Hello,
we are using dockerized fluentd with `fluent-plugin-gelf-hs`, which also uses `gelf-rb`.
Our vulnerability scanner found CRITICAL: 2, MEDIUM: 21 and HIGH: 7 in gelf-3.1.0.
Can we kindly ask you to upgrade the dependencies to the new secure versions?
Steps to reproduce the issue:
- build docker image with Dockerfile

  ```Dockerfile
  FROM fluent/fluentd:v1.7.4-1.0
  # Use root account to use apk
  USER root
  # below RUN includes plugin as examples elasticsearch is not required
  # you may customize including plugins as you wish
  RUN apk add --no-cache --update --virtual .build-deps \
          sudo build-base ruby-dev \
      && apk add -U tzdata \
      && sudo gem install fluent-plugin-gelf-hs \
      && sudo gem sources --clear-all \
      && apk del .build-deps \
      && rm -rf /tmp/* /var/tmp/* /usr/lib/ruby/gems/*/cache/*.gem
  USER fluent
  ```

  and build command `docker build . -t fluentd-gelf`
- scan image with dockerized trivy

  ```sh
  docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd)/cache:/root/.cache/ aquasec/trivy fluentd-gelf
  ```
Scan result for gelf is:
usr/lib/ruby/gems/2.5.0/gems/gelf-3.1.0/Gemfile.lock
====================================================
Total: 32 (UNKNOWN: 2, LOW: 0, MEDIUM: 21, HIGH: 7, CRITICAL: 2)
+----------+------------------+----------+-------------------+------------------------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+------------------------------+--------------------------------+
| json | CVE-2013-0269 | HIGH | 1.8.6-java | >= 1.7.7 | rubygem-json: Denial of |
| | | | | | Service and SQL Injection |
+ + + + +------------------------------+ +
| | | | | ~> 1.5.5, ~> 1.6.8, >= 1.7.7 | |
| | | | | | |
+ +------------------+----------+ +------------------------------+--------------------------------+
| | OSVDB-101157 | UNKNOWN | | >= 1.1.0 | json Gem for Ruby Data |
| | | | | | Handling Stack Buffer Overflow |
+----------+------------------+----------+-------------------+------------------------------+--------------------------------+
| nokogiri | CVE-2016-4658 | CRITICAL | 1.6.8-java | >= 1.7.1 | libxml2: Use after free via |
| | | | | | namespace node in XPointer |
| | | | | | ranges |
+ + + +-------------------+ + +
| | | | 1.6.8 | | |
| | | | | | |
| | | | | | |
+ +------------------+----------+-------------------+------------------------------+--------------------------------+
| | CVE-2019-5477 | HIGH | 1.6.8-java | >= 1.10.4 | Rexical Command Injection |
| | | | | | Vulnerability |
+ +------------------+ + +------------------------------+--------------------------------+
| | CVE-2019-11068 | | | >= 1.10.3 | libxslt: xsltCheckRead and |
| | | | | | xsltCheckWrite routines |
| | | | | | security bypass by crafted URL |
+ + + +-------------------+ + +
| | | | 1.6.8 | | |
| | | | | | |
| | | | | | |
+ +------------------+ +-------------------+------------------------------+--------------------------------+
| | CVE-2015-5312 | | 1.6.8-java | >= 1.6.7.1 | libxml2: CPU exhaustion when |
| | | | | | processing specially crafted |
| | | | | | XML input |
+ +------------------+ +-------------------+------------------------------+--------------------------------+
| | CVE-2019-5477 | | 1.6.8 | >= 1.10.4 | Rexical Command Injection |
| | | | | | Vulnerability |
+ +------------------+----------+-------------------+------------------------------+--------------------------------+
| | CVE-2015-8806 | MEDIUM | 1.6.8-java | >= 1.6.8 | libxml2: heap-buffer overread |
| | | | | | in dict.c |
+ +------------------+ +-------------------+------------------------------+--------------------------------+
| | CVE-2019-13117 | | 1.6.8 | >= 1.10.5 | libxslt: an xsl number with |
| | | | | | certain format strings could |
| | | | | | lead to a... |
+ +------------------+ + +------------------------------+--------------------------------+
| | CVE-2018-8048 | | | >= 1.8.3 | rubygem-loofah: XSS |
| | | | | | vulnerability due to unescaped |
| | | | | | comments within attributes by |
| | | | | | libxml2 |
+ +------------------+ +-------------------+------------------------------+--------------------------------+
| | CVE-2015-1819 | | 1.6.8-java | ~> 1.6.6.4, >= 1.6.7.rc4 | libxml2: denial of service |
| | | | | | processing a crafted XML |
| | | | | | document |
