Posted to dev@flink.apache.org by "James Busche (Jira)" <ji...@apache.org> on 2022/05/21 02:03:00 UTC

[jira] [Created] (FLINK-27728) dockerFile build results in five vulnerabilities

James Busche created FLINK-27728:
------------------------------------

             Summary: dockerFile build results in five vulnerabilities
                 Key: FLINK-27728
                 URL: https://issues.apache.org/jira/browse/FLINK-27728
             Project: Flink
          Issue Type: Bug
          Components: Kubernetes Operator
    Affects Versions: kubernetes-operator-0.1.0
            Reporter: James Busche
             Fix For: kubernetes-operator-1.0.0


A Twistlock security scan of the default flink-kubernetes-operator currently shows five fixable vulnerabilities.  One [~wangyang0918] and I are trying to fix in [FLINK-27654|https://issues.apache.org/jira/browse/FLINK-27654].

The other four are easily addressable if we update the underlying OS.  I'll propose a PR for this later this evening.

The four vulnerabilities are:

1. packageName: gzip
   severity: Low
   cvss: 0
   riskFactors: Has fix,Recent vulnerability
   CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-1271]
   Description: DOCUMENTATION: No description is available for this CVE. STATEMENT: This bug was introduced in gzip-1.3.10 and is relatively hard to exploit. Red Hat Enterprise Linux 6 was affected but Out of Support Cycle because gzip was not listed in Red Hat Enterprise Linux 6 ELS Inclusion List. [https://access.redhat.com/articles/4997301] MITIGATION: Red Hat has investigated whether possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.

2. packageName: openssl
   severity: Critical
   cvss: 9.8
   riskFactors: Attack complexity: low,Attack vector: network,Critical severity,Has fix,Recent vulnerability
   CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-1292]
   Description: The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).

3. packageName: zlib
   severity: High
   cvss: 7.5
   riskFactors: Attack complexity: low,Attack vector: network,Has fix,High severity
   CVE Link: [https://security-tracker.debian.org/tracker/CVE-2018-25032]
   Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

4. packageName: openldap
   severity: Critical
   cvss: 9.8
   riskFactors: Attack complexity: low,Attack vector: network,Critical severity,Has fix,Recent vulnerability
   CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-29155]
   Description: In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.

--
This message was sent by Atlassian Jira
(v8.20.7#820007)