ECK operator 1.3 Security vulnerabilities

Hi Team,

I am using the ECK operator 1.3.0 version docker image to provision the Elastic cluster. When I run the security scan on the ECK docker image there are security vulnerabilities, and all of them come from the Package type. I wanted to make sure whether they are really exploitable, or whether I can ignore them if they are not exploitable. Also, if I want to update any security patches on the same, how do I proceed?
Any guide would really help. Thanks for the help.

Below is the scan report, which shows the security vulnerabilities.

Hi @NK2812

In the future you can mail security@elastic.co with requests such as this.

There are a few things happening here, let me know if anything isn't clear in my response. This is a complex topic.

First, the packages. The current version of ECK is 1.5; we always suggest scanning the latest version, as those containers will have the most updated packages. Elastic supports our products running within updated containers, so you are welcome to run 'microdnf update' on the images to pull in the latest packages from Red Hat.

As for the package flaws themselves, I would not expect any of these to affect ECK. The ECK operator is a statically linked Go executable. It does not rely on operating system packages for its operation. None of these packages should pose any threat to your infrastructure.

Let me know if you have any questions.
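One way to act on the two points in the answer above (sort base-image package findings by whether a `microdnf update` layer can remove them, and confirm that the operator binary requests no dynamic loader and so maps none of the image's shared libraries), as an added example that is not part of this thread or of ECK itself. The Trivy-style JSON layout, the placeholder CVE ids and the constructed minimal ELF image are all assumptions made for the example.

```python
import json
import struct

# Constructed Trivy-style report for the operator image (the JSON layout is an
# assumption about the scanner; the CVE ids are placeholders, not real findings).
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "eck-operator (redhat 8)", "Class": "os-pkgs", "Type": "redhat",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "glibc",
         "InstalledVersion": "2.28-127", "FixedVersion": "2.28-151"},
        {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "openssl-libs",
         "InstalledVersion": "1.1.1g-15", "FixedVersion": ""},
    ]}]})


def triage(report_json):
    """Group base-image package findings: 'fixable' ones go away once a `microdnf
    update` layer pulls the fixed package; 'unfixed' ones can only be tracked."""
    fixable, unfixed = [], []
    for result in json.loads(report_json).get("Results", []):
        if result.get("Class") != "os-pkgs":
            continue  # OS packages only; application dependencies are out of scope
        for v in result.get("Vulnerabilities") or []:
            fixed = v.get("FixedVersion") or None
            (fixable if fixed else unfixed).append((v["VulnerabilityID"], v["PkgName"], fixed))
    return {"fixable": fixable, "unfixed": unfixed}


def is_static_elf(data):
    """True when a 64-bit little-endian ELF image has no PT_INTERP program header:
    no dynamic loader runs, so none of the image's shared libraries (glibc, openssl,
    ...) are mapped at start-up. A CGO_ENABLED=0 Go build has no PT_INTERP."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF image")
    (phoff,) = struct.unpack_from("<Q", data, 32)
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    for i in range(phnum):
        (p_type,) = struct.unpack_from("<I", data, phoff + i * phentsize)
        if p_type == 3:  # PT_INTERP
            return False
    return True


def sample_elf(p_type):
    """Constructed minimal ELF64 with one program header of type `p_type`
    (PT_LOAD=1 or PT_INTERP=3), so the check runs without a real binary."""
    hdr = bytearray(64)
    hdr[:4], hdr[4], hdr[5] = b"\x7fELF", 2, 1   # magic, ELFCLASS64, little-endian
    struct.pack_into("<Q", hdr, 32, 64)          # program headers start right after the header
    struct.pack_into("<HH", hdr, 54, 56, 1)      # one 56-byte program header
    return bytes(hdr) + struct.pack("<I", p_type) + bytes(52)
```

On a real image, read the operator binary out of the container (e.g. with `docker cp`) and pass its bytes to `is_static_elf`; the scanner's own JSON output goes to `triage`.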

Hi @joshbressers

Thank you so much for the reply. I have sent a mail to security@elastic.co about the same.

I tried scanning the 1.5 version image; it also has all the vulnerabilities that 1.3 has.

Below is the scan report for the 1.5 version.