+ +------------------+ +-------------------+------------------------------+--------------------------------+
| | CVE-2018-14404 | | 1.6.8 | >= 1.8.5 | libxml2: NULL pointer |
| | | | | | dereference in |
| | | | | | xpath.c:xmlXPathCompOpEval() |
| | | | | | can allow attackers to cause |
| | | | | | a... |
+ +------------------+ +-------------------+------------------------------+--------------------------------+
| | CVE-2015-7499 | | 1.6.8-java | >= 1.6.7.2 | libxml2: Heap-based buffer |
| | | | | | overflow in xmlGROW |
+ +------------------+ +-------------------+------------------------------+--------------------------------+
| | CVE-2017-9050 | | 1.6.8 | >= 1.8.1 | libxml2: Heap-based buffer |
| | | | | | over-read in function |
| | | | | | xmlDictAddString |
+ +------------------+ + +------------------------------+--------------------------------+
| | CVE-2017-5029 | | | >= 1.7.2 | chromium-browser: integer |
| | | | | | overflow in libxslt |
+ +------------------+ +-------------------+------------------------------+--------------------------------+
| | CVE-2017-15412 | | 1.6.8-java | >= 1.8.2 | chromium-browser: use after |
| | | | | | free in libxml |
+ +------------------+ + +------------------------------+--------------------------------+
| | CVE-2017-16932 | | | >= 1.8.1 | libxml2: Infinite recursion in |
| | | | | | parameter entities |
+ +------------------+ + +------------------------------+--------------------------------+
| | CVE-2017-5029 | | | >= 1.7.2 | chromium-browser: integer |
| | | | | | overflow in libxslt |
+ +------------------+ + +------------------------------+--------------------------------+
| | CVE-2017-9050 | | | >= 1.8.1 | libxml2: Heap-based buffer |
| | | | | | over-read in function |
| | | | | | xmlDictAddString |
+ +------------------+ + +------------------------------+--------------------------------+
| | CVE-2018-14404 | | | >= 1.8.5 | libxml2: NULL pointer |
| | | | | | dereference in |
| | | | | | xpath.c:xmlXPathCompOpEval() |
| | | | | | can allow attackers to cause |
| | | | | | a... |
+ +------------------+ + +------------------------------+--------------------------------+
| | CVE-2018-8048 | | | >= 1.8.3 | rubygem-loofah: XSS |
| | | | | | vulnerability due to unescaped |
| | | | | | comments within attributes by |
| | | | | | libxml2 |
+ +------------------+ +-------------------+------------------------------+--------------------------------+
| | CVE-2017-16932 | | 1.6.8 | >= 1.8.1 | libxml2: Infinite recursion in |
| | | | | | parameter entities |
+ +------------------+ +-------------------+------------------------------+--------------------------------+
| | CVE-2019-13117 | | 1.6.8-java | >= 1.10.5 | libxslt: an xsl number with |
| | | | | | certain format strings could |
| | | | | | lead to a... |
+ +------------------+ +-------------------+------------------------------+--------------------------------+
| | CVE-2017-15412 | | 1.6.8 | >= 1.8.2 | chromium-browser: use after |
| | | | | | free in libxml |
+ +------------------+ +-------------------+------------------------------+--------------------------------+
| | CVE-2013-6460 | | 1.6.8-java | ~> 1.5.11, >= 1.6.1 | rubygem-nokogiri: DoS while |
| | | | | | parsing XML documents |
+ +------------------+ + + +--------------------------------+
| | CVE-2013-6461 | | | | rubygem-nokogiri: DoS while |
| | | | | | parsing XML entities |
+ +------------------+ + +------------------------------+--------------------------------+
| | CVE-2012-6685 | | | >= 1.5.4 | rubygem-nokogiri: XML eXternal |
| | | | | | Entity (XXE) flaw |
+ +------------------+----------+ +------------------------------+--------------------------------+
| | OSVDB-118481 | UNKNOWN | | >= 1.6.3 | Nokogiri Gem for JRuby XML |
| | | | | | Document Root Element Handling |
| | | | | | Memory Consumption Remote DoS |
| | | | | | ... |
+----------+------------------+----------+-------------------+------------------------------+--------------------------------+
| rack | CVE-2018-16471 | MEDIUM | 1.6.4 | ~> 1.6.11, >= 2.0.6 | rubygem-rack: Cross-site |
| | | | | | scripting (XSS) via `scheme` |
| | | | | | method on `Rack::Request` |
+----------+------------------+----------+-------------------+------------------------------+--------------------------------+
Thank you.