CVE-2023-38545 and CVE-2023-38545 vulnerabilities #746
I got this:
The above CVE does not impact AWS Fluent Bit use cases, as it is not used as a web server. These are marked as important and low severity. We typically only do re-builds for high/critical severity.

@PettitWesley Is this solved with the 2.32.0 version?

As patching becomes more important every day, why not do re-builds when flaws are found? I don't want to speak too confidently because I don't know how much work rebuilding the image is, but these flaws will still show up on security scorecards, even if they can't be exploited.
Here's the info. Note the latest has zero vulns listed and stable has 81.

A fresh latest: (screenshot)
stable: (screenshot)

Hi, when are you planning to release a new version with these fixes?
It's worth mentioning that both
@jamespfluger-ava I'm working on trying to set up an automatic workflow to re-build and re-release the latest image for linux, as for example here: https://github.com/aws/aws-for-fluent-bit/releases/tag/v2.32.0.20240304
@PettitWesley I'd love an automatic workflow. For now I've switched to using Chainguard's image for aws-for-fluent-bit as that had zero CVEs at the time.

| Your points | My thoughts |
| --- | --- |
| 1 - Automating rebuilding the latest image is a good idea | Ideally, rebuild the image if there's a new vuln found and rebuild the image (and if that doesn't fix it auto-create a new GitHub issue) |

Remember this:
Sorry, this is not relevant to the reported CVE, but it's about rebuilding. aikido.dev reports CVE-2023-39323, CVE-2023-39325, CVE-2023-45285 and more because they use
@eigan unfortunately, we had to lock go to 1.20.7 last year because of this issue, which entirely stops Fluent Bit Go plugins from working:
I haven't checked on this for a little while though and I will see if a newer go version resolves the issue. If not, I'll open a tracking issue for this.
Also the trivy image scan in our pipeline is a good idea @jamespfluger-ava. Thanks. Maybe I should make the pipeline pull the latest re-build, scan it, and if there are findings, then build a new image and release it. Maybe also check if the number of findings on the new re-build is less than the older one.
@PettitWesley regarding the number of findings - that's a good idea, but I would go as far as to say to never release an image with critical or high findings. Of course low + mediums can always be strung together to perform an attack, but it's less likely than a high/critical. Appreciate y'all taking this seriously!
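One way to implement the release gate sketched in the two comments above (scan the rebuilt image, refuse to release while CRITICAL/HIGH findings remain, and check that the rebuild has fewer findings than the previously released image), written as an added example that is not part of this thread or of the aws-for-fluent-bit project. It consumes Trivy's JSON output as produced by `trivy image --format json --output report.json <image>`; the two embedded reports, the `CVE-0000-000N` ids, the package names and the image names are constructed placeholders, not real scan results.

```python
"""Release gate for a rebuilt container image, driven by Trivy JSON reports.

Assumed pipeline (example, not the project's own workflow):
  trivy image --format json --output new.json <rebuilt image>
  python release_gate.py new.json previous.json   # previous.json: report of the last release
Exit status 0 means the rebuild may be released.
"""
import json
import sys
from collections import Counter

# Severities that block a release outright; MEDIUM/LOW are tolerated but counted.
BLOCKING_SEVERITIES = ("CRITICAL", "HIGH")
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


def count_by_severity(report):
    """Count vulnerabilities per severity across every Trivy target.
    OS packages and language packages (e.g. a Go binary) are separate Results entries,
    and 'Vulnerabilities' is null rather than [] for a clean target."""
    counts = Counter({sev: 0 for sev in SEVERITY_ORDER})
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            counts[str(vuln.get("Severity", "UNKNOWN")).upper()] += 1
    return counts


def blocking_findings(report):
    """List (id, package, target, fixed version) for every CRITICAL/HIGH finding,
    so the failure message says what the next rebuild has to change."""
    found = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if str(vuln.get("Severity", "")).upper() in BLOCKING_SEVERITIES:
                found.append((vuln.get("VulnerabilityID"), vuln.get("PkgName"),
                              result.get("Target"), vuln.get("FixedVersion") or "no fix yet"))
    return found


def evaluate(new_report, previous_report=None):
    """Decide whether the rebuilt image may be released.
    'release' is False when blocking findings remain or when the rebuild has more
    findings than the previous release; 'improved' says whether the count went down."""
    blocking = blocking_findings(new_report)
    total = sum(count_by_severity(new_report).values())
    verdict = {"release": not blocking, "blocking": blocking, "total": total,
               "previous_total": None, "improved": None}
    if previous_report is not None:
        previous_total = sum(count_by_severity(previous_report).values())
        verdict["previous_total"] = previous_total
        verdict["improved"] = total < previous_total
        if total > previous_total:  # a rebuild that adds findings is a regression
            verdict["release"] = False
    return verdict


# Constructed sample reports in Trivy's JSON layout (placeholder ids and packages).
PREVIOUS_REPORT = {"Results": [
    {"Target": "example.invalid/fluent-bit:previous (os packages)", "Class": "os-pkgs",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample-curl",
          "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample-curl",
          "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "LOW"},
         {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample-ssl",
          "InstalledVersion": "3.0.0", "FixedVersion": "", "Severity": "MEDIUM"}]},
    {"Target": "usr/lib/example-plugin.so", "Class": "lang-pkgs", "Type": "gobinary",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0004", "PkgName": "stdlib",
          "InstalledVersion": "1.20.7", "FixedVersion": "1.21.3", "Severity": "MEDIUM"}]}]}

# After the rebuild the OS package fixes were picked up; the Go toolchain finding
# stays because the toolchain is pinned, and the unfixed MEDIUM has no patch yet.
REBUILT_REPORT = {"Results": [
    {"Target": "example.invalid/fluent-bit:rebuilt (os packages)", "Class": "os-pkgs",
     "Vulnerabilities": [PREVIOUS_REPORT["Results"][0]["Vulnerabilities"][2]]},
    {"Target": "usr/lib/example-plugin.so", "Class": "lang-pkgs", "Type": "gobinary",
     "Vulnerabilities": [PREVIOUS_REPORT["Results"][1]["Vulnerabilities"][0]]}]}


def main(argv):
    if len(argv) >= 2:
        with open(argv[1]) as fh:
            new = json.load(fh)
        previous = None
        if len(argv) >= 3:
            with open(argv[2]) as fh:
                previous = json.load(fh)
    else:  # no files given: run on the constructed samples
        new, previous = REBUILT_REPORT, PREVIOUS_REPORT
    verdict = evaluate(new, previous)
    for vuln_id, pkg, target, fix in verdict["blocking"]:
        print(f"BLOCKING {vuln_id} in {pkg} ({target}); fixed in: {fix}")
    print(f"findings: {verdict['total']} (previous: {verdict['previous_total']}), "
          f"release: {verdict['release']}")
    return 0 if verdict["release"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The comparison against the previous report is deliberately a separate signal from the severity gate: a rebuild can legitimately carry the same MEDIUM/LOW findings forward when no fixed package exists yet, but it should never carry forward a HIGH or CRITICAL, and a finding count that goes up is a regression worth failing on even when every new finding is low.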
@jamespfluger-ava @eigan I am not seeing any findings for our most recent rebuild from earlier this month:
Also it seems go1.22 works with Fluent Bit go plugins, so we will upgrade to that in our next re-build release. |
Issue has been resolved in this link OS version

fixed in #860
Multiple security scanning tools reported that the `aws-for-fluentbit` docker image might be vulnerable to the following vulnerability:

Is there a schedule for a new release with a patched base image?