[jira] [Commented] (FLINK-23221) Docker image vulnerability

Mon, 02 Aug 2021 20:52:09 -0700 


    [ 
https://issues.apache.org/jira/browse/FLINK-23221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17391940#comment-17391940
 ] 

Yun Tang commented on FLINK-23221:
----------------------------------

[~Raszan] I also wonder could this problem be fixed with a newer version of 
base jdk image? 

Since Flink-1.13.2 jar artifacts have been pushed to apache dist, can we 
resolve this in flink-docker repo? [~trohrmann]

For the dependencies problem, RocksDB [starts to support musl-library from 
6.6|https://github.com/facebook/rocksdb/commit/8ae149eba1a3c6ce1314375c5020f5d80273e730]
 and cannot work well on Alpine based image before that version.

> Docker image vulnerability
> --------------------------
>
>                 Key: FLINK-23221
>                 URL: https://issues.apache.org/jira/browse/FLINK-23221
>             Project: Flink
>          Issue Type: Improvement
>          Components: flink-docker
>    Affects Versions: 1.13.1
>         Environment: Issue was discovered by AWS ECR image scanning on 
> apache/flink:1.13.1-scala_2.12
>            Reporter: Razvan AGAPE
>            Priority: Blocker
>              Labels: docker, flink, glibc
>             Fix For: 1.14.0, 1.13.3
>
>
> The AWS ECR image scanning reports some HIGH vulnerabilities on 
> apache/flink:1.13.1-scala_2.12 docker image. In addition, all versions prior 
> to this one have these issues.
> The vulnerabilities are the following:
>  # [CVE-2021-33574|https://security-tracker.debian.org/tracker/CVE-2021-33574]
>  # [CVE-2019-25013 - for this one a patch was been released in glibc versionĀ 
> 2.31-9|https://security-tracker.debian.org/tracker/CVE-2019-25013]
> Our security policy do not allow us to deploy images having security 
> vulnerabilities. Searching through the Internet I found that for the first 
> problem, a patch containing the solution will be release this year.
> Do you plan to release a new image containing the newer glibc version in 
> order to solve those issues?
> Also, I checked and the alpine based flink images do not have these 
> vulnerabilities. Do you plan to release newer versions of flink based on 
> alpine (latest one is flink:1.8.x)?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to