[
https://issues.apache.org/jira/browse/FLINK-27728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Márton Balassi closed FLINK-27728.
----------------------------------
Resolution: Fixed
Fixed via 65ea03c744347448f2592877cc98d85c6ea36ef4 in release-1.0 and
503673259213fdf78279bccec6c3d1edddabec0e in main.
> dockerFile build results in five vulnerabilities
> ------------------------------------------------
>
> Key: FLINK-27728
> URL: https://issues.apache.org/jira/browse/FLINK-27728
> Project: Flink
> Issue Type: Bug
> Components: Kubernetes Operator
> Affects Versions: kubernetes-operator-0.1.0
> Reporter: James Busche
> Assignee: James Busche
> Priority: Blocker
> Labels: pull-request-available
> Fix For: kubernetes-operator-1.0.0
>
>
> A Twistlock security scan of the default flink-kubernetes-operator currently
> shows five fixable vulnerabilities. One, [~wangyang0918] and I are trying to
> fix in [FLINK-27654|https://issues.apache.org/jira/browse/FLINK-27654].
> The other four are easily addressable if we update the underlying OS. I'll
> propose a PR for this later this evening.
> The four vulnerabilities are:
> 1. packageName: gzip
> severity: Low
> cvss: 0
> riskFactors: Has fix,Recent vulnerability
> CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-1271]
> Description: DOCUMENTATION: No description is available for this CVE.
> STATEMENT: This bug was introduced in gzip-1.3.10 and is relatively hard
> to exploit. Red Hat Enterprise Linux 6 was affected but Out of Support Cycle
> because gzip was not listed in Red Hat Enterprise Linux 6 ELS Inclusion List.
> [https://access.redhat.com/articles/4997301] MITIGATION: Red Hat
> has investigated whether possible mitigation exists for this issue, and has
> not been able to identify a practical example. Please update the affected
> package as soon as possible.
> 2. packageName: openssl
> severity: Critical
> cvss: 9.8
> riskFactors: Attack complexity: low,Attack vector: network,Critical
> severity,Has fix,Recent vulnerability
> CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-1292]
> Description:
> The c_rehash script does not properly sanitise shell metacharacters to
> prevent command injection. This script is distributed by some operating
> systems in a manner where it is automatically executed. On such operating
> systems, an attacker could execute arbitrary commands with the privileges of
> the script. Use of the c_rehash script is considered obsolete and should be
> replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3
> (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected
> 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
> 3. packageName: zlib
> severity: High
> cvss: 7.5
> riskFactors: Attack complexity: low,Attack vector: network,Has fix,High
> severity
> CVE Link: [https://security-tracker.debian.org/tracker/CVE-2018-25032]
> Description: zlib before 1.2.12 allows memory corruption when deflating
> (i.e., when compressing) if the input has many distant matches.
> 4. packageName: openldap
> severity: Critical
> cvss: 9.8
> riskFactors: Attack complexity: low,Attack vector: network,Critical
> severity,Has fix,Recent vulnerability
> CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-29155]
> Description: In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL
> injection vulnerability exists in the experimental back-sql backend to slapd,
> via a SQL statement within an LDAP query. This can occur during an LDAP
> search operation when the search filter is processed, due to a lack of proper
> escaping.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
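A check a reviewer of this fix would want, added here as an example and not code from the issue or the flink-kubernetes-operator repository: run `dpkg-query` inside the rebuilt image and compare each package the scanner named against a minimum fixed version, using dpkg's own version ordering rather than a plain string comparison. The thresholds are the upstream fixed versions quoted in the report; the gzip threshold, the `dpkg-query` invocation and the sample package list are assumptions.

```python
"""Flag OS packages in a container image that are below a fixed version.

Added example, not part of the Flink issue or the kubernetes-operator
repository.  Intended input is the output of
    docker run --rm <image> dpkg-query -W -f '${source:Package} ${Version}\n'
(assumed invocation; the scanner in the report names source packages, which
is why the source package name is used rather than the binary one).  The
comparison re-implements dpkg's version ordering so Debian-style strings
such as "1.1.1n-0+deb11u3" or "1:1.2.11.dfsg-2" are ordered correctly.
"""


def _order(c: str) -> int:
    """dpkg character weight: '~' < end of string < letters < other non-digits."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs compare character by character using _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs compare numerically: leading zeros dropped, longer run wins.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str) -> tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into its parts (epoch defaults to 0)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is lower than, equal to or higher than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_dpkg_query(text: str) -> dict[str, str]:
    """Parse '<package> <version>' lines into a mapping."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def find_unfixed(installed: dict[str, str], minimums: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (package, installed, minimum) for every package below its threshold."""
    return [
        (pkg, ver, minimums[pkg])
        for pkg, ver in installed.items()
        if pkg in minimums and compare_versions(ver, minimums[pkg]) < 0
    ]


# Upstream fixed versions quoted in the report (OpenSSL 1.1.1 branch, zlib,
# OpenLDAP 2.5 branch).  gzip's fix version is not stated in the report;
# 1.12 is an assumption to be checked against the linked Debian tracker.
# Debian's zlib carries epoch 1, so the threshold must carry it too or the
# installed "1:1.2.11..." would compare as already newer than "1.2.12".
UPSTREAM_FIXED = {
    "gzip": "1.12",
    "openssl": "1.1.1o",
    "zlib": "1:1.2.12",
    "openldap": "2.5.12",
}

# Constructed dpkg-query output resembling a Debian 11 image before the
# base-image update; not taken from the operator image.
SAMPLE_BEFORE = """\
bash 5.1-2+b3
gzip 1.10-4
openssl 1.1.1n-0+deb11u1
zlib 1:1.2.11.dfsg-2
openldap 2.4.57+dfsg-3
"""

if __name__ == "__main__":
    for pkg, have, want in find_unfixed(parse_dpkg_query(SAMPLE_BEFORE), UPSTREAM_FIXED):
        print(f"{pkg}: installed {have} < fixed {want}")
    # Debian backports fixes without bumping the upstream version, so a
    # patched "1.1.1n-0+deb11u3" still sorts below upstream "1.1.1o".
    print(compare_versions("1.1.1n-0+deb11u3", "1.1.1o"))  # -1: flagged
```

Two caveats the comparison makes visible: a Debian package version can carry an epoch (the `1:` on zlib) that outranks everything after it, so thresholds must carry the same epoch; and Debian fixes CVEs by patching the existing upstream version (`1.1.1n-0+deb11u3` sorts below `1.1.1o` even when it contains the fix), so for a Debian base image the thresholds should be the fixed versions the linked security tracker lists for that suite, not the upstream release numbers.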