
Critical security vulnerability in gelf dependencies #88

Open
bartoszkomin opened this issue Nov 29, 2019 · 1 comment

Comments

@bartoszkomin

Hello,
we are using dockerized fluentd with fluent-plugin-gelf-hs, which also uses gelf-rb.
Our vulnerability scanner found CRITICAL: 2, MEDIUM: 21 and HIGH: 7 in gelf-3.1.0.
Could we kindly ask you to upgrade the dependencies to new, secure versions?

Steps to reproduce the issue:

  1. build docker image with Dockerfile
FROM fluent/fluentd:v1.7.4-1.0

# Use root account to use apk
USER root

# below RUN includes plugin as examples elasticsearch is not required
# you may customize including plugins as you wish
RUN apk add --no-cache --update --virtual .build-deps \
        sudo build-base ruby-dev \
 && apk add -U tzdata \
 && sudo gem install fluent-plugin-gelf-hs \
 && sudo gem sources --clear-all \
 && apk del .build-deps \
 && rm -rf /tmp/* /var/tmp/* /usr/lib/ruby/gems/*/cache/*.gem

USER fluent

and build it with: docker build . -t fluentd-gelf

  2. scan the image with dockerized trivy
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd)/cache:/root/.cache/ aquasec/trivy fluentd-gelf

Scan result for gelf is:

usr/lib/ruby/gems/2.5.0/gems/gelf-3.1.0/Gemfile.lock
====================================================
Total: 32 (UNKNOWN: 2, LOW: 0, MEDIUM: 21, HIGH: 7, CRITICAL: 2)

+----------+------------------+----------+-------------------+------------------------------+--------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |        FIXED VERSION         |             TITLE              |
+----------+------------------+----------+-------------------+------------------------------+--------------------------------+
| json     | CVE-2013-0269    | HIGH     | 1.8.6-java        | >= 1.7.7                     | rubygem-json: Denial of        |
|          |                  |          |                   |                              | Service and SQL Injection      |
+          +                  +          +                   +------------------------------+                                +
|          |                  |          |                   | ~> 1.5.5, ~> 1.6.8, >= 1.7.7 |                                |
|          |                  |          |                   |                              |                                |
+          +------------------+----------+                   +------------------------------+--------------------------------+
|          | OSVDB-101157     | UNKNOWN  |                   | >= 1.1.0                     | json Gem for Ruby Data         |
|          |                  |          |                   |                              | Handling Stack Buffer Overflow |
+----------+------------------+----------+-------------------+------------------------------+--------------------------------+
| nokogiri | CVE-2016-4658    | CRITICAL | 1.6.8-java        | >= 1.7.1                     | libxml2: Use after free via    |
|          |                  |          |                   |                              | namespace node in XPointer     |
|          |                  |          |                   |                              | ranges                         |
+          +                  +          +-------------------+                              +                                +
|          |                  |          | 1.6.8             |                              |                                |
|          |                  |          |                   |                              |                                |
|          |                  |          |                   |                              |                                |
+          +------------------+----------+-------------------+------------------------------+--------------------------------+
|          | CVE-2019-5477    | HIGH     | 1.6.8-java        | >= 1.10.4                    | Rexical Command Injection      |
|          |                  |          |                   |                              | Vulnerability                  |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2019-11068   |          |                   | >= 1.10.3                    | libxslt: xsltCheckRead and     |
|          |                  |          |                   |                              | xsltCheckWrite routines        |
|          |                  |          |                   |                              | security bypass by crafted URL |
+          +                  +          +-------------------+                              +                                +
|          |                  |          | 1.6.8             |                              |                                |
|          |                  |          |                   |                              |                                |
|          |                  |          |                   |                              |                                |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2015-5312    |          | 1.6.8-java        | >= 1.6.7.1                   | libxml2: CPU exhaustion when   |
|          |                  |          |                   |                              | processing specially crafted   |
|          |                  |          |                   |                              | XML input                      |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2019-5477    |          | 1.6.8             | >= 1.10.4                    | Rexical Command Injection      |
|          |                  |          |                   |                              | Vulnerability                  |
+          +------------------+----------+-------------------+------------------------------+--------------------------------+
|          | CVE-2015-8806    | MEDIUM   | 1.6.8-java        | >= 1.6.8                     | libxml2: heap-buffer overread  |
|          |                  |          |                   |                              | in dict.c                      |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2019-13117   |          | 1.6.8             | >= 1.10.5                    | libxslt: an xsl number with    |
|          |                  |          |                   |                              | certain format strings could   |
|          |                  |          |                   |                              | lead to a...                   |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2018-8048    |          |                   | >= 1.8.3                     | rubygem-loofah: XSS            |
|          |                  |          |                   |                              | vulnerability due to unescaped |
|          |                  |          |                   |                              | comments within attributes by  |
|          |                  |          |                   |                              | libxml2                        |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2015-1819    |          | 1.6.8-java        | ~> 1.6.6.4, >= 1.6.7.rc4     | libxml2: denial of service     |
|          |                  |          |                   |                              | processing a crafted XML       |
|          |                  |          |                   |                              | document                       |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2018-14404   |          | 1.6.8             | >= 1.8.5                     | libxml2: NULL pointer          |
|          |                  |          |                   |                              | dereference in                 |
|          |                  |          |                   |                              | xpath.c:xmlXPathCompOpEval()   |
|          |                  |          |                   |                              | can allow attackers to cause   |
|          |                  |          |                   |                              | a...                           |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2015-7499    |          | 1.6.8-java        | >= 1.6.7.2                   | libxml2: Heap-based buffer     |
|          |                  |          |                   |                              | overflow in xmlGROW            |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2017-9050    |          | 1.6.8             | >= 1.8.1                     | libxml2: Heap-based buffer     |
|          |                  |          |                   |                              | over-read in function          |
|          |                  |          |                   |                              | xmlDictAddString               |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2017-5029    |          |                   | >= 1.7.2                     | chromium-browser: integer      |
|          |                  |          |                   |                              | overflow in libxslt            |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2017-15412   |          | 1.6.8-java        | >= 1.8.2                     | chromium-browser: use after    |
|          |                  |          |                   |                              | free in libxml                 |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2017-16932   |          |                   | >= 1.8.1                     | libxml2: Infinite recursion in |
|          |                  |          |                   |                              | parameter entities             |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2017-5029    |          |                   | >= 1.7.2                     | chromium-browser: integer      |
|          |                  |          |                   |                              | overflow in libxslt            |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2017-9050    |          |                   | >= 1.8.1                     | libxml2: Heap-based buffer     |
|          |                  |          |                   |                              | over-read in function          |
|          |                  |          |                   |                              | xmlDictAddString               |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2018-14404   |          |                   | >= 1.8.5                     | libxml2: NULL pointer          |
|          |                  |          |                   |                              | dereference in                 |
|          |                  |          |                   |                              | xpath.c:xmlXPathCompOpEval()   |
|          |                  |          |                   |                              | can allow attackers to cause   |
|          |                  |          |                   |                              | a...                           |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2018-8048    |          |                   | >= 1.8.3                     | rubygem-loofah: XSS            |
|          |                  |          |                   |                              | vulnerability due to unescaped |
|          |                  |          |                   |                              | comments within attributes by  |
|          |                  |          |                   |                              | libxml2                        |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2017-16932   |          | 1.6.8             | >= 1.8.1                     | libxml2: Infinite recursion in |
|          |                  |          |                   |                              | parameter entities             |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2019-13117   |          | 1.6.8-java        | >= 1.10.5                    | libxslt: an xsl number with    |
|          |                  |          |                   |                              | certain format strings could   |
|          |                  |          |                   |                              | lead to a...                   |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2017-15412   |          | 1.6.8             | >= 1.8.2                     | chromium-browser: use after    |
|          |                  |          |                   |                              | free in libxml                 |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2013-6460    |          | 1.6.8-java        | ~> 1.5.11, >= 1.6.1          | rubygem-nokogiri: DoS while    |
|          |                  |          |                   |                              | parsing XML documents          |
+          +------------------+          +                   +                              +--------------------------------+
|          | CVE-2013-6461    |          |                   |                              | rubygem-nokogiri: DoS while    |
|          |                  |          |                   |                              | parsing XML entities           |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2012-6685    |          |                   | >= 1.5.4                     | rubygem-nokogiri: XML eXternal |
|          |                  |          |                   |                              | Entity (XXE) flaw              |
+          +------------------+----------+                   +------------------------------+--------------------------------+
|          | OSVDB-118481     | UNKNOWN  |                   | >= 1.6.3                     | Nokogiri Gem for JRuby XML     |
|          |                  |          |                   |                              | Document Root Element Handling |
|          |                  |          |                   |                              | Memory Consumption Remote DoS  |
|          |                  |          |                   |                              | ...                            |
+----------+------------------+----------+-------------------+------------------------------+--------------------------------+
| rack     | CVE-2018-16471   | MEDIUM   | 1.6.4             | ~> 1.6.11, >= 2.0.6          | rubygem-rack: Cross-site       |
|          |                  |          |                   |                              | scripting (XSS) via `scheme`   |
|          |                  |          |                   |                              | method on `Rack::Request`      |
+----------+------------------+----------+-------------------+------------------------------+--------------------------------+

Thank you.
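A triage note on the report above. Trivy keyed every finding on usr/lib/ruby/gems/2.5.0/gems/gelf-3.1.0/Gemfile.lock, a lockfile packaged inside the gem itself, and the "1.6.8-java" pins show that lockfile was resolved on JRuby. The scan output alone does not say which of those pinned gems the fluentd image actually installs and loads at runtime, so before asking for upgrades it is worth comparing the lockfile's pins with the gems that are really present. The shell helper below is an added example, not part of this issue and not code from gelf-rb, fluent-plugin-gelf-hs or fluentd; the sample lockfile and gem list inside demo() are constructed to mirror the report, not copied from a real image.

```shell
#!/bin/sh
# Added triage helper (not from the issue, gelf-rb or fluentd): separate what a
# vendored Gemfile.lock pins from what `gem list --local` says is installed, so
# each scanner finding can be sorted into "present at runtime" or "lockfile only".

# Print "name version" for every gem pinned in the GEM/specs block of a lockfile.
# Gem lines sit at exactly four spaces of indent; their dependencies at six.
lockfile_gems() {
  awk '
    /^GEM$/               { in_gem = 1; next }
    /^[A-Z]/              { in_gem = 0 }
    in_gem && /^    [^ ]/ { v = $2; gsub(/[()]/, "", v); print $1, v }
  ' "$1"
}

# Normalise `gem list --local` output ("json (2.1.0, default: 2.1.0)") into
# one "name version" line per installed version.
installed_gems() {
  awk '{
    name = $1
    sub(/^[^(]*\(/, ""); sub(/\)$/, "")
    n = split($0, vers, ", *")
    for (i = 1; i <= n; i++) { v = vers[i]; sub(/^default: /, "", v); print name, v }
  }' "$1"
}

# Lockfile pins with no matching installed gem+version. Findings against these
# describe code that is not present at runtime; pins that ARE installed remain
# real findings and need a real upgrade.
lockfile_only() {
  lock_tmp=$(mktemp); inst_tmp=$(mktemp)
  lockfile_gems "$1" | LC_ALL=C sort -u > "$lock_tmp"
  installed_gems "$2" | LC_ALL=C sort -u > "$inst_tmp"
  LC_ALL=C comm -23 "$lock_tmp" "$inst_tmp"
  rm -f "$lock_tmp" "$inst_tmp"
}

# Constructed sample data modelled on the scan report above (not from a real image).
# The lockfile pins json 1.8.6, nokogiri 1.6.8 and rack 1.6.4 for both ruby and
# java platforms; the "installed" list has only rack at a matching version.
demo() {
  lock=$(mktemp); list=$(mktemp)
  cat > "$lock" <<'EOF'
GEM
  remote: https://rubygems.org/
  specs:
    json (1.8.6)
    json (1.8.6-java)
    mini_portile2 (2.1.0)
    nokogiri (1.6.8)
      mini_portile2 (~> 2.1.0)
    nokogiri (1.6.8-java)
    rack (1.6.4)

PLATFORMS
  java
  ruby

DEPENDENCIES
  json
  nokogiri
  rack
EOF
  cat > "$list" <<'EOF'
fluentd (1.7.4)
gelf (3.1.0)
json (2.1.0, default: 2.1.0)
rack (1.6.4)
EOF
  lockfile_only "$lock" "$list"
  rm -f "$lock" "$list"
}
```

Against the real image the two inputs come straight out of the container, for example `docker run --rm fluentd-gelf gem list --local > gems.txt` and `docker run --rm fluentd-gelf cat /usr/lib/ruby/gems/2.5.0/gems/gelf-3.1.0/Gemfile.lock > Gemfile.lock`, followed by `lockfile_only Gemfile.lock gems.txt`. Whatever that prints was never installed and can be documented as a lockfile-only finding; whatever it does not print (in the sample, rack 1.6.4) is genuinely on the image and is the part of the report that an upgrade has to address. Comparison is on name plus exact version, so a gem that is installed at a newer, fixed version is correctly reported as lockfile-only rather than as a runtime exposure.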

@ChristianWeissCG

Thanks for the report, I hope it will be fixed fast.
