Application Security Scans Failing on Zeebe 8.5

We are using the self-managed Zeebe 8.5 version to execute workflows. One of our clients requested an application security scan through DeepFactor, which scans running k8s containers.

We observed that there are 67 vulnerabilities (some of which I have attached as screenshots below). The elasticsearch bitnami container showed 1429 vulnerabilities.

With such a high number of security issues, I would like to know how others are tackling such challenges when they deploy Zeebe with Elasticsearch in production. Are security scans done? If so, what tools are used? If not, how are application security compliance standards met?

It would be great to get some inputs.
Thanks.
Running the scan for different versions of Zeebe and will keep you posted.

Ran the scan with the Trivy scanner for the latest Camunda Zeebe/Keycloak/Elasticsearch. The list seems to be higher.

I would recommend the product team take a look at these reports.

Chart: Releases · camunda/camunda-platform-helm · GitHub

Did further research on this issue.

I used the Keycloak image 26.0.1 from Camunda and from Keycloak. Camunda's has the same effect. But the Keycloak image built by Red Hat does not have HIGH vulnerabilities.

For Elasticsearch, I tested with the Elastic image instead of Bitnami and found no HIGH vulnerabilities. Images attached.

@jgeek1, maybe you can use the alternate image from Elastic instead of the Bitnami images.

@Camunda product team, any update on this security issue with the Bitnami images?
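The posts above compare Trivy results for alternative base images by eyeballing the HIGH count. The script below is an added example (not from the thread or from Camunda) that turns that comparison into something repeatable: it reads Trivy's JSON output (`trivy image --format json -o report.json <image>`), counts findings per severity per image, separates findings that have a fixed version from those that do not, and applies a simple gate of the kind a CI pipeline or a compliance checklist would use. The two embedded reports are constructed to match Trivy's schema; the image names and vulnerability IDs are placeholders, not real scan results for any of the images discussed.

```python
"""Summarize and gate Trivy JSON reports per container image.

Added example. The reports below are constructed inline in the shape
Trivy emits (ArtifactName, Results[].Target, Results[].Vulnerabilities[])
so the script runs offline; nothing here is real scan output.
"""
import json
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample: an image with several fixable findings and one
# finding that has no fix yet (Trivy omits FixedVersion in that case).
REPORT_A = {
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/image-a:1.0",  # placeholder name
    "Results": [
        {"Target": "image-a (debian 12)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-XXXX-0001", "PkgName": "libssl", "InstalledVersion": "1.2.3", "FixedVersion": "1.2.4", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-XXXX-0002", "PkgName": "curl", "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-XXXX-0003", "PkgName": "glibc", "InstalledVersion": "2.36", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-XXXX-0004", "PkgName": "zlib", "InstalledVersion": "3.0", "FixedVersion": "3.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-XXXX-0005", "PkgName": "bash", "InstalledVersion": "5.2", "Severity": "MEDIUM"},
         ]},
        {"Target": "usr/bin/app", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-XXXX-0006", "PkgName": "golang.org/x/net", "InstalledVersion": "0.8.0", "FixedVersion": "0.9.0", "Severity": "LOW"},
         ]},
    ],
}

# Constructed sample: a leaner image. Trivy emits no "Vulnerabilities" key
# (or null) for a clean target, which the summarizer must tolerate.
REPORT_B = {
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/image-b:1.0",  # placeholder name
    "Results": [
        {"Target": "image-b (ubuntu 22.04)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-XXXX-0007", "PkgName": "openssl", "InstalledVersion": "4.9", "FixedVersion": "5.0", "Severity": "MEDIUM"},
         ]},
        {"Target": "usr/share/app", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": None},
    ],
}


def load_report(path):
    """Load a Trivy JSON report written with `trivy image --format json -o <path>`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def summarize(report):
    """Count findings per severity, overall and for those with a FixedVersion."""
    total, fixable = Counter(), Counter()
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            total[sev] += 1
            if vuln.get("FixedVersion"):
                fixable[sev] += 1
    return {"image": report.get("ArtifactName"), "total": dict(total), "fixable": dict(fixable)}


def gate(summary, fail_on=("CRITICAL", "HIGH"), fixable_only=True):
    """Return (passed, offending_count).

    fixable_only=True mirrors `trivy --ignore-unfixed`: a finding with no
    upstream fix cannot be resolved by bumping the image tag, so it is
    tracked separately rather than blocking the build.
    """
    counts = summary["fixable"] if fixable_only else summary["total"]
    offending = sum(counts.get(sev, 0) for sev in fail_on)
    return offending == 0, offending


def rank_images(reports):
    """Order candidate images by CRITICAL+HIGH total, lowest first."""
    scored = []
    for report in reports:
        s = summarize(report)
        score = s["total"].get("CRITICAL", 0) + s["total"].get("HIGH", 0)
        scored.append((s["image"], score))
    return sorted(scored, key=lambda item: item[1])


def format_summary(summary):
    """One line per image in a stable severity order, for a CI log."""
    cells = [f"{sev}={summary['total'].get(sev, 0)}/{summary['fixable'].get(sev, 0)}"
             for sev in SEVERITY_ORDER if summary["total"].get(sev)]
    return f"{summary['image']}: " + " ".join(cells) + "  (total/fixable)"


if __name__ == "__main__":
    for rep in (REPORT_A, REPORT_B):
        summ = summarize(rep)
        ok, n = gate(summ)
        print(format_summary(summ), "PASS" if ok else f"FAIL ({n} fixable CRITICAL/HIGH)")
    print("ranking:", rank_images([REPORT_A, REPORT_B]))
```

The total/fixable split is the part worth keeping when you compare images: a base image that carries findings with no available fix will show up in every scanner regardless of vendor, and the honest comparison between two candidate images is the number of findings each leaves you able to remediate. Swapping the images in `rank_images` for real reports loaded with `load_report` gives the same ordering the posts above arrived at by hand.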

Hey @cpbpm and @jgeek1, I was going through unanswered forum questions and stumbled on this one. I know it's been a while, but here's some info for you and any others that find this thread:

  • Camunda does not maintain the third-party images (Keycloak, Elastic, etc.). We do have certain versions of those products that we support, but changing the base image to a patch release that fixes the CVE generally shouldn't be an issue.
  • If you have questions or concerns about whether a newer image would be supported, it is recommended to reach out to our support team.
  • If any vulnerability is found within a Camunda product, we again recommend reaching out to the support team directly; this is the fastest avenue for any support, and depending on what has been found, the support team can quickly escalate the issue with the product team. You can also monitor the GitHub repository for any related issues.

And finally, a reminder that this is a community forum, not an official support channel; we recommend reaching out to our support team for security-related issues like this so you receive a timely response!

Thank you @nathan.loding for your reply. Like the other user, I am also just trying to help here.