
Issue with latest image for kafka security vulnerabilities #23538

Closed
ashish-sourcefuse opened this issue Feb 10, 2023 · 4 comments
Labels: kafka, solved, stale (15 days without activity), tech-issues (The user has a technical issue about an application), triage (Triage is needed)

Comments

@ashish-sourcefuse

Name and Version

bitnami/kafka:3.1.2-debian-11-r47

What steps will reproduce the bug?

Please check the vulnerabilities that we are facing in the latest kafka docker image with its latest version, i.e. bitnami/kafka:3.1.2

I request you guys to please solve all these Critical and High vulns as this is required for our app to pass security checks.

Thanks in advance and looking forward to hearing from you guys now.

PLEASE PLEASE PLEASE HELP OUT!

HERE is the vulnerability list that needs to be resolved:
Docker_d120d40_Security_Export.csv

What is the expected behavior?

All Vulns should be fixed with latest versions.

What do you see instead?

lots of critical and high vulns

Additional information

Docker_d120d40_Security_Export.csv

@ashish-sourcefuse ashish-sourcefuse added the tech-issues The user has a technical issue about an application label Feb 10, 2023
@ashish-sourcefuse ashish-sourcefuse changed the title from "Issue with latest image for CVV v3 security vulnerabilities #22173" to "Issue with latest image for kafka security vulnerabilities" Feb 10, 2023
@github-actions github-actions bot added the triage Triage is needed label Feb 10, 2023
@carrodher (Member)

Hi, unfortunately, those security vulnerabilities are not fixed by the OS or the application itself, so although we build the images on a regular basis to provide the latest version of system packages, this kind of CVE will be reported. At the same time, no new version patching the issue in the OS or the application exists. Here you can find more info about this topic.

The Bitnami Application Catalog (OpenSource) is based on Debian 11 but Bitnami, as part of VMware, provides a custom container and Helm Charts catalog based on the desired base image (generic distros such as Debian 10 & 11, CentOS 7, PhotonOS 3 & 4, Ubuntu 18.04, 20.04 & 22.04, RedHat UBI 8 & 9, or custom golden image) through the VMware Tanzu Application Catalog.

Please note it is important to use the latest revision in order to receive all the updates. Using the latest one of the 3.1 branch (which will be deprecated once Kafka 3.4 is released) and the --ignore-unfixed flag, only some gosu CVEs which are related to runc and are not affecting the software are reported (see upstream maintainers' discussion about CVEs):

$ trivy image bitnami/kafka:3.1 --ignore-unfixed
2023-02-12T21:46:43.618+0100	INFO	Vulnerability scanning is enabled
2023-02-12T21:46:43.618+0100	INFO	Secret scanning is enabled
2023-02-12T21:46:43.618+0100	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-12T21:46:43.618+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-02-12T21:46:45.711+0100	INFO	JAR files found
2023-02-12T21:46:54.849+0100	INFO	Detected OS: debian
2023-02-12T21:46:54.849+0100	INFO	Detecting Debian vulnerabilities...
2023-02-12T21:46:54.864+0100	INFO	Number of language-specific files: 3
2023-02-12T21:46:54.864+0100	INFO	Detecting gobinary vulnerabilities...

bitnami/kafka:3.1 (debian 11.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


opt/bitnami/common/bin/gosu (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2022-29162 │ HIGH     │ v1.1.0            │ v1.1.2        │ runc: incorrect handling of inheritable capabilities       │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29162                 │
│                                ├────────────────┼──────────┤                   │               ├────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-24769 │ MEDIUM   │                   │               │ moby: Default inheritable capabilities for linux container │
│                                │                │          │                   │               │ should be empty                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24769                 │
└────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
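
Added example, not part of this thread nor of Bitnami's or trivy's own code: a Python triage of trivy's JSON report (`trivy image -f json ...`) that applies the same rule as --ignore-unfixed and separates OS-package findings from those located inside the bundled gosu binary. The embedded report is constructed to mirror the two gosu findings above; its OS CVE id is a placeholder, and the list of helper binaries is an assumption.

```python
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")
# Statically linked helper binaries whose Go-module findings do not concern the OS or Kafka
# (assumption: gosu is the only such helper in this image).
BUNDLED_HELPERS = ("opt/bitnami/common/bin/gosu",)

# Constructed stand-in for `trivy image -f json bitnami/kafka:3.1`, following trivy's JSON
# schema: the two gosu findings quoted above plus a placeholder OS finding with no fix (fake id).
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "bitnami/kafka:3.1 (debian 11.6)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-XXXX-PLACEHOLDER", "PkgName": "example-os-pkg",
              "Severity": "CRITICAL", "InstalledVersion": "1.0-1", "FixedVersion": ""}]},
        {"Target": "opt/bitnami/common/bin/gosu", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-29162", "PkgName": "github.com/opencontainers/runc",
              "Severity": "HIGH", "InstalledVersion": "v1.1.0", "FixedVersion": "v1.1.2"},
             {"VulnerabilityID": "CVE-2022-24769", "PkgName": "github.com/opencontainers/runc",
              "Severity": "MEDIUM", "InstalledVersion": "v1.1.0", "FixedVersion": "v1.1.2"}]},
    ],
})

def triage(report_json, ignore_unfixed=True, helpers=BUNDLED_HELPERS):
    """Per scan target: {"type", "bundled_helper", "counts" (Counter by severity), "ids"}."""
    out = {}
    for result in json.loads(report_json).get("Results", []):
        counts, ids = Counter({s: 0 for s in SEVERITIES}), []
        for vuln in result.get("Vulnerabilities") or []:
            # --ignore-unfixed drops findings for which the vendor ships no FixedVersion
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            counts[vuln.get("Severity", "UNKNOWN")] += 1
            ids.append(vuln["VulnerabilityID"])
        out[result["Target"]] = {"type": result.get("Type"), "counts": counts, "ids": ids,
                                 "bundled_helper": result["Target"] in helpers}
    return out

def summary_line(counts):
    """Render trivy's per-target line, e.g. 'Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, ...)'."""
    total = sum(counts[s] for s in SEVERITIES)
    return f"Total: {total} (" + ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES) + ")"

if __name__ == "__main__":
    for target, info in triage(SAMPLE_REPORT).items():
        note = "  <- bundled helper binary, not the OS or Kafka" if info["bundled_helper"] else ""
        print(f"{target} ({info['type']}){note}\n  {summary_line(info['counts'])}")
```

Run against a real report with `trivy image -f json bitnami/kafka:3.1 > report.json` and pass the file contents to triage(); the per-target totals then match the text summary trivy prints above, while the bundled_helper flag marks findings that live in gosu rather than in Debian packages.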

@github-actions

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Feb 28, 2023
@github-actions

github-actions bot commented Mar 5, 2023

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

@github-actions github-actions bot added the solved label Mar 5, 2023
@bitnami-bot bitnami-bot closed this as not planned (Won't fix, can't repro, duplicate, stale) Mar 5, 2023
@carrodher
Member

Hi, we are glad to announce that we got rid of gosu in all Bitnami container images, so the false positives previously reported by some CVE scanners will not appear anymore:

$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r22

bitnami/postgresql:15.2.0-debian-11-r22 (debian 11.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

opt/bitnami/common/bin/gosu (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2022-29162 │ HIGH     │ v1.1.0            │ v1.1.2        │ runc: incorrect handling of inheritable capabilities       │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29162                 │
│                                ├────────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-27561 │          │                   │ v1.1.5        │ runc: volume mount race condition (regression of           │
│                                │                │          │                   │               │ CVE-2019-19921)                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-27561                 │
│                                ├────────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-24769 │ MEDIUM   │                   │ v1.1.2        │ moby: Default inheritable capabilities for linux container │
│                                │                │          │                   │               │ should be empty                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24769                 │
└────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

VS

$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r23

bitnami/postgresql:15.2.0-debian-11-r23 (debian 11.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

From now on, the gosu functionality is replaced by chroot. In this PR you can find an example of this implementation.
