Security vulnerability with temporal and airbyte-worker images

Hello,

Our security team detected the “CVE-2022-27664” vulnerability with temporal and airbyte-worker container images. These two images use golang 1.15.8 (tctl, sql-tool, and temporal-server packages), 1.10 (dockerize package), and 1.17.2 (airbyte-worker). They are asking us to upgrade the golang version to 1.18.6. Could you please suggest how to upgrade these images? Currently, I deployed airbyte-0.39.35-alpha on GKE.

Thanks
Naresh

Hello there! You are receiving this message because none of your fellow community members has stepped in to respond to your topic post. (If you are a community member and you are reading this response, feel free to jump in if you have the answer!) As a result, the Community Assistance Team has been made aware of this topic and will be investigating and responding as quickly as possible.
Some important considerations that will help you to get your issue solved faster:

  • It is best to use our topic creation template; if you haven’t yet, we recommend posting a followup with the requested information. With that information the team will be able to more quickly search for similar issues with connectors and the platform and troubleshoot more quickly your specific question or problem.
  • Make sure to upload the complete log file; a common investigation roadblock is that sometimes the error for the issue happens well before the problem is surfaced to the user, and so having the tail of the log is less useful than having the whole log to scan through.
  • Be as descriptive and specific as possible; when investigating it is extremely valuable to know what steps were taken to encounter the issue, what version of connector / platform / Java / Python / docker / k8s was used, etc. The more context supplied, the quicker the investigation can start on your topic and the faster we can drive towards an answer.
  • We in the Community Assistance Team are glad you’ve made yourself part of our community, and we’ll do our best to answer your questions and resolve the problems as quickly as possible. Expect to hear from a specific team member as soon as possible.

Thank you for your time and attention.
Best,
The Community Assistance Team

Hello Naresh, thank you for reporting this.

Can you please upgrade to the latest versions of the airbyte platform and check again? We’ve done some work recently on our base docker images to enhance our security rating based on reports from Snyk monitoring.

cc @jerri-airbyte and @davinchia

Thanks, @evantahler-airbyte, for the response. I will upgrade it to the latest version. Do you know if temporal or airbyte-worker uses any net/http libraries?

Temporal is an OSS queue/background job service we use which is written in Go, and likely does use net/http. airbyte-worker is a Java application and doesn’t use any Go libraries.