James Busche created FLINK-27728:
------------------------------------
Summary: dockerFile build results in five vulnerabilities
Key: FLINK-27728
URL: https://issues.apache.org/jira/browse/FLINK-27728
Project: Flink
Issue Type: Bug
Components: Kubernetes Operator
Affects Versions: kubernetes-operator-0.1.0
Reporter: James Busche
Fix For: kubernetes-operator-1.0.0
A Twistlock security scan of the default flink-kubernetes-operator currently
shows five fixable vulnerabilities. One [~wangyang0918] and I are trying to
fix in [FLINK-27654|https://issues.apache.org/jira/browse/FLINK-27654].
The other four are easily addressable if we update the underlying OS. I'll
propose a PR for this later this evening.
The four vulnerabilities are:
1. packageName: gzip
severity: Low
cvss: 0
riskFactors: Has fix,Recent vulnerability
CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-1271]
Description: DOCUMENTATION: No description is available for this CVE.
STATEMENT: This bug was introduced in gzip-1.3.10 and is relatively hard to
exploit. Red Hat Enterprise Linux 6 was affected but Out of Support Cycle
because gzip was not listed in Red Hat Enterprise Linux 6 ELS Inclusion List.
[https://access.redhat.com/articles/4997301] MITIGATION: Red Hat
has investigated whether possible mitigation exists for this issue, and has not
been able to identify a practical example. Please update the affected package
as soon as possible.
2. packageName: openssl
severity: Critical
cvss: 9.8
riskFactors: Attack complexity: low,Attack vector: network,Critical
severity,Has fix,Recent vulnerability
CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-1292]
Description:
The c_rehash script does not properly sanitise shell metacharacters to prevent
command injection. This script is distributed by some operating systems in a
manner where it is automatically executed. On such operating systems, an
attacker could execute arbitrary commands with the privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced by the
OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected
3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in
OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
3. packageName: zlib
severity: High
cvss: 7.5
riskFactors: Attack complexity: low,Attack vector: network,Has fix,High severity
CVE Link: [https://security-tracker.debian.org/tracker/CVE-2018-25032]
Description: zlib before 1.2.12 allows memory corruption when deflating (i.e.,
when compressing) if the input has many distant matches.
4. packageName: openldap
severity: Critical
cvss: 9.8
riskFactors: Attack complexity: low,Attack vector: network,Critical
severity,Has fix,Recent vulnerability
CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-29155]
Description: In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL
injection vulnerability exists in the experimental back-sql backend to slapd,
via a SQL statement within an LDAP query. This can occur during an LDAP search
operation when the search filter is processed, due to a lack of proper escaping.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
