Security Vulnerabilities with Flink OpenJDK Docker Image

Daniel Moore
Hello All,

We have been implementing a solution using the Flink image from https://github.com/apache/flink-docker/blob/master/1.13/scala_2.12-java11-debian/Dockerfile and it got flagged by our image repository for 3 major security vulnerabilities:

CVE-2017-8804
CVE-2019-25013
CVE-2021-33574

All of these stem from the `glibc` packages in the `openjdk:11-jre` image.

We have a working image based on building Flink using the Amazon Corretto image - https://github.com/corretto/corretto-docker/blob/88df29474df6fc3f3f19daa8c5515d934f706cd0/11/jdk/al2/Dockerfile. This works although there are some issues related to linking `libjemalloc`. Before we fully test this new image we wanted to reach out to the community for insight on the following questions:

1. Are these vulnerabilities captured in an issue yet?
2. If so, when could we expect a new official image that contains the Debian fixes for these issues?
3. If not, how can we help contribute to a solution?
4. Are there officially supported non-Debian based Flink images?

We appreciate the insights and look forward to working with the community on a solution.
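One way to verify, from inside a Debian-based image, whether the libc6 package actually carries the fixes for the three CVEs named above is to look for the CVE ids in the package's Debian changelog, since Debian security uploads reference the CVEs they address. The script below is an added example, not code from the thread or from the Flink project; the changelog text it scans is a constructed stand-in for `/usr/share/doc/libc6/changelog.Debian.gz`, and the version string in it is a placeholder.

```shell
#!/bin/sh
# Added example: check a Debian libc6 changelog for the CVE ids from the post.
# In a real container, replace SAMPLE_CHANGELOG with the output of
#   zcat /usr/share/doc/libc6/changelog.Debian.gz

CVES="CVE-2017-8804 CVE-2019-25013 CVE-2021-33574"

# Constructed sample changelog (placeholder version, fictitious maintainer).
# It mentions two of the three CVEs, so CVE-2017-8804 should be reported missing.
SAMPLE_CHANGELOG='glibc (0.0-0+placeholder) bullseye-security; urgency=medium

  * Fix CVE-2019-25013
  * Fix CVE-2021-33574

 -- Placeholder Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000
'

# cve_mentioned CHANGELOG CVE-ID
# Exit 0 if the CVE id occurs in the changelog as a whole token
# (so CVE-2019-25013 does not match a hypothetical CVE-2019-250131).
cve_mentioned() {
  printf '%s\n' "$1" | grep -Eq "(^|[^0-9])$2([^0-9]|$)"
}

# cves_missing CHANGELOG CVE-ID...
# Print, one per line, every requested CVE id that the changelog does not mention.
cves_missing() {
  changelog=$1
  shift
  for cve in "$@"; do
    cve_mentioned "$changelog" "$cve" || printf '%s\n' "$cve"
  done
}

# Stand-alone run: report which of the listed CVEs are still unaddressed.
missing=$(cves_missing "$SAMPLE_CHANGELOG" $CVES)
if [ -z "$missing" ]; then
  echo "libc6 changelog references all listed CVEs"
else
  echo "libc6 changelog does not mention:"
  printf '  %s\n' $missing
fi
```

If the image was built with documentation stripped (the changelog file absent), fall back to `dpkg-query -W -f='${Version}' libc6` and compare that version with the fixed version listed in the Debian security tracker for each CVE.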