We are using the self-managed Zeebe 8.5 version to execute workflows. One of our clients requested an application security scan through Deepfactor, which scans running k8s containers.
We observed that there are 67 vulnerabilities (some of which I have attached as screenshots below). The Elasticsearch Bitnami container showed 1429 vulnerabilities.
With such a high number of security issues, I would like to know how others are tackling such challenges when they deploy Zeebe with Elasticsearch in production. Are security scans done? If so, what tools are used? If not, how are application security compliance standards met?
I used the Keycloak image 26.0.1 from Camunda and Keycloak. Camunda has the same effect. But the Keycloak image built by Red Hat does not have HIGH vulnerabilities.
Hey @cpbpm and @jgeek1 - I was going through unanswered forum questions and stumbled on this one. I know it’s been a while, but here’s some info for you and any others that find this thread also:
Camunda does not maintain the third-party images (Keycloak, Elastic, etc.). We do have certain versions of those products that we support, but changing the base image to a patch release that fixes the CVE generally shouldn't be an issue.
If you have questions or concerns about whether a newer image would be supported, it is recommended to reach out to our support team.
If any vulnerability is found within a Camunda product, we again recommend reaching out to the support team directly; this is the fastest avenue for any support, and depending on what has been found, the support team can quickly escalate the issue with the product team. You can also monitor the GitHub repository for any related issues.
And finally, a reminder that this is a community forum, not an official support channel; we recommend reaching out to our support team for security-related issues like this so you receive a timely response!