Security vulnerabilities for default kafka/zookeeper images #253

Open
ColeDearmon-Moore-at opened this issue Jan 28, 2025 · 1 comment
@ColeDearmon-Moore-at

Hey folks,
I noticed that the default images for these dependencies (kafka 3.1.0, zookeeper 3.7.0) have several critical security vulnerabilities:

⇒  trivy image bitnami/kafka:3.1.0 --severity CRITICAL --ignore-unfixed
2025-01-27T16:53:34-08:00        INFO     [vuln] Vulnerability scanning is enabled
2025-01-27T16:53:34-08:00       INFO     [secret] Secret scanning is enabled
2025-01-27T16:53:34-08:00       INFO     [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-27T16:53:34-08:00       INFO     [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2025-01-27T16:53:35-08:00       INFO     Detected OS     family="debian" version="10.12"
2025-01-27T16:53:35-08:00       INFO     [debian] Detecting vulnerabilities...   os_version="10" pkg_num=106
2025-01-27T16:53:35-08:00       INFO     Number of language-specific files       num=4
2025-01-27T16:53:35-08:00       INFO     [gobinary] Detecting vulnerabilities...
2025-01-27T16:53:35-08:00       INFO     [jar] Detecting vulnerabilities...
2025-01-27T16:53:35-08:00       WARN     Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.
2025-01-27T16:53:35-08:00       WARN     This OS version is no longer supported by the distribution      family="debian" version="10.12"
2025-01-27T16:53:35-08:00       WARN     The vulnerability detection may be insufficient because security updates are not provided

bitnami/kafka:3.1.0 (debian 10.12)

Total: 19 (CRITICAL: 19)

┌────────────────┬────────────────┬──────────┬────────┬─────────────────────────┬─────────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │    Installed Version    │      Fixed Version      │                            Title                             │
├────────────────┼────────────────┼──────────┼────────┼─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ curl           │ CVE-2022-32221 │ CRITICAL │ fixed  │ 7.64.0-4+deb10u2        │ 7.64.0-4+deb10u4        │ curl: POST following PUT confusion                           │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-32221                   │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ dpkg           │ CVE-2022-1664  │          │        │ 1.19.7                  │ 1.19.8                  │ Dpkg::Source::Archive in dpkg, the Debian package management │
│                │                │          │        │                         │                         │ system, b ...                                                │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-1664                    │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin       │ CVE-2021-33574 │          │        │ 2.28-10+deb10u1         │ 2.28-10+deb10u2         │ glibc: mq_notify does not handle separately allocated thread │
│                │                │          │        │                         │                         │ attributes                                                   │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2021-33574                   │
│                ├────────────────┤          │        │                         │                         ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2021-35942 │          │        │                         │                         │ glibc: Arbitrary read in wordexp()                           │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2021-35942                   │
│                ├────────────────┤          │        │                         │                         ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-23218 │          │        │                         │                         │ glibc: Stack-based buffer overflow in svcunix_create via     │
│                │                │          │        │                         │                         │ long pathnames                                               │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-23218                   │
│                ├────────────────┤          │        │                         │                         ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-23219 │          │        │                         │                         │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│                │                │          │        │                         │                         │ a long pathname                                              │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-23219                   │
├────────────────┼────────────────┤          │        │                         │                         ├──────────────────────────────────────────────────────────────┤
│ libc6          │ CVE-2021-33574 │          │        │                         │                         │ glibc: mq_notify does not handle separately allocated thread │
│                │                │          │        │                         │                         │ attributes                                                   │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2021-33574                   │
│                ├────────────────┤          │        │                         │                         ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2021-35942 │          │        │                         │                         │ glibc: Arbitrary read in wordexp()                           │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2021-35942                   │
│                ├────────────────┤          │        │                         │                         ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-23218 │          │        │                         │                         │ glibc: Stack-based buffer overflow in svcunix_create via     │
│                │                │          │        │                         │                         │ long pathnames                                               │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-23218                   │
│                ├────────────────┤          │        │                         │                         ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-23219 │          │        │                         │                         │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│                │                │          │        │                         │                         │ a long pathname                                              │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-23219                   │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl4       │ CVE-2022-32221 │          │        │ 7.64.0-4+deb10u2        │ 7.64.0-4+deb10u4        │ curl: POST following PUT confusion                           │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-32221                   │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libldap-2.4-2  │ CVE-2022-29155 │          │        │ 2.4.47+dfsg-3+deb10u6   │ 2.4.47+dfsg-3+deb10u7   │ openldap: OpenLDAP SQL injection                             │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-29155                   │
├────────────────┤                │          │        │                         │                         │                                                              │
│ libldap-common │                │          │        │                         │                         │                                                              │
│                │                │          │        │                         │                         │                                                              │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl1.1      │ CVE-2022-1292  │          │        │ 1.1.1n-0+deb10u1        │ 1.1.1n-0+deb10u2        │ openssl: c_rehash script allows command injection            │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-1292                    │
│                ├────────────────┤          │        │                         ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-2068  │          │        │                         │ 1.1.1n-0+deb10u3        │ openssl: the c_rehash script allows command injection        │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-2068                    │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libtasn1-6     │ CVE-2021-46848 │          │        │ 4.13-3                  │ 4.13-3+deb10u1          │ libtasn1: Out-of-bound access in ETYPE_OK                    │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2021-46848                   │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ openssl        │ CVE-2022-1292  │          │        │ 1.1.1n-0+deb10u1        │ 1.1.1n-0+deb10u2        │ openssl: c_rehash script allows command injection            │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-1292                    │
│                ├────────────────┤          │        │                         ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-2068  │          │        │                         │ 1.1.1n-0+deb10u3        │ openssl: the c_rehash script allows command injection        │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-2068                    │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ zlib1g         │ CVE-2022-37434 │          │        │ 1:1.2.11.dfsg-1+deb10u1 │ 1:1.2.11.dfsg-1+deb10u2 │ zlib: heap-based buffer over-read and overflow in inflate()  │
│                │                │          │        │                         │                         │ in inflate.c via a...                                        │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-37434                   │
└────────────────┴────────────────┴──────────┴────────┴─────────────────────────┴─────────────────────────┴──────────────────────────────────────────────────────────────┘
⇒  trivy image bitnami/zookeeper:3.7.0 --ignore-unfixed --severity CRITICAL
2025-01-27T18:50:32-08:00    INFO     [vuln] Vulnerability scanning is enabled
2025-01-27T18:50:32-08:00       INFO     [secret] Secret scanning is enabled
2025-01-27T18:50:32-08:00       INFO     [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-27T18:50:32-08:00       INFO     [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2025-01-27T18:50:45-08:00       INFO     Detected OS     family="debian" version="10.12"
2025-01-27T18:50:45-08:00       INFO     [debian] Detecting vulnerabilities...   os_version="10" pkg_num=108
2025-01-27T18:50:45-08:00       INFO     Number of language-specific files       num=3
2025-01-27T18:50:45-08:00       INFO     [gobinary] Detecting vulnerabilities...
2025-01-27T18:50:45-08:00       INFO     [jar] Detecting vulnerabilities...
2025-01-27T18:50:45-08:00       WARN     Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.
2025-01-27T18:50:45-08:00       WARN     This OS version is no longer supported by the distribution      family="debian" version="10.12"
2025-01-27T18:50:45-08:00       WARN     The vulnerability detection may be insufficient because security updates are not provided

bitnami/zookeeper:3.7.0 (debian 10.12)

Total: 19 (CRITICAL: 19)

┌────────────────┬────────────────┬──────────┬────────┬─────────────────────────┬─────────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │    Installed Version    │      Fixed Version      │                            Title                             │
├────────────────┼────────────────┼──────────┼────────┼─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ curl           │ CVE-2022-32221 │ CRITICAL │ fixed  │ 7.64.0-4+deb10u2        │ 7.64.0-4+deb10u4        │ curl: POST following PUT confusion                           │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-32221                   │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ dpkg           │ CVE-2022-1664  │          │        │ 1.19.7                  │ 1.19.8                  │ Dpkg::Source::Archive in dpkg, the Debian package management │
│                │                │          │        │                         │                         │ system, b ...                                                │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-1664                    │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin       │ CVE-2021-33574 │          │        │ 2.28-10+deb10u1         │ 2.28-10+deb10u2         │ glibc: mq_notify does not handle separately allocated thread │
│                │                │          │        │                         │                         │ attributes                                                   │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2021-33574                   │
│                ├────────────────┤          │        │                         │                         ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2021-35942 │          │        │                         │                         │ glibc: Arbitrary read in wordexp()                           │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2021-35942                   │
│                ├────────────────┤          │        │                         │                         ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-23218 │          │        │                         │                         │ glibc: Stack-based buffer overflow in svcunix_create via     │
│                │                │          │        │                         │                         │ long pathnames                                               │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-23218                   │
│                ├────────────────┤          │        │                         │                         ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-23219 │          │        │                         │                         │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│                │                │          │        │                         │                         │ a long pathname                                              │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-23219                   │
├────────────────┼────────────────┤          │        │                         │                         ├──────────────────────────────────────────────────────────────┤
│ libc6          │ CVE-2021-33574 │          │        │                         │                         │ glibc: mq_notify does not handle separately allocated thread │
│                │                │          │        │                         │                         │ attributes                                                   │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2021-33574                   │
│                ├────────────────┤          │        │                         │                         ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2021-35942 │          │        │                         │                         │ glibc: Arbitrary read in wordexp()                           │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2021-35942                   │
│                ├────────────────┤          │        │                         │                         ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-23218 │          │        │                         │                         │ glibc: Stack-based buffer overflow in svcunix_create via     │
│                │                │          │        │                         │                         │ long pathnames                                               │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-23218                   │
│                ├────────────────┤          │        │                         │                         ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-23219 │          │        │                         │                         │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│                │                │          │        │                         │                         │ a long pathname                                              │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-23219                   │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl4       │ CVE-2022-32221 │          │        │ 7.64.0-4+deb10u2        │ 7.64.0-4+deb10u4        │ curl: POST following PUT confusion                           │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-32221                   │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libldap-2.4-2  │ CVE-2022-29155 │          │        │ 2.4.47+dfsg-3+deb10u6   │ 2.4.47+dfsg-3+deb10u7   │ openldap: OpenLDAP SQL injection                             │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-29155                   │
├────────────────┤                │          │        │                         │                         │                                                              │
│ libldap-common │                │          │        │                         │                         │                                                              │
│                │                │          │        │                         │                         │                                                              │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl1.1      │ CVE-2022-1292  │          │        │ 1.1.1n-0+deb10u1        │ 1.1.1n-0+deb10u2        │ openssl: c_rehash script allows command injection            │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-1292                    │
│                ├────────────────┤          │        │                         ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-2068  │          │        │                         │ 1.1.1n-0+deb10u3        │ openssl: the c_rehash script allows command injection        │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-2068                    │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libtasn1-6     │ CVE-2021-46848 │          │        │ 4.13-3                  │ 4.13-3+deb10u1          │ libtasn1: Out-of-bound access in ETYPE_OK                    │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2021-46848                   │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ openssl        │ CVE-2022-1292  │          │        │ 1.1.1n-0+deb10u1        │ 1.1.1n-0+deb10u2        │ openssl: c_rehash script allows command injection            │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-1292                    │
│                ├────────────────┤          │        │                         ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-2068  │          │        │                         │ 1.1.1n-0+deb10u3        │ openssl: the c_rehash script allows command injection        │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-2068                    │
├────────────────┼────────────────┤          │        ├─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ zlib1g         │ CVE-2022-37434 │          │        │ 1:1.2.11.dfsg-1+deb10u1 │ 1:1.2.11.dfsg-1+deb10u2 │ zlib: heap-based buffer over-read and overflow in inflate()  │
│                │                │          │        │                         │                         │ in inflate.c via a...                                        │
│                │                │          │        │                         │                         │ https://avd.aquasec.com/nvd/cve-2022-37434                   │
└────────────────┴────────────────┴──────────┴────────┴─────────────────────────┴─────────────────────────┴──────────────────────────────────────────────────────────────┘

Are there newer versions of these packages that will work or are there known version compatibility issues?
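As an added example (not code from the issue or the project), the following Python turns a pasted trivy table like the ones above into a per-package upgrade plan: it collapses trivy's merged cells (the blank library, CVE or version fields that inherit from the row above) and picks the highest fixed version per package using dpkg's version-ordering rules, so two advisories against one package, like the two openssl ones, resolve to a single target build. The embedded SAMPLE is a constructed, narrowed excerpt with the same structure as the scan output in the issue.

```python
# Added example, not from the issue or the project: parse the box-drawing table
# trivy prints, collapse its merged cells, and compute the smallest Debian
# package version that closes every listed CVE, using dpkg's ordering rules.
import re
from itertools import zip_longest
# Constructed, narrowed excerpt with the same structure as the scan in the issue.
SAMPLE = """\
┌───────────────┬────────────────┬──────────┬────────┬───────────────────────┬───────────────────────┬──────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │   Installed Version   │     Fixed Version     │          Title           │
├───────────────┼────────────────┼──────────┼────────┼───────────────────────┼───────────────────────┼──────────────────────────┤
│ curl          │ CVE-2022-32221 │ CRITICAL │ fixed  │ 7.64.0-4+deb10u2      │ 7.64.0-4+deb10u4      │ curl: POST following PUT │
│               │                │          │        │                       │                       │ confusion                │
├───────────────┼────────────────┤          │        ├───────────────────────┼───────────────────────┼──────────────────────────┤
│ libldap-2.4-2 │ CVE-2022-29155 │          │        │ 2.4.47+dfsg-3+deb10u6 │ 2.4.47+dfsg-3+deb10u7 │ openldap: SQL injection  │
├───────────────┤                │          │        │                       │                       │                          │
│ libldap-common│                │          │        │                       │                       │                          │
├───────────────┼────────────────┤          │        ├───────────────────────┼───────────────────────┼──────────────────────────┤
│ libssl1.1     │ CVE-2022-1292  │          │        │ 1.1.1n-0+deb10u1      │ 1.1.1n-0+deb10u2      │ openssl: c_rehash        │
│               ├────────────────┤          │        │                       ├───────────────────────┼──────────────────────────┤
│               │ CVE-2022-2068  │          │        │                       │ 1.1.1n-0+deb10u3      │ openssl: c_rehash        │
└───────────────┴────────────────┴──────────┴────────┴───────────────────────┴───────────────────────┴──────────────────────────┘
"""

def _order(c):
    # dpkg weight of a non-digit char: end of string 0, '~' before everything, letters before symbols
    return 0 if not c else -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # dpkg's verrevcmp: alternate lexical (non-digit) and numeric (digit) runs; C-style result sign
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(na, nb, fillvalue=""):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split_version(v):
    # [epoch:]upstream[-debian_revision]; the revision follows the LAST '-'
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else revision), (revision if sep else "")

def compare_versions(a, b):
    """Negative, zero or positive, ordering a and b as dpkg --compare-versions does."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def parse_trivy_table(text):
    """One finding per table row; blank cells inherit from the row above (trivy merges them)."""
    findings, prev = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("│") or "─" in line:
            continue  # log lines, headings and box borders
        cells = [c.strip() for c in line.strip("│").split("│")]
        if len(cells) != 7 or cells[0] == "Library":
            continue
        lib, cve, _sev, _status, installed, fixed, title = cells
        if not lib and not cve:
            continue  # wrapped title / advisory URL continuation line
        prev = {"library": lib or prev["library"], "cve": cve or prev["cve"],
                "installed": installed or prev["installed"],
                "fixed": fixed or prev["fixed"], "title": title}
        findings.append(prev)
    return findings

def upgrade_plan(findings):
    """Per package: installed version, its CVEs, and the highest fixed version needed."""
    plan = {}
    for f in findings:
        e = plan.setdefault(f["library"], {"installed": f["installed"], "fixed": f["fixed"], "cves": set()})
        e["cves"].add(f["cve"])
        if compare_versions(f["fixed"], e["fixed"]) > 0:
            e["fixed"] = f["fixed"]  # a later advisory needs a newer build
    return plan

if __name__ == "__main__":
    for pkg, e in sorted(upgrade_plan(parse_trivy_table(SAMPLE)).items()):
        print(f"{pkg}: {e['installed']} -> {e['fixed']}  {sorted(e['cves'])}")
```

Pipe the real scan (`trivy image ... | python3 plan.py`) or use `trivy --format json` for anything beyond a pasted table; the version comparison is the part worth keeping either way.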

@haorenfsa
Collaborator

You could try changing the images to bitnami/kafka:3.8.1 & bitnami/zookeeper:3.8.4

@haorenfsa haorenfsa self-assigned this Feb 5, 2025
@haorenfsa haorenfsa added the enhancement New feature or request label Feb 5, 2025