I’m currently looking at possibly migrating from a VM based checkmk solution, to a docker based one, and I’m looking at checkmk/check-mk-managed:2.3.0p46
Docker Scout is saying it’s based off an Ubuntu 22.04 image from 2 years ago, with a bunch of vulnerabilities embedded in it?
Is this just a misreport, or is it that far out of date?
appears to be the image used.
185 vulnerabilities found in 61 packages
CRITICAL 4
HIGH 31
MEDIUM 91
LOW 58
UNSPECIFIED 1
It’s correct that the image is based off Ubuntu 22.04, but the Ubuntu gets updated when we build the image. For example, the most critical finding in the page you linked is gnupg in version <2.2.27-3ubuntu2.5; and checkmk/check-mk-managed:2.3.0p46 ships gnupg 2.2.27-3ubuntu2.5, i.e. the version with the fix.
In general, things that are fixed in the base image at the day we build and release the image will be fine. However, anything that is found and fixed after we release the image will remain vulnerable. So if you run via docker and are concerned about security, I would recommend using a newer version of Checkmk where the image is updated more regularly.
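The triage step described in the reply (compare what the image actually ships against the scanner's "fixed in" version, using Debian/Ubuntu version ordering) as an added example; this is not code from the thread or from Checkmk. The version comparison follows the dpkg rules (epoch, then upstream, then revision; `~` sorts before anything), and the sample dpkg-query output and findings are constructed, with only the gnupg line taken from the thread.

```python
import re

def _order(c: str) -> int:
    # dpkg character ordering: '~' before everything (even end of string),
    # end of string and digits at 0, letters by code point, other characters after.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream or revision fragment the way dpkg does."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        for i in range(max(len(na), len(nb))):  # non-digit run, char by char
            d = _order(na[i:i + 1]) - _order(nb[i:i + 1])
            if d:
                return (d > 0) - (d < 0)
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        d = int(da or 0) - int(db or 0)        # numeric run, as integers
        if d:
            return (d > 0) - (d < 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v: str) -> tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into its three parts (epoch defaults to 0)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return (int(epoch), rest, "") if not sep else (int(epoch), upstream, revision)

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under Debian version ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def parse_dpkg_query(output: str) -> dict[str, str]:
    """Parse the output of: dpkg-query -W -f '${Package} ${Version}\\n'."""
    return dict(line.split(None, 1) for line in output.splitlines() if line.strip())

def triage(installed: dict[str, str], findings: list[tuple[str, str]]) -> dict[str, str]:
    """Label each (package, fixed-in version) finding as fixed, vulnerable or absent."""
    return {pkg: "absent" if pkg not in installed
            else "fixed" if compare_versions(installed[pkg], fixed) >= 0
            else "vulnerable" for pkg, fixed in findings}

# Constructed input: only the gnupg line is the value quoted in the thread.
SAMPLE_DPKG = "gnupg 2.2.27-3ubuntu2.5\nlibexample1 1.0.0-1ubuntu0.1\n"
SAMPLE_FINDINGS = [("gnupg", "2.2.27-3ubuntu2.5"), ("libexample1", "1.0.0-1ubuntu0.2")]
```

To triage a real image, feed it the output of `docker run --rm checkmk/check-mk-managed:2.3.0p46 dpkg-query -W -f '${Package} ${Version}\n'` and the scanner's package/fixed-in pairs; anything labelled "vulnerable" is a finding fixed after the image was built, which is exactly the case the reply says a newer image resolves.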