the Flink Docker images for upgrading, I found that there are
multiple vulnerabilities reported for both the 1.15 and 1.16 versions.
(https://dso.docker.com/images/flink?platform=linux%2Farm64)
[image: Screenshot 2022-11-04 at 9.26.35 AM.png]

Looking at a closer level, most of the vulnerabilities come from the
eclipse/jre layer, and there are no fixes available.

A few of them were reported months and years ago.

This gives us jitters about using them in production, as the images may
not be allowed to deploy by our internal security scan.

(Found out that Flink moved from OpenJDK to Temurin a couple of months ago.)

A few questions on the same:

How well is the Temurin package maintained?
Is the Temurin community as receptive as Flink's?
Would they fix these when reported from the Flink side?
How are the other Flink users managing these vulnerabilities?

(https://dso.docker.com/images/flink/digests/sha256%3A212e801b182dd49d0aa2728055c03c9c1346a2a62f6471b247658c0aed29d97c)
[image: Screenshot 2022-11-04 at 9.25.49 AM.png]


Thanks,
Prasanna.

Re: Vulnerabilities in Flink docker images

Posted by Yang Wang <da...@gmail.com>.
You can find the discussion about changing the base image here [1].

Unfortunately, Flink does not have a clear plan for fixing these
vulnerabilities other than waiting for the upstream fixes.

AFAIK, many users build their own image if they really care about
this. You can find the Dockerfile here [2].

[1] https://lists.apache.org/thread/1zp3xtloq4vmbgcbz0l16pq8ccxx3ls3
[2] https://github.com/apache/flink-docker/tree/master/1.16/scala_2.12-java8-ubuntu

Best,
Yang

On Fri, Nov 4, 2022 at 12:08, Prasanna kumar <pr...@gmail.com> wrote:
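The thread leaves open how a team actually decides whether an image like this may ship when the scanner flags findings that have no upstream fix. The following is an added example, not code from the thread or from the Flink project, of the deploy-gate policy many teams apply in that situation: block only on findings that are fixable by rebuilding the image (so the decision is actionable), track findings with no fixed version separately and attribute them to the layer that introduced them (here the JRE base layer versus the Flink layer), and allow time-boxed exceptions that expire rather than permanent ignores. The report format, the CVE identifiers, the package and layer names and the allowlist are all constructed for this example; real scanners such as Docker Scout or Trivy each have their own JSON schema, so the loader would be adapted to whatever your scanner emits.

```python
"""Deploy-gate triage of container-image scan findings.

Added example, not part of the mailing-list thread or of Flink.
All identifiers, packages and layers below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    package: str
    layer: str                      # image layer that introduced the package
    fixed_version: Optional[str]    # None when upstream has published no fix


# Constructed sample report (placeholder CVE ids, not real advisories).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("CVE-0000-0001", "HIGH", "libfoo", "eclipse-temurin:jre", None),
    Finding("CVE-0000-0002", "CRITICAL", "libbar", "eclipse-temurin:jre", "1.2.3-1ubuntu0.1"),
    Finding("CVE-0000-0003", "MEDIUM", "gosu", "flink", None),
    Finding("CVE-0000-0004", "LOW", "libbaz", "eclipse-temurin:jre", "0.9.9"),
]

# Time-boxed exceptions: a finding is accepted only until its ISO review date.
# Constructed for the example.
ALLOWLIST: Dict[str, str] = {"CVE-0000-0002": "2022-12-31"}


def triage(findings: List[Finding], min_severity: str = "HIGH",
           allowlist: Optional[Dict[str, str]] = None,
           today: Optional[str] = None) -> Dict[str, List[Finding]]:
    """Split findings into buckets that drive the deploy decision.

    blocking:         fixable, at/above threshold, not allowlisted -> rebuild the image
    waiting_upstream: at/above threshold but no fixed version exists -> track, a rebuild cannot fix it
    allowlisted:      accepted under an unexpired, time-boxed exception
    below_threshold:  everything else
    """
    allowlist = allowlist or {}
    day = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[min_severity]
    buckets: Dict[str, List[Finding]] = {
        "blocking": [], "waiting_upstream": [], "allowlisted": [], "below_threshold": []}
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            buckets["below_threshold"].append(f)
            continue
        review_by = allowlist.get(f.cve)
        if review_by is not None and day <= date.fromisoformat(review_by):
            buckets["allowlisted"].append(f)      # exception still valid
        elif f.fixed_version is None:
            buckets["waiting_upstream"].append(f)  # nothing to rebuild against
        else:
            buckets["blocking"].append(f)          # a rebuild would remove it
    return buckets


def by_layer(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per layer so the report shows which base layer carries the risk."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.layer] = counts.get(f.layer, 0) + 1
    return counts


def deploy_allowed(buckets: Dict[str, List[Finding]]) -> bool:
    """Gate only on actionable findings; unfixable ones are reported, not blocking."""
    return not buckets["blocking"]


def summarize(buckets: Dict[str, List[Finding]]) -> List[str]:
    lines = []
    for name, items in buckets.items():
        for f in items:
            fix = f.fixed_version or "no fix available"
            lines.append(f"{name:17} {f.cve} {f.severity:8} {f.package} [{f.layer}] -> {fix}")
    return lines


if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS, "HIGH", ALLOWLIST, today="2022-11-04")
    print("\n".join(summarize(result)))
    print("per layer:", by_layer(SAMPLE_FINDINGS))
    print("deploy allowed:", deploy_allowed(result))
```

With the constructed report, on 2022-11-04 the only HIGH-or-above finding with a fix is covered by a still-valid exception, the unfixable one is reported under waiting_upstream, and the deploy is allowed; run again after the exception's review date, the same finding becomes blocking and the gate closes, which is the point of making exceptions expire rather than ignoring a CVE permanently.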