On Wed, Jan 6, 2021 at 1:06 AM Matt Wilder <matt.wilder@bitmex.com> wrote:
I took a look at your scan results.

All of the CRITICAL vulnerabilities listed are for samba related libraries and reference the same CVE (https://avd.aquasec.com/nvd/cve-2020-1472), which is about the domain controller part of samba, and therefore does not affect Ceph.

Of the HIGH vulnerabilities listed:
sqlite-libs - https://avd.aquasec.com/nvd/cve-2019-5827 is specifically about chromium-browser, so Ceph is not affected.
lodash - https://avd.aquasec.com/nvd/cve-2020-8203 is about distributed tracing, so Ceph MIGHT be affected if you are using this feature, or it might not.  Someone with more context on this would need to weigh in.  https://www.npmjs.com/advisories/1523 seems to reference the same thing.
The moral of the story here is that these security scanners do a very simple check for CVEs against software versions installed inside a package.  The affected libraries should definitely be upgraded, but just because a scanner like this registers a vulnerability is not an absolute indicator that a given service is actually vulnerable.
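
An added example (not the scanner report or any tooling from this thread) of the triage step Matt describes: a scanner match on an installed package version is the start of the analysis, not the conclusion. The script flattens a Trivy-style JSON report and pairs each finding with a reviewed decision, using the VEX status vocabulary (not_affected, affected, under_investigation), so that the reasoning given above is recorded and a fresh scanner hit is never silently dropped. The embedded report is constructed and abbreviated (the CVE IDs are the ones named in the thread; package versions are placeholders), and the decision table is hypothetical.

```python
"""Triage a Trivy image-scan report against documented decisions.

Added example, not the report attached to the thread: shows why a version
match from a scanner is only the starting point, and how to record the
per-CVE reasoning so it does not have to be redone on every rescan.
"""
import json
from dataclasses import dataclass

# Constructed, abbreviated report in Trivy's JSON layout
# (Results[] -> Vulnerabilities[]). Versions are placeholders, not real ones.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "ceph/ceph:v15.x (constructed sample)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2020-1472", "PkgName": "samba-common",
             "InstalledVersion": "0.0.1-placeholder",
             "FixedVersion": "0.0.2-placeholder", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2019-5827", "PkgName": "sqlite-libs",
             "InstalledVersion": "0.0.1-placeholder",
             "FixedVersion": "0.0.2-placeholder", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2020-8203", "PkgName": "lodash",
             "InstalledVersion": "0.0.1-placeholder",
             "FixedVersion": "0.0.2-placeholder", "Severity": "HIGH"},
        ],
    }],
})

# Hypothetical decision table capturing the reasoning from the thread.
# Statuses follow the VEX vocabulary: not_affected, affected, under_investigation.
DECISIONS = {
    "CVE-2020-1472": ("not_affected",
                      "Concerns the Samba domain-controller component; Ceph does not run one."),
    "CVE-2019-5827": ("not_affected",
                      "Advisory is specific to chromium-browser's use of sqlite."),
    "CVE-2020-8203": ("under_investigation",
                      "Depends on whether the distributed-tracing feature is in use."),
}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    installed: str
    fixed: str
    severity: str


@dataclass(frozen=True)
class Triaged:
    finding: Finding
    status: str
    justification: str
    upgrade_available: bool


def parse_findings(report_json: str) -> list:
    """Flatten Trivy's Results[].Vulnerabilities[] into Finding records."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null (not []) when a target has no vulnerabilities.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                cve=vuln["VulnerabilityID"],
                package=vuln["PkgName"],
                installed=vuln.get("InstalledVersion", ""),
                fixed=vuln.get("FixedVersion", ""),
                severity=vuln.get("Severity", "UNKNOWN"),
            ))
    return findings


def triage(findings: list, decisions: dict) -> list:
    """Attach a reviewed status to each finding. CVEs with no decision on
    file stay 'affected', so a new scanner hit is never silently ignored."""
    out = []
    for f in findings:
        status, why = decisions.get(f.cve, ("affected", "No reviewed decision on file."))
        # A fixed version being available means an upgrade is worthwhile
        # regardless of exploitability, as the thread recommends.
        out.append(Triaged(f, status, why, upgrade_available=bool(f.fixed)))
    return out


def summarize(triaged: list) -> dict:
    """Counts by status, plus how many findings have a fix to apply anyway."""
    counts = {}
    for t in triaged:
        counts[t.status] = counts.get(t.status, 0) + 1
    counts["upgrade_available"] = sum(1 for t in triaged if t.upgrade_available)
    return counts


if __name__ == "__main__":
    rows = triage(parse_findings(SAMPLE_REPORT), DECISIONS)
    for t in rows:
        print(f"{t.finding.severity:8} {t.finding.cve} {t.finding.package:13} "
              f"{t.status:20} fix={'yes' if t.upgrade_available else 'no'}  "
              f"{t.justification}")
    print(summarize(rows))
```

Run it against a real report with `trivy image -f json -o report.json ceph/ceph:<tag>` and feed the file contents to `parse_findings`; the point of the decision table is that every status other than "affected" carries a written justification that can be reviewed and revisited when the image changes.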

I agree with your point; I have a similar point of view. Cc'ing Mona in case s/he has any further query.
Thanks Matt!
On Tue, Jan 5, 2021 at 7:56 AM Deepika Upadhyay <dupadhya@redhat.com> wrote:

---------- Forwarded message ---------
From: Minor, Mona <Mona.Minor@unisys.com>
Date: Tue, Dec 29, 2020 at 8:15 PM
Subject: how to fix ceph vulnerability
To: dupadhya@redhat.com <dupadhya@redhat.com>

Hi Deepika,

I am working on a project where I need storage for my kubernetes pods.
I am looking to get the storage from ceph cluster.
Ceph is a very nice tool for meeting most of the storage requirements.

But I am in doubt whether to proceed, as I found that Ceph is “vulnerable”.
I tried to set up a cluster with the cephadm tool as well as the ceph-ansible tool. After that I also tried Ceph with Rook.
The image that's available on Docker Hub (ceph/ceph) doesn't have any Dockerfile.
I scanned the ceph:v15.xx image with “trivy”, and it generated a report with some vulnerabilities (HIGH, CRITICAL).

I am interested in getting a Ceph image that is not vulnerable.
Please let me know if any such image is available, or what process I have to follow to get a Ceph image that is not vulnerable.

For your reference I have attached the generated trivy report for Ceph. Kindly have a look at it.

Thank You and Regards,

Mona Minor


Dev mailing list -- dev@ceph.io
To unsubscribe send an email to dev-leave@ceph.io
