Multiple Critical Vulnerabilities in dremio-oss:23.1.0

Grype output… having to trim the output because it is way over the character limit, but you get the point.

grype docker.io/dremio/dremio-oss:23.1.0
 ✔ Vulnerability DB        [no update available]
New version of grype is available: 0.55.0 (currently running: 0.48.0)
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [1348 packages]
 ✔ Scanned image           [889 vulnerabilities]
NAME                               INSTALLED                                   FIXED-IN                 TYPE          VULNERABILITY        SEVERITY   
avatica-core                       1.18.0                                      1.22.0                   java-archive  GHSA-w7f5-jrpr-5c2m  High        
avatica-core                       1.18.0                                                               java-archive  CVE-2020-13955       Medium      
avatica-core                       1.18.0                                                               java-archive  CVE-2022-39135       Critical    
avatica-metrics                    1.18.0                                                               java-archive  CVE-2020-13955       Medium      
avatica-metrics                    1.18.0                                                               java-archive  CVE-2022-39135       Critical    
avro                               1.8.2                                                                java-archive  CVE-2021-43045       High        
avro                               1.7.7                                                                java-archive  CVE-2021-43045       High        
avro                               1.10.1                                                               java-archive  CVE-2021-43045       High        
avro-guava-dependencies            1.8.2                                                                java-archive  CVE-2021-43045       High        
avro-mapred                        1.8.2                                                                java-archive  CVE-2021-43045       High        
avro-mapred                        1.7.7                                                                java-archive  CVE-2021-43045       High        
aws-java-sdk-s3                    1.12.75                                     1.12.261                 java-archive  GHSA-c28r-hw5m-5gv3  High        
aws-java-sdk-s3                    1.11.761                                    1.12.261                 java-archive  GHSA-c28r-hw5m-5gv3  High        
flatbuffers-java                   1.12.0                                                               java-archive  CVE-2020-35864       High        
gpgv                               2.2.27-3ubuntu2.1                                                    deb           CVE-2022-3219        Low         
guava                              11.0.2                                                               java-archive  CVE-2020-8908        Low         
guava                              11.0.2                                                               java-archive  GHSA-5mg8-w23w-74h3  Low         
guava                              13.0.1                                                               java-archive  CVE-2020-8908        Low         
guava                              13.0.1                                                               java-archive  CVE-2018-10237       Medium      
guava                              13.0.1                                      24.1.1                   java-archive  GHSA-mvr2-9pj6-7w5j  Medium      
guava                              11.0.2                                      24.1.1                   java-archive  GHSA-mvr2-9pj6-7w5j  Medium      
guava                              11.0.2                                                               java-archive  CVE-2018-10237       Medium      
guava                              13.0.1                                                               java-archive  GHSA-5mg8-w23w-74h3  Low         
hadoop-annotations                 3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-25642       High        
hadoop-annotations                 3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-37404       Critical    
hadoop-annotations                 2.8.5                                                                java-archive  CVE-2021-33036       High        
hadoop-annotations                 2.8.5                                                                java-archive  CVE-2018-11765       High        
hadoop-annotations                 3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-33036       High        
hadoop-annotations                 2.8.5                                                                java-archive  CVE-2022-25168       Critical    
hadoop-annotations                 2.8.5                                                                java-archive  CVE-2020-9492        High        
hadoop-annotations                 3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2022-25168       Critical    
hadoop-annotations                 2.8.5                                                                java-archive  CVE-2022-26612       Critical    
hadoop-auth                        2.8.5                                                                java-archive  CVE-2021-33036       High        
hadoop-auth                        3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-25642       High        
hadoop-auth                        2.8.5                                                                java-archive  CVE-2022-25168       Critical    
hadoop-auth                        3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-37404       Critical    
hadoop-auth                        2.8.5                                                                java-archive  CVE-2018-11765       High        
hadoop-auth                        3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-33036       High        
hadoop-auth                        3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2022-25168       Critical    
hadoop-auth                        2.8.5                                                                java-archive  CVE-2022-26612       Critical    
hadoop-auth                        2.8.5                                                                java-archive  CVE-2020-9492        High        
hadoop-aws                         3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-33036       High        
hadoop-aws                         3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-37404       Critical    
hadoop-aws                         3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-25642       High        
hadoop-aws                         3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2022-25168       Critical    
hadoop-aws                         2.8.5                                                                java-archive  CVE-2018-11765       High        
hadoop-aws                         2.8.5                                                                java-archive  CVE-2022-25168       Critical    
hadoop-aws                         2.8.5                                                                java-archive  CVE-2022-26612       Critical    
hadoop-aws                         2.8.5                                                                java-archive  CVE-2021-33036       High        
hadoop-aws                         2.8.5                                                                java-archive  CVE-2020-9492        High        
hadoop-azure                       3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-37404       Critical    
hadoop-azure                       2.8.5-dremio-r2-202106241733540604-acdda22                           java-archive  CVE-2020-9492        High        
hadoop-azure                       2.8.5-dremio-r2-202106241733540604-acdda22                           java-archive  CVE-2021-33036       High        
hadoop-azure                       2.8.5-dremio-r2-202106241733540604-acdda22                           java-archive  CVE-2022-26612       Critical    
hadoop-azure                       3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2022-25168       Critical    
hadoop-azure                       3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-33036       High        
hadoop-azure                       2.8.5-dremio-r2-202106241733540604-acdda22                           java-archive  CVE-2022-25168       Critical    
hadoop-azure                       2.8.5-dremio-r2-202106241733540604-acdda22                           java-archive  CVE-2018-11765       High        
hadoop-azure                       3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-25642       High        
hadoop-azure-datalake              3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-33036       High        
hadoop-azure-datalake              3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-37404       Critical    
hadoop-azure-datalake              2.8.5                                                                java-archive  CVE-2022-25168       Critical    
hadoop-azure-datalake              2.8.5                                                                java-archive  CVE-2022-26612       Critical    
hadoop-azure-datalake              2.8.5                                                                java-archive  CVE-2021-33036       High        
hadoop-azure-datalake              3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2022-25168       Critical    
hadoop-azure-datalake              2.8.5                                                                java-archive  CVE-2018-11765       High        
hadoop-azure-datalake              3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-25642       High        
hadoop-azure-datalake              2.8.5                                                                java-archive  CVE-2020-9492        High        
hadoop-client                      3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-33036       High        
hadoop-client                      2.8.5                                                                java-archive  CVE-2021-33036       High        
hadoop-client                      3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2022-25168       Critical    
hadoop-client                      3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-37404       Critical    
hadoop-client                      2.8.5                                                                java-archive  CVE-2018-11765       High        
hadoop-client                      2.8.5                                                                java-archive  CVE-2022-26612       Critical    
hadoop-client                      2.8.5                                                                java-archive  CVE-2022-25168       Critical    
hadoop-client                      3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-25642       High        
hadoop-client                      2.8.5                                                                java-archive  CVE-2020-9492        High        
hadoop-common                      3.3.2-dremio-202207041927090255-61c2bd1     3.3.2                    java-archive  GHSA-rmpj-7c96-mrg8  Critical    
hadoop-common                      2.8.5                                                                java-archive  CVE-2022-25168       Critical    
hadoop-common                      3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-25642       High        
hadoop-common                      3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2022-25168       Critical    
hadoop-common                      2.8.5                                       2.10.2                   java-archive  GHSA-8wm5-8h9c-47pc  Critical    
hadoop-common                      2.8.5                                       2.10.1                   java-archive  GHSA-f8vc-wfc8-hxqh  High        
hadoop-common                      2.8.5                                                                java-archive  CVE-2018-11765       High        
hadoop-common                      3.3.2-dremio-202207041927090255-61c2bd1     3.3.3                    java-archive  GHSA-8wm5-8h9c-47pc  Critical    
hadoop-common                      2.8.5                                                                java-archive  CVE-2020-9492        High        
hadoop-common                      3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-33036       High        
hadoop-common                      3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-37404       Critical    
hadoop-common                      2.8.5                                       2.10.2                   java-archive  GHSA-rmpj-7c96-mrg8  Critical    
hadoop-common                      2.8.5                                       3.2.3                    java-archive  GHSA-gx2c-fvhc-ph4j  Critical    
hadoop-common                      2.8.5                                                                java-archive  CVE-2022-26612       Critical    
hadoop-common                      2.8.5                                                                java-archive  CVE-2021-33036       High        
hadoop-hdfs                        2.8.5                                                                java-archive  CVE-2022-26612       Critical    
hadoop-hdfs                        2.8.5                                                                java-archive  CVE-2020-9492        High        
hadoop-hdfs                        2.8.5                                                                java-archive  CVE-2022-25168       Critical    
hadoop-hdfs                        3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-37404       Critical    
hadoop-hdfs                        3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-25642       High        
hadoop-hdfs                        3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-33036       High        
hadoop-hdfs                        2.8.5                                                                java-archive  CVE-2021-33036       High        
hadoop-hdfs                        3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2022-25168       Critical    
hadoop-hdfs                        2.8.5                                                                java-archive  CVE-2018-11765       High        
hadoop-hdfs-client                 3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-37404       Critical    
hadoop-hdfs-client                 3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-25642       High        
hadoop-hdfs-client                 2.8.5                                                                java-archive  CVE-2018-11765       High        
hadoop-hdfs-client                 2.8.5                                                                java-archive  CVE-2020-9492        High        
hadoop-hdfs-client                 3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-33036       High        
hadoop-hdfs-client                 3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2022-25168       Critical    
hadoop-hdfs-client                 2.8.5                                                                java-archive  CVE-2022-26612       Critical    
hadoop-hdfs-client                 2.8.5                                                                java-archive  CVE-2022-25168       Critical    
hadoop-hdfs-client                 2.8.5                                                                java-archive  CVE-2021-33036       High        
hadoop-mapreduce-client-app        2.8.5                                                                java-archive  CVE-2018-11765       High        
hadoop-mapreduce-client-app        2.8.5                                                                java-archive  CVE-2020-9492        High        
hadoop-mapreduce-client-app        2.8.5                                                                java-archive  CVE-2022-25168       Critical    
hadoop-mapreduce-client-app        2.8.5                                                                java-archive  CVE-2022-26612       Critical    
hadoop-mapreduce-client-app        2.8.5                                                                java-archive  CVE-2021-33036       High        
hadoop-mapreduce-client-common     3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2022-25168       Critical    
hadoop-mapreduce-client-common     3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-37404       Critical    
hadoop-mapreduce-client-common     2.8.5                                                                java-archive  CVE-2018-11765       High        
hadoop-mapreduce-client-common     3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-25642       High        
hadoop-mapreduce-client-common     2.8.5                                                                java-archive  CVE-2020-9492        High        
hadoop-mapreduce-client-common     2.8.5                                                                java-archive  CVE-2021-33036       High        
hadoop-mapreduce-client-common     3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-33036       High        
hadoop-mapreduce-client-common     2.8.5                                                                java-archive  CVE-2022-25168       Critical    
hadoop-mapreduce-client-common     2.8.5                                                                java-archive  CVE-2022-26612       Critical    
hadoop-mapreduce-client-core       3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2022-25168       Critical    
hadoop-mapreduce-client-core       3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-25642       High        
hadoop-mapreduce-client-core       2.8.5                                                                java-archive  CVE-2020-9492        High        
hadoop-mapreduce-client-core       3.3.2-dremio-202207041927090255-61c2bd1                              java-archive  CVE-2021-37404       Critical    
jackson-databind                   2.4.0                                       2.8.11                   java-archive  GHSA-h592-38cm-4ggp  Critical    
jackson-databind                   2.6.3                                                                java-archive  CVE-2018-11307       Critical    
jackson-databind                   2.4.0                                       2.9.10.7                 java-archive  GHSA-5949-rw7g-wx7w  High        
jackson-databind                   2.4.0                                       2.9.10                   java-archive  GHSA-85cw-hj65-qqv9  Critical    
jackson-databind                   2.13.2.2                                    2.13.4.1                 java-archive  GHSA-jjjh-jjxp-wpff  High        
jackson-databind                   2.6.3                                       2.9.10.8                 java-archive  GHSA-f9xh-2qgp-cq57  High        
jackson-databind                   2.4.0                                       2.12.7.1                 java-archive  GHSA-rgv9-q543-rqg4  High        
jackson-databind                   2.6.3                                       2.9.9.2                  java-archive  GHSA-gwp4-hfv6-p7hw  High        
jackson-databind                   2.6.3                                       2.9.10.4                 java-archive  GHSA-p43x-xfjf-5jhr  Critical    
jackson-databind                   2.6.3                                                                java-archive  CVE-2019-17531       Critical    
jackson-databind                   2.6.3                                                                java-archive  CVE-2020-10673       High        
jackson-databind                   2.6.3                                                                java-archive  CVE-2019-16942       Critical    
jackson-databind                   2.6.3                                                                java-archive  CVE-2019-14540       Critical    
jackson-databind                   2.6.3                                       2.9.10.8                 java-archive  GHSA-r3gr-cxrf-hg25  High        
jackson-databind                   2.6.3                                       2.9.10.1                 java-archive  GHSA-fmmc-742q-jg75  Critical    
jackson-databind                   2.6.3                                                                java-archive  CVE-2018-14718       Critical    
jackson-databind                   2.6.3                                       2.9.10.1                 java-archive  GHSA-gjmw-vf9h-g25v  Critical    
jackson-databind                   2.4.0                                       2.8.11                   java-archive  GHSA-w3f4-3q6j-rh82  High        
jackson-databind                   2.4.0                                       2.6.7.4                  java-archive  GHSA- 
jackson-databind                   2.6.3                                       2.9.10.7                 java-archive  GHSA-5949-rw7g-wx7w  High        
jackson-databind                   2.6.3                                                                java-archive  CVE-2022-42003       High        
jackson-databind                   2.6.3                                                                java-archive  CVE-2020-35490       High        
jackson-databind                   2.6.3                                                                java-archive  CVE-2019-16943       Critical    
jackson-databind                   2.6.3                                       2.9.9.1                  java-archive  GHSA-cmfg-87vq-g5g4  Medium      
jackson-databind                   2.6.3                                       2.6.7.4                  java-archive  GHSA-288c-cq4h-88gq  High        
jackson-databind                   2.6.3                                                                java-archive  CVE-2017-17485       Critical    
jackson-databind                   2.6.3                                                                java-archive  CVE-2018-14721       Critical    
jackson-databind                   2.4.0                                       2.9.9.1                  java-archive  GHSA-mph4-vhrx-mv67  Medium      
jackson-databind                   2.4.0                                       2.6.7.5                  java-archive  GHSA-qjw2-hr98-qgfh  High        
jackson-databind                   2.4.0                                       2.9.10.4                 java-archive  GHSA-fqwf-pjwf-7vqv  Medium      
jackson-databind                   2.6.3                                       2.9.10.8                 java-archive  GHSA-9m6f-7xcq-8vf8  High        
jackson-databind                   2.6.3                                                                java-archive  CVE-2018-14720       Critical    
jackson-databind                   2.6.3                                       2.9.10.4                 java-archive  GHSA-rpr3-cw39-3pxh  High        
jackson-databind                   2.6.3                                       2.7.9.4                  java-archive  GHSA-qr7j-h6gg-jmgc  Critical    
jackson-databind                   2.6.3                                       2.6.7.4                  java-archive  GHSA-gww7-p5w4-wrfv  Critical    
jackson-databind                   2.4.0                                       2.9.10.8                 java-archive  GHSA-m6x4-97wx-4q27  High        
jackson-databind                   2.6.3                                                                java-archive  CVE-2018-7489        Critical    
jackson-databind                   2.6.3                                       2.9.10.1                 java-archive  GHSA-mx7p-6679-8g3q  Critical    
jackson-databind                   2.6.3                                       2.8.11                   java-archive  GHSA-w3f4-3q6j-rh82  High        
jackson-databind                   2.4.0                                       2.12.7.1                 java-archive  GHSA-jjjh-jjxp-wpff  High        
jackson-databind                   2.6.3                                       2.9.10                   java-archive  GHSA-85cw-hj65-qqv9  Critical    
jackson-databind                   2.6.3                                                                java-archive  CVE-2018-19362       Critical    
jackson-databind                   2.6.3                                       2.7.9.5                  java-archive  GHSA-645p-88qh-w398  Critical    
jackson-databind                   2.4.0                                       2.9.10.4                 java-archive  GHSA-q93h-jc49-78gg  Critical    
jackson-databind                   2.4.0                                       2.9.10.6                 java-archive  GHSA-h3cw-g4mq-c5x2  High        
jackson-databind                   2.4.0                                       2.9.9.2                  java-archive  GHSA-gwp4-hfv6-p7hw  High        
jackson-databind                   2.4.0                                       2.9.10.8                 java-archive  GHSA-9m6f-7xcq-8vf8  High        
jackson-databind                   2.6.3                                                                java-archive  CVE-2018-5968        High        
jackson-databind                   2.4.0                                       2.9.10.1                 java-archive  GHSA-gjmw-vf9h-g25v  Critical    
jackson-databind                   2.4.0                                       2.9.10.8                 java-archive  GHSA-r695-7vr9-jgc2  High        
jackson-databind                   2.4.0                                       2.9.10.8                 java-archive  GHSA-9gph-22xh-8x98  High        
jackson-databind                   2.13.2                                                               java-archive  CVE-2020-36518       High        
jackson-databind                   2.4.0                                       2.9.10.4                 java-archive  GHSA-p43x-xfjf-5jhr  Critical    
jackson-databind                   2.6.3                                                                java-archive  CVE-2020-25649       High        
jackson-databind                   2.6.3                                       2.9.10.8                 java-archive  GHSA-89qr-369f-5m5x  High        
jackson-databind                   2.4.0                                       2.9.10                   java-archive  GHSA-f3j5-rmmp-3fc5  Critical    
jackson-databind                   2.13.2                                      2.13.4                   java-archive  GHSA-rgv9-q543-rqg4  High        
jackson-databind                   2.6.3                                                                java-archive  CVE-2018-19360       Critical    
jackson-databind                   2.6.3                                       2.8.11                   java-archive  GHSA-h592-38cm-4ggp  Critical    
jackson-databind                   2.4.0                                       2.9.10.8                 java-archive  GHSA-8w26-6f25-cm9x  High        
jackson-databind                   2.4.0                                       2.6.7.4                  java-archive  GHSA-gww7-p5w4-wrfv  Critical    
jackson-databind                   2.4.0                                       2.6.7.4                  java-archive  GHSA-4w82-r329-3q67  Critical    
jackson-databind                   2.6.3                                       2.9.10.8                 java-archive  GHSA-cvm9-fjm9-3572  High        
jackson-databind                   2.6.3                                       2.9.10.8                 java-archive  GHSA-m6x4-97wx-4q27  High        
jackson-databind                   2.4.0                                       2.9.10.8                 java-archive  GHSA-f9xh-2qgp-cq57  High        
jackson-databind                   2.6.3                                                                java-archive  CVE-2020-35491       High        
jackson-databind                   2.4.0                                       2.9.10                   java-archive  GHSA-h822-r4r5-v8jg  Critical    
jackson-databind                   2.6.3                                                                java-archive  CVE-2019-14379       Critical    
jackson-databind                   2.4.0                                       2.9.10.8                 java-archive  GHSA-cvm9-fjm9-3572  High        
jackson-databind                   2.4.0                                       2.7.9.4                  java-archive  GHSA-cjjf-94ff-43w7  High        
jackson-databind                   2.6.3                                       2.9.10.8                 java-archive  GHSA-8w26-6f25-cm9x  High        
jackson-databind                   2.4.0                                                                java-archive  CVE-2022-42004       High        
jackson-databind                   2.4.0                                       2.9.10.4                 java-archive  GHSA-rpr3-cw39-3pxh  High        
jackson-databind                   2.4.0                                                                java-archive  CVE-2018-7489        Critical    
jackson-databind                   2.4.0                                       2.9.9.2                  java-archive  GHSA-6fpp-rgj9-8rwc  Critical    
jackson-databind                   2.4.0                                                                java-archive  CVE-2020-35490       High        
jackson-databind                   2.4.0                                       2.9.10.8                 java-archive  GHSA-       

Hi

I have the same issue with the scanner for 24.0.0

eg CVE-2018-14721
Seems that the scanner should ignore that and other issues dremio-oss/tools/build-tools/src/main/resources/dremio-owasp/suppressions.xml at master · dremio/dremio-oss · GitHub

They should be suppressed according to https://jeremylong.github.io/DependencyCheck/general/suppression.html

I have the same issue with zookeeper 3.8.0

eg CVE-2021-38297

where based on a comment it is irrelevant…
https://github.com/tianon/gosu/issues/104

https://zookeeper.apache.org/security.html

Does not make my life easier :slight_smile:

PS: “new users can put only 2 links in the post” so if you have to copy-paste links, say thanks to the Dremio Team :slight_smile:
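As an added example (not code from this thread or from Dremio), the script below reads a suppression file in the Dependency-Check format linked above and applies it to grype's JSON output (`grype <image> -o json`), so suppressed findings are reported separately from open ones and an expired `until` rule no longer hides anything. The suppression rules, their rationales and the grype excerpt are constructed for the example, and the matching semantics (full-match regex, case-insensitive equality otherwise) are this script's own assumptions rather than a reproduction of Dependency-Check's.

```python
import json
import re
import xml.etree.ElementTree as ET
from datetime import date

# Namespace of the Dependency-Check suppression schema (see the linked docs).
NS = {"dc": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed suppression file in that format. The rules and rationales are
# illustrative only; they are not Dremio's real suppressions.xml.
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>constructed rationale: jackson-databind 2.6.3 is not reachable at runtime</notes>
    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@2\.6\.3$</packageUrl>
    <cve>CVE-2018-14721</cve>
  </suppress>
  <suppress until="2020-01-01Z">
    <notes>constructed rationale: avatica finding accepted only until 2020</notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica/.*$</packageUrl>
    <cve>CVE-2022-39135</cve>
  </suppress>
</suppressions>
"""

# Constructed excerpt of `grype ... -o json`: only the fields this script reads.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2018-14721", "severity": "Critical"},
     "artifact": {"name": "jackson-databind", "version": "2.6.3", "type": "java-archive",
                  "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.3"}},
    {"vulnerability": {"id": "CVE-2018-14721", "severity": "Critical"},
     "artifact": {"name": "jackson-databind", "version": "2.4.0", "type": "java-archive",
                  "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.0"}},
    {"vulnerability": {"id": "CVE-2022-39135", "severity": "Critical"},
     "artifact": {"name": "avatica-core", "version": "1.18.0", "type": "java-archive",
                  "purl": "pkg:maven/org.apache.calcite.avatica/avatica-core@1.18.0"}},
]})


def _matcher(node):
    """Predicate for a <packageUrl> or <vulnerabilityName> element.
    regex="true" means a full-string regular-expression match; otherwise the
    value must be equal (case-insensitive here, an assumption of this example)."""
    value = (node.text or "").strip()
    if node.get("regex", "false").lower() == "true":
        pattern = re.compile(value, re.IGNORECASE)
        return lambda text: pattern.fullmatch(text) is not None
    return lambda text: text.lower() == value.lower()


class Rule:
    """One <suppress> element: which packages it covers, which findings, until when."""

    def __init__(self, node):
        self.notes = (node.findtext("dc:notes", default="", namespaces=NS) or "").strip()
        until = node.get("until")
        # `until` is an xs:date such as 2020-01-01Z; keep the calendar-date prefix.
        self.until = date.fromisoformat(until[:10]) if until else None
        self.cves = {c.text.strip().upper() for c in node.findall("dc:cve", NS) if c.text}
        self.names = [_matcher(n) for n in node.findall("dc:vulnerabilityName", NS)]
        self.purls = [_matcher(p) for p in node.findall("dc:packageUrl", NS)]

    def applies(self, finding, today):
        if self.until is not None and today > self.until:
            return False  # an expired suppression must not hide a finding
        purl = finding["artifact"].get("purl", "")
        if self.purls and not any(m(purl) for m in self.purls):
            return False  # rule is scoped to other packages
        vuln = finding["vulnerability"]["id"].upper()
        if not self.cves and not self.names:
            return True  # package-only rule: covers every finding on that package
        return vuln in self.cves or any(m(vuln) for m in self.names)


def load_rules(xml_text):
    root = ET.fromstring(xml_text)
    return [Rule(n) for n in root.findall("dc:suppress", NS)]


def filter_findings(grype_json, suppressions_xml, today=None):
    """Split grype matches into (kept, suppressed); each entry is
    (package, version, vulnerability id, suppression note or None).
    `today` may be a date, an ISO date string, or None for the current date."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    rules = load_rules(suppressions_xml)
    kept, suppressed = [], []
    for m in json.loads(grype_json)["matches"]:
        hit = next((r for r in rules if r.applies(m, today)), None)
        entry = (m["artifact"]["name"], m["artifact"]["version"],
                 m["vulnerability"]["id"], hit.notes if hit else None)
        (suppressed if hit else kept).append(entry)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = filter_findings(GRYPE_JSON, SUPPRESSIONS_XML, today="2023-06-01")
    for name, version, vuln, note in suppressed:
        print(f"suppressed {vuln} on {name} {version}: {note}")
    for name, version, vuln, _ in kept:
        print(f"OPEN       {vuln} on {name} {version}")
```

Run against a real scan with `grype docker.io/dremio/dremio-oss:23.1.0 -o json > grype.json` and the project's suppressions.xml; the avatica rule only applies when `today` is before its `until` date, which is the case the script treats as an edge case.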

We take security issues very seriously at Dremio. If there is an exploitable security issue, we resolve it within our internal security SLAs based on severity/priority. In case of non-exploitable security issues in third-party libraries, we always try to update them to the latest possible version at a regular cadence. Please always update to the latest Dremio version.
To know more about security at Dremio: