Bitnami Secure Images (BSI) CVEs Expected SLA

Article ID: 435966

Updated On:

Products

Bitnami Premium (Bitnami Secure Images)

Issue/Introduction

Customers may observe that container images delivered through Bitnami Secure Images report Critical or High severity CVEs and may question when they will be fixed.

Cause

The BSI CVE SLA is contingent on a fix being available from the upstream source.

  • Fixes for CVEs categorized as Critical or High will be made available within 2 business days of a verified and stable fix being released by the upstream source.
  • Fixes for Medium or Low severity CVEs will be made available within 30 business days of a verified and stable upstream fix.

Resolution

Determine whether an upstream fix exists

Before escalating, verify the status of each CVE at the upstream source. Confirm whether a patched package has been released by the distribution maintainer.

  • If no upstream fix exists, the SLA has not been breached. Configure BSI email/chat notifications so you are alerted when an updated image is delivered.
  • If an upstream fix exists and 2 business days (Critical/High) or 30 business days (Medium/Low) have elapsed since that fix was released, open a support case with Broadcom.
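
The triage decision above can be scripted over scanner findings. The following is an added example, not Bitnami or Broadcom tooling. It assumes business days are Monday to Friday with no holiday calendar, that the day the window ends still counts as within SLA, and that you have already looked up each upstream fix date yourself; the finding IDs and dates are constructed placeholders.

```python
from datetime import date, timedelta
from typing import Optional

# SLA windows from this article: business days after a verified upstream fix.
SLA_DAYS = {"critical": 2, "high": 2, "medium": 30, "low": 30}

def business_days_since(start: date, today: date) -> int:
    """Count Mon-Fri days after `start`, up to and including `today`.
    Assumption: no holiday calendar (the article does not define one)."""
    count, day = 0, start
    while day < today:
        day += timedelta(days=1)
        if day.weekday() < 5:          # 0-4 are Monday-Friday
            count += 1
    return count

def triage(severity: str, upstream_fix: Optional[date], today: date) -> str:
    """Return 'wait-upstream', 'within-sla' or 'open-case' for one finding."""
    key = severity.strip().lower()
    if key not in SLA_DAYS:
        raise ValueError(f"unknown severity: {severity!r}")
    if upstream_fix is None:
        return "wait-upstream"         # no upstream fix, so no SLA breach
    elapsed = business_days_since(upstream_fix, today)
    # Assumption: the last day of the window is still within SLA.
    return "open-case" if elapsed > SLA_DAYS[key] else "within-sla"

def triage_all(findings, today: date) -> dict:
    """Map each finding id to its triage result."""
    return {f["id"]: triage(f["severity"], f["upstream_fix"], today)
            for f in findings}

# Constructed sample findings; IDs are placeholders, not real CVEs.
SAMPLE = [
    {"id": "CVE-EXAMPLE-1", "severity": "Critical", "upstream_fix": None},
    {"id": "CVE-EXAMPLE-2", "severity": "High", "upstream_fix": date(2024, 6, 7)},
    {"id": "CVE-EXAMPLE-3", "severity": "Medium", "upstream_fix": date(2024, 6, 3)},
]

if __name__ == "__main__":
    for cve, action in triage_all(SAMPLE, date(2024, 6, 12)).items():
        print(cve, action)
```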

Additional Information

Please refer to the documents below for more information, and let us know if you have any follow-up questions or concerns.

Bitnami Secure Images general FAQs

Reports