Astronomer Certified Security

Overview

This page is the source of truth for any CVE (Common Vulnerabilities and Exposures) identified within any of our Astronomer Certified Images running Apache Airflow.

Currently, our officially supported Astronomer Certified images are listed in two places:

If you run on Astronomer Cloud or Enterprise, you can refer to our Airflow Versioning Doc for detailed guidelines on how to upgrade between Airflow versions on the platform.

Reporting Vulnerabilities and Security Concerns

Vulnerability reports for Astronomer Certified should be sent to security@astronomer.io. All security concerns, questions and requests should be directed here.

When we receive a request, our dedicated security team will evaluate and validate it. If we confirm a vulnerability, we’ll allocate internal resources towards identifying and publishing a resolution in an updated image. The timeline within which vulnerabilities are addressed will depend on the severity level of the vulnerability and its impact.

Once a resolution has been confirmed, we'll release it in the next major or minor Astronomer Certified image and publish details to this page in the section below.

Note: All other Airflow and product support requests should be directed to Astronomer's Support Portal, where our team's Airflow Engineers are ready to help.

Previously Announced Vulnerabilities

Apache Airflow Core

Columns: CVE | Date | Versions Affected | Description | Remediation

No CVEs core to Apache Airflow have been identified within any Astronomer Certified image at this time.

Astronomer Certified Docker Images

This section lists security-related updates and mitigations in the Astronomer Certified Docker images.

Columns: CVE | Date | Component | Versions Affected | Description | Remediation

CVE: CVE-2020-1967
Date: 2019-12-03
Component: OpenSSL
Versions Affected:
  • 1.10.7-1 to 1.10.7-8
  • 1.10.5-1 to 1.10.5-6
Description: Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension.

The crash occurs if an invalid or unrecognized signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (affected 1.1.1d-1.1.1f). (Details)
Remediation: Use a Docker image with one of the following AC versions:
  • 1.10.7-10
  • 1.10.5-7

CVE: CVE-2019-16168
Date: 2019-09-09
Component: SQLite
Versions Affected: Alpine images with the following AC versions:
  • 1.10.7-1 to 1.10.7-8
  • 1.10.5-1 to 1.10.5-6
Description: In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner." (Details)
Remediation: Use a Docker image with one of the following AC versions:
  • 1.10.7-10
  • 1.10.5-7
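As an added example (not Astronomer's own tooling), the script below turns the two table rows above into a check a platform team can run over the Astronomer Certified image tags they deploy: it parses a tag of the assumed form "<airflow version>-<build>" (e.g. "1.10.7-8", as the rows use), reports which of the listed CVEs apply, and names the remediated build on the same Airflow line. The affected ranges and remediation versions are copied from the table; the `alpine` flag exists because the SQLite row applies only to Alpine-based images.

```python
"""Audit Astronomer Certified (AC) image tags against the CVE table on this page.

Added example, not Astronomer's tooling. Ranges and fixed builds come from the
two table rows; the tag format "<airflow version>-<build>" is assumed from them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TAG_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_tag(tag: str) -> Tuple[int, int, int, int]:
    """Split an AC tag such as '1.10.7-8' into integers that compare correctly
    (so '1.10.7-10' sorts after '1.10.7-8', unlike a plain string compare)."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"not an Astronomer Certified tag: {tag!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    affected: Tuple[Tuple[str, str], ...]  # inclusive (first, last) build ranges
    fixed: Tuple[str, ...]                 # remediated builds listed in the table
    alpine_only: bool = False              # True when the row is scoped to Alpine images


# Data transcribed from the "Astronomer Certified Docker Images" table above.
ADVISORIES = (
    Advisory("CVE-2020-1967", "OpenSSL",
             (("1.10.7-1", "1.10.7-8"), ("1.10.5-1", "1.10.5-6")),
             ("1.10.7-10", "1.10.5-7")),
    Advisory("CVE-2019-16168", "SQLite",
             (("1.10.7-1", "1.10.7-8"), ("1.10.5-1", "1.10.5-6")),
             ("1.10.7-10", "1.10.5-7"),
             alpine_only=True),
)


def affecting(tag: str, alpine: bool = True) -> List[Advisory]:
    """Return every advisory whose affected range includes the given tag.
    Alpine-only rows are skipped when the image is not Alpine-based."""
    t = parse_tag(tag)
    hits = []
    for adv in ADVISORIES:
        if adv.alpine_only and not alpine:
            continue
        if any(parse_tag(first) <= t <= parse_tag(last) for first, last in adv.affected):
            hits.append(adv)
    return hits


def remediation(tag: str, alpine: bool = True) -> Optional[str]:
    """Pick the remediated build on the same Airflow line (major.minor.patch)
    as the tag, or None when no listed advisory applies."""
    hits = affecting(tag, alpine)
    if not hits:
        return None
    line = parse_tag(tag)[:3]
    for fixed in hits[0].fixed:
        if parse_tag(fixed)[:3] == line:
            return fixed
    return None


def report(tag: str, alpine: bool = True) -> str:
    """One human-readable line per tag, suitable for a CI or audit log."""
    hits = affecting(tag, alpine)
    if not hits:
        return f"{tag}: no advisory on this page applies"
    cves = ", ".join(a.cve for a in hits)
    return f"{tag}: affected by {cves}; upgrade to {remediation(tag, alpine)}"


if __name__ == "__main__":
    # Constructed sample tags: two inside the affected ranges, two remediated.
    for sample in ("1.10.7-3", "1.10.5-6", "1.10.7-10", "1.10.5-7"):
        print(report(sample))
```

Tags the page does not mention (for example a build between the last affected build and the listed fix) are reported as having no applicable advisory, which is exactly what the table supports; the script does not guess beyond it.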