How to update the packages that are part of PMM Client's base docker image?

Description:

I’m using PMM v2.41.2, but I found that there are many vulnerabilities in the PMM Client docker image. So I tried to run the package manager of the base docker image, but I couldn’t find anything like yum, dnf or microdnf. How do I fix the vulnerabilities in the PMM Client docker image? I could upgrade PMM to the latest version, but there is still no package manager, so I couldn’t fix the vulnerabilities by myself in the future.

Steps to Reproduce:

Run a vulnerability scanner like trivy against the PMM Client docker image.

Version:

v2.41.2

Logs:

Total: 6 (HIGH: 6, CRITICAL: 0)

┌────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────────────────────────────────┐
│        Library         │ Vulnerability  │ Severity │ Status │ Installed Version │                     Title                     │
├────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────────────────────────────────┤
│ glibc                  │ CVE-2024-2961  │ HIGH     │ fixed  │ 2.34-83.el9_3.7   │ t of bounds write in iconv may lead to remote │
│                        │                │          │        │                   │ vd.aquasec.com/nvd/cve-2024-2961              │
│                        ├────────────────┤          │        │                   ├───────────────────────────────────────────────┤
│                        │ CVE-2024-33599 │          │        │                   │ ack-based buffer overflow in netgroup cache   │
│                        │                │          │        │                   │ vd.aquasec.com/nvd/cve-2024-33599             │
├────────────────────────┼────────────────┤          │        │                   ├───────────────────────────────────────────────┤
│ glibc-common           │ CVE-2024-2961  │          │        │                   │ t of bounds write in iconv may lead to remote │
│                        │                │          │        │                   │ vd.aquasec.com/nvd/cve-2024-2961              │
│                        ├────────────────┤          │        │                   ├───────────────────────────────────────────────┤
│                        │ CVE-2024-33599 │          │        │                   │ ack-based buffer overflow in netgroup cache   │
│                        │                │          │        │                   │ vd.aquasec.com/nvd/cve-2024-33599             │
├────────────────────────┼────────────────┤          │        │                   ├───────────────────────────────────────────────┤
│ glibc-minimal-langpack │ CVE-2024-2961  │          │        │                   │ t of bounds write in iconv may lead to remote │
│                        │                │          │        │                   │ vd.aquasec.com/nvd/cve-2024-2961              │
│                        ├────────────────┤          │        │                   ├───────────────────────────────────────────────┤
│                        │ CVE-2024-33599 │          │        │                   │ ack-based buffer overflow in netgroup cache   │
│                        │                │          │        │                   │ vd.aquasec.com/nvd/cve-2024-33599             │
└────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────────────────────────────────┘

Expected Result:

I would like to fix the vulnerabilities by myself.

Actual Result:

I couldn’t fix the vulnerabilities by myself as there is no package manager.

Additional Information:

N/A

Hi @chadr,
This should already be fixed in our latest version, as we have already received reports about it.
So please upgrade, use the new images, and let us know if the problem still exists for you.

This is unsupported behavior. Please upgrade the entire container image. We try our very best to release updated PMM images when CVEs are discovered.
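To turn a scan like the one above into the decision the replies describe (in an image with no package manager, a CVE the distro has already fixed is cleared by pulling a rebuilt image, not by patching in place), here is an added example that is not part of this thread or of PMM: a small Python triage of a trivy JSON report. The sample data is constructed to mirror the table in the question; the field names follow trivy's `-f json` output and the target string is made up.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def make_report(findings, target="pmm-client (constructed target)"):
    """Build a trivy-style JSON report string (field names as in `trivy -f json`)
    from (pkg, cve, installed_version, severity, status) tuples."""
    vulns = [{"PkgName": p, "VulnerabilityID": c, "InstalledVersion": iv,
              "Severity": s, "Status": st} for p, c, iv, s, st in findings]
    return json.dumps({"Results": [{"Target": target, "Class": "os-pkgs",
                                    "Vulnerabilities": vulns}]})

# Constructed sample mirroring the table in the question: three glibc packages,
# two HIGH CVEs each, all with Status "fixed" (the distro has shipped a fix).
SAMPLE_REPORT = make_report([
    (pkg, cve, "2.34-83.el9_3.7", "HIGH", "fixed")
    for pkg in ("glibc", "glibc-common", "glibc-minimal-langpack")
    for cve in ("CVE-2024-2961", "CVE-2024-33599")
])

def os_package_findings(report_json):
    """Yield (pkg, cve, severity, status) for OS-package results only."""
    for result in json.loads(report_json).get("Results", []):
        if result.get("Class") != "os-pkgs":
            continue
        for v in result.get("Vulnerabilities") or []:
            yield v["PkgName"], v["VulnerabilityID"], v["Severity"], v.get("Status", "")

def triage(report_json, min_severity="HIGH"):
    """Split findings at/above min_severity into those a rebuilt base image clears
    (Status 'fixed') and those with no distro fix yet; two sorted (cve, pkg) lists."""
    threshold = SEVERITY_RANK[min_severity]
    fixed, unfixed = set(), set()
    for pkg, cve, sev, status in os_package_findings(report_json):
        if SEVERITY_RANK.get(sev, 0) >= threshold:
            (fixed if status == "fixed" else unfixed).add((cve, pkg))
    return sorted(fixed), sorted(unfixed)

def gate(report_json, min_severity="HIGH"):
    """CI exit code: 0 clean, 1 pull/rebuild a newer image, 2 findings with no fix yet."""
    fixed, unfixed = triage(report_json, min_severity)
    return 2 if unfixed else (1 if fixed else 0)

if __name__ == "__main__":
    for cve, pkg in triage(SAMPLE_REPORT)[0]:
        print(f"{cve} in {pkg}: fix exists upstream, pull a rebuilt image")
    raise SystemExit(gate(SAMPLE_REPORT))
```

Run it against a real report with `trivy image -f json -o report.json <image>` and feed the file contents to `gate()`; exit code 1 is the "upgrade the whole image" case from the replies, 2 means the distro itself has no fix yet.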