Title
#fleet
o

Ojas

08/23/2022, 4:24 AM
Guys there seem to be a critical vuln in the ECS deployment of fleet: The package
zlib
version
1.2.12-r1
was detected in
APK package manager
on a container image running
Alpine 3.16.0
is vulnerable to
CVE-2022-37434
, which exists in versions
\u003c 1.2.12-r2
.\n\nThe vulnerability was found in the [Official Alpine Security Advisories](https://security.alpinelinux.org/vuln/CVE-2022-37434) with vendor severity:
Critical
([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-37434) severity:
Critical
).\n\nThis vulnerability has a known exploit available. Source: Github [[1](https://github.com/ivd38/zlib_overflow), [2](https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063), [3](https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764)].\n\nThe vulnerability can be remediated by updating the package to version
1.2.12-r2
or higher,
5:10 AM
can we upgrade it without shutting down?
5:20 AM
Status reason CannotStartContainerError: ResourceInitializationError: failed to create new container runtime task: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: “apk update”: executable file not found Command [“apk update”] tried using the new task to run command bit says not found
zwass

zwass

08/23/2022, 3:32 PM
Luckily Fleet doesn't use
zlib
. The next version of Fleet (should be published today) will use the new
alpine
base image that should have the fix though. If you need it right now, or with a different Fleet version, you would need to build yourself from the Dockerfile.
o

Ojas

08/23/2022, 3:47 PM
if new version is coming then i guess i can hold for that. thanks 🙂