Security vulnerabilities in fluent-bit 2.0.9

[lrsy]

Hi,

There are multiple security vulnerabilities in fluent-bit 2.0.9. Trivy shows 7 critical and 190 high ones. Some of them refer to the same CVE, in multiple modules.

The critical ones are the following:
VulnerabilityID | PkgID | PkgName | InstalledVersion
CVE-2021-4048 | [email protected] | libblas3 | 3.9.0-3
CVE-2019-8457 | [email protected]+dfsg1-0.8 | libdb5.3 | 5.3.28+dfsg1-0.8
CVE-2021-29921 | [email protected] | libpython3.9 | 3.9.2-1
CVE-2021-29921 | [email protected] | libpython3.9-minimal | 3.9.2-1
CVE-2021-29921 | [email protected] | libpython3.9-stdlib | 3.9.2-1
CVE-2021-29921 | [email protected] | python3.9 | 3.9.2-1
CVE-2021-29921 | [email protected] | python3.9-minimal | 3.9.2-1

Can you please let me know if there is any plan in addressing these?

Thank you

[leonardo-albertovich]

None of those vulnerabilities affect fluent-bit per se, the container image for fluent-bit 2.0.9 might include those libraries but the system itself is not exposed at all to them.

One thing I would ask for the future is to validate these types of results so we can have a constructive conversation about them if applicable.

[lrsy]

Hi,
Thank you for your reply. They might not impact fluent-bit itself, but they are flagged by a security scanner, like Trivy. To me this would mean they're introduced to a product using fluent-bit, and exposing the product to vulnerabilities, even though fluent-bit itself might not be impacted.
I'm open to suggestions, if you have some, how to avoid having them identified by Trivy...
Thank you

[leonardo-albertovich]

I think when the next version is released the container image will be updated and that one will not trip the scanner.
However, just to be clear, considering that the only exposed ports in that instance are the ones fluent-bit manages and that there should be no other ways of reaching the operating system or services I don't consider that this would effectively increase the attack surface at all.

I understand the importance of having the scanner green light the image but I want that point to be clear, if you are aware of a way to reach anything that could be vulnerable then please report that, I would be more than happy to help.

[lrsy]

Hi,

Thanks, looking forward to the next container image. And no, I'm not aware of any way to exploit the vulnerabilities, otherwise I would have had reported them through a different channel.

[emadmohammedelbieh]

Hello,

I work for IBM in the Open Source Support department, we work as partner for FluentBit for our clients and we do provide technical support and advises.

There is a client asks us this question:
The selective control on certain metric types features for both Linux and Windows were developed by the community and will be ready in Fluent Bit v2.1.x.
#6737
#6766
As far as we can tell there is no release date yet for the enclosed , we need to apply this to thousands of SAN connected servers and the scheduling cannot be implemented without a release date

IBM Case ID:
TS012435500

So may I know what is roughly the release date for Fluent Bit v2.1 ? and what new features it will have?