You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@flink.apache.org by "James Busche (Jira)" <ji...@apache.org> on 2022/05/21 02:03:00 UTC
[jira] [Created] (FLINK-27728) dockerFile build results in five vulnerabilities
James Busche created FLINK-27728:
------------------------------------
Summary: dockerFile build results in five vulnerabilities
Key: FLINK-27728
URL: https://issues.apache.org/jira/browse/FLINK-27728
Project: Flink
Issue Type: Bug
Components: Kubernetes Operator
Affects Versions: kubernetes-operator-0.1.0
Reporter: James Busche
Fix For: kubernetes-operator-1.0.0
A Twistlock security scan of the default flink-kubernetes-operator currently shows five fixable vulnerabilities. One [~wangyang0918] and I are trying to fix in [FLINK-27654|https://issues.apache.org/jira/browse/FLINK-27654].
The other four are easily addressable if we update the underlying OS. I'll propose a PR for this later this evening.
The four vulnerabilities are:
1. packageName: gzip
severity: Low
cvss: 0
riskFactors: Has fix,Recent vulnerability
CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-1271]
Description: DOCUMENTATION: No description is available for this CVE. STATEMENT: This bug was introduced in gzip-1.3.10 and is relatively hard to exploit. Red Hat Enterprise Linux 6 was affected but Out of Support Cycle because gzip was not listed in Red Hat Enterprise Linux 6 ELS Inclusion List. [https://access.redhat.com/articles/4997301] MITIGATION: Red Hat has investigated whether possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
2. packageName: openssl
severity: Critical
cvss: 9.8
riskFactors: Attack complexity: low,Attack vector: network,Critical severity,Has fix,Recent vulnerability
CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-1292]
Description:
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
3. packageName: zlib
severity: High
cvss: 7.5
riskFactors: Attack complexity: low,Attack vector: network,Has fix,High severity
CVE Link: [https://security-tracker.debian.org/tracker/CVE-2018-25032]
Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
4. packageName: openldap
severity: Critical
cvss: 9.8
riskFactors: Attack complexity: low,Attack vector: network,Critical severity,Has fix,Recent vulnerability
CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-29155]
Description: In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)