[
https://issues.apache.org/jira/browse/FLINK-23221?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Chesnay Schepler reassigned FLINK-23221:
----------------------------------------
Assignee: Chesnay Schepler
> Docker image vulnerability
> --------------------------
>
> Key: FLINK-23221
> URL: https://issues.apache.org/jira/browse/FLINK-23221
> Project: Flink
> Issue Type: Improvement
> Components: flink-docker
> Affects Versions: 1.13.1
> Environment: Issue was discovered by AWS ECR image scanning on
> apache/flink:1.13.1-scala_2.12
> Reporter: Razvan AGAPE
> Assignee: Chesnay Schepler
> Priority: Critical
> Labels: docker, flink, glibc
> Fix For: 1.14.0, 1.13.3
>
>
> The AWS ECR image scanning reports some HIGH vulnerabilities on
> apache/flink:1.13.1-scala_2.12 docker image. In addition, all versions prior
> to this one have these issues.
> The vulnerabilities are the following:
> # [CVE-2021-33574|https://security-tracker.debian.org/tracker/CVE-2021-33574]
> # [CVE-2019-25013 - for this one a patch was been released in glibc versionĀ
> 2.31-9|https://security-tracker.debian.org/tracker/CVE-2019-25013]
> Our security policy do not allow us to deploy images having security
> vulnerabilities. Searching through the Internet I found that for the first
> problem, a patch containing the solution will be release this year.
> Do you plan to release a new image containing the newer glibc version in
> order to solve those issues?
> Also, I checked and the alpine based flink images do not have these
> vulnerabilities. Do you plan to release newer versions of flink based on
> alpine (latest one is flink:1.8.x)?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
