aws/aws-for-fluent-bit

CVE-2023-38545 and CVE-2023-38545 vulnerabilities

egorchabala opened this issue · 17 comments

Multiple security scanning tools reported that the aws-for-fluentbit Docker image might be vulnerable to the following vulnerability:

Is there a schedule for a new release with a patched base image?

I got this:

147dda285fd4:fluent-bit wppttt$ trivy image public.ecr.aws/aws-observability/aws-for-fluent-bit:2.31.12.20231011
2023-10-18T17:56:29.579-0700	INFO	Vulnerability scanning is enabled
2023-10-18T17:56:29.579-0700	INFO	Secret scanning is enabled
2023-10-18T17:56:29.579-0700	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-18T17:56:29.579-0700	INFO	Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection
2023-10-18T17:57:49.052-0700	INFO	Detected OS: amazon
2023-10-18T17:57:49.052-0700	INFO	Detecting Amazon Linux vulnerabilities...
2023-10-18T17:57:49.065-0700	INFO	Number of language-specific files: 0

public.ecr.aws/aws-observability/aws-for-fluent-bit:2.31.12.20231011 (amazon 2 (Karoo))

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬────────────────────┬────────────────────┬──────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Installed Version  │   Fixed Version    │                            Title                             │
├────────────┼────────────────┼──────────┼────────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ libnghttp2 │ CVE-2023-44487 │ HIGH     │ 1.41.0-1.amzn2.0.3 │ 1.41.0-1.amzn2.0.4 │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│            │                │          │                    │                    │ attack (Rapid...                                             │
│            │                │          │                    │                    │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└────────────┴────────────────┴──────────┴────────────────────┴────────────────────┴──────────────────────────────────────────────────────────────┘

The above CVE does not impact AWS Fluent Bit use cases, as it is not used as a web server.

CVE-2023-38545
CVE-2023-38546

These are marked as important and low severity. We typically only do re-builds for high/critical severity.

@PettitWesley Is this solved with the 2.32.0 version?

As patching becomes more important every day, why not do re-builds when flaws are found? I don't want to speak too confidently because I don't know how much work rebuilding the image is, but these flaws will still show up on security scorecards, even if they can't be exploited.
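The exchange above comes down to two policies: the maintainers rebuild only for HIGH/CRITICAL findings and treat CVE-2023-44487 as not applicable because Fluent Bit is not run as an HTTP/2 web server, while the scanners (and the scorecards built on them) keep listing every unpatched package. The following Python script is an added example, not code from the aws-for-fluent-bit project or from anyone in this thread. It parses reports in the shape `trivy image --format json` produces (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `Severity`, `InstalledVersion`, `FixedVersion`), applies a severity threshold, records accepted-risk exceptions together with their justification so a waived CVE stays visible rather than silently disappearing, and diffs two reports to show what a rebuild on a fresher base image removed. The three embedded reports are constructed from the rows quoted in this issue and are trimmed to a handful of entries.

```python
"""Severity gate and report diff over Trivy JSON output (added example)."""
import json

# Constructed sample reports. The structure mirrors trivy's JSON report
# (Results[].Vulnerabilities[]); rows are taken from the tables quoted in
# the issue, trimmed to a few entries. Trivy omits "Vulnerabilities" when a
# target has no findings, which the "latest" report reproduces.
REPORT_2_31_12 = json.dumps({
    "ArtifactName": "public.ecr.aws/aws-observability/aws-for-fluent-bit:2.31.12.20231011",
    "Results": [{"Target": "aws-for-fluent-bit:2.31.12.20231011 (amazon 2 (Karoo))",
                 "Class": "os-pkgs", "Type": "amazon",
                 "Vulnerabilities": [
                     {"VulnerabilityID": "CVE-2023-44487", "PkgName": "libnghttp2", "Severity": "HIGH",
                      "InstalledVersion": "1.41.0-1.amzn2.0.3", "FixedVersion": "1.41.0-1.amzn2.0.4"}]}]})

REPORT_STABLE = json.dumps({
    "ArtifactName": "public.ecr.aws/aws-observability/aws-for-fluent-bit:stable",
    "Results": [{"Target": "aws-for-fluent-bit:stable (amazon 2 (Karoo))",
                 "Class": "os-pkgs", "Type": "amazon",
                 "Vulnerabilities": [
                     {"VulnerabilityID": "CVE-2023-46218", "PkgName": "curl", "Severity": "MEDIUM",
                      "InstalledVersion": "8.3.0-1.amzn2.0.4", "FixedVersion": "8.3.0-1.amzn2.0.5"},
                     {"VulnerabilityID": "CVE-2023-46219", "PkgName": "curl", "Severity": "MEDIUM",
                      "InstalledVersion": "8.3.0-1.amzn2.0.4", "FixedVersion": "8.3.0-1.amzn2.0.5"},
                     {"VulnerabilityID": "CVE-2023-4156", "PkgName": "gawk", "Severity": "LOW",
                      "InstalledVersion": "4.0.2-4.amzn2.1.2", "FixedVersion": "4.0.2-4.amzn2.1.3"},
                     {"VulnerabilityID": "CVE-2023-44487", "PkgName": "libnghttp2", "Severity": "HIGH",
                      "InstalledVersion": "1.41.0-1.amzn2.0.3", "FixedVersion": "1.41.0-1.amzn2.0.4"},
                     {"VulnerabilityID": "CVE-2023-45322", "PkgName": "libxml2", "Severity": "HIGH",
                      "InstalledVersion": "2.9.1-6.amzn2.5.12", "FixedVersion": "2.9.1-6.amzn2.5.13"}]}]})

REPORT_LATEST = json.dumps({
    "ArtifactName": "public.ecr.aws/aws-observability/aws-for-fluent-bit:latest",
    "Results": [{"Target": "aws-for-fluent-bit:latest (amazon 2 (Karoo))",
                 "Class": "os-pkgs", "Type": "amazon"}]})

# Accepted-risk exceptions, keyed by CVE, with the reason kept beside the gate so
# it survives review. A waived CVE still shows up in scanner output and on
# scorecards; only this gate stops treating it as a blocker.
ACCEPTED_RISK = {
    "CVE-2023-44487": "HTTP/2 Rapid Reset targets HTTP/2 servers; Fluent Bit is not run as a "
                      "web server (maintainer statement in this issue)",
}

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report_json):
    """Flatten a trivy report into (cve, pkg, severity, installed, fixed) tuples."""
    report = json.loads(report_json)
    rows = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key absent when clean
            rows.append((v["VulnerabilityID"], v["PkgName"], v.get("Severity", "UNKNOWN"),
                         v.get("InstalledVersion", ""), v.get("FixedVersion", "")))
    return rows


def gate(report_json, threshold="HIGH", accepted=ACCEPTED_RISK):
    """Split findings at or above `threshold` into blocking ones and waived ones.

    Returns (blocking, waived); waived entries carry their justification.
    """
    blocking, waived = [], []
    for row in findings(report_json):
        cve, _, severity, _, _ = row
        if SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[threshold]:
            continue
        if cve in accepted:
            waived.append((row, accepted[cve]))
        else:
            blocking.append(row)
    return blocking, waived


def severity_counts(report_json):
    """Per-severity totals, the same numbers trivy prints in its 'Total:' line."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for _, _, severity, _, _ in findings(report_json):
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def newly_fixed(old_json, new_json):
    """CVEs listed in the old report but not in the new one: what a rebuild removed."""
    old = {row[0] for row in findings(old_json)}
    new = {row[0] for row in findings(new_json)}
    return sorted(old - new)


if __name__ == "__main__":
    for name, report in (("2.31.12", REPORT_2_31_12), ("stable", REPORT_STABLE), ("latest", REPORT_LATEST)):
        blocking, waived = gate(report)
        print(f"{name}: counts={severity_counts(report)} blocking={[b[0] for b in blocking]}")
        for row, why in waived:
            print(f"  waived {row[0]} in {row[1]}: {why}")
    print("fixed by moving stable -> latest:", newly_fixed(REPORT_STABLE, REPORT_LATEST))
```

With the HIGH threshold the 2.31.12 report produces no blocker (its only finding is waived with a recorded reason), the stable report still blocks on libxml2, and lowering the threshold to MEDIUM adds the two curl findings, which is the point the scorecard comment makes: the gate decides what forces a rebuild, the scan output does not change.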

Here's the info for latest and stable.

Note the latest has zero vulns listed and stable has 81. A fresh stable release would be hugely beneficial.

latest

james:~$ trivy image public.ecr.aws/aws-observability/aws-for-fluent-bit:latest
2024-01-30T18:23:38.725-0800    INFO    Vulnerability scanning is enabled
2024-01-30T18:23:38.725-0800    INFO    Secret scanning is enabled
2024-01-30T18:23:38.725-0800    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-30T18:23:38.725-0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-30T18:23:39.630-0800    INFO    Detected OS: amazon
2024-01-30T18:23:39.630-0800    INFO    Detecting Amazon Linux vulnerabilities...
2024-01-30T18:23:39.642-0800    INFO    Number of language-specific files: 0

public.ecr.aws/aws-observability/aws-for-fluent-bit:latest (amazon 2 (Karoo))

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

stable

james:~$ trivy image public.ecr.aws/aws-observability/aws-for-fluent-bit:stable
2024-01-30T18:25:00.180-0800    INFO    Vulnerability scanning is enabled
2024-01-30T18:25:00.180-0800    INFO    Secret scanning is enabled
2024-01-30T18:25:00.180-0800    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-30T18:25:00.180-0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-30T18:25:00.945-0800    INFO    Detected OS: amazon
2024-01-30T18:25:00.945-0800    INFO    Detecting Amazon Linux vulnerabilities...
2024-01-30T18:25:00.954-0800    INFO    Number of language-specific files: 0

public.ecr.aws/aws-observability/aws-for-fluent-bit:stable (amazon 2 (Karoo))

Total: 81 (UNKNOWN: 0, LOW: 19, MEDIUM: 58, HIGH: 4, CRITICAL: 0)

┌────────────────────┬────────────────┬──────────┬────────┬──────────────────────────┬──────────────────────────┬──────────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │ Status │    Installed Version     │      Fixed Version       │                            Title                             │
├────────────────────┼────────────────┼──────────┼────────┼──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ curl               │ CVE-2023-46218 │ MEDIUM   │ fixed  │ 8.3.0-1.amzn2.0.4        │ 8.3.0-1.amzn2.0.5        │ curl: information disclosure by exploiting a mixed case flaw │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-46218                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-46219 │          │        │                          │                          │ curl: excessively long file name may lead to unknown HSTS    │
│                    │                │          │        │                          │                          │ status                                                       │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-46219                   │
├────────────────────┼────────────────┤          │        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ dbus               │ CVE-2023-34969 │          │        │ 1:1.10.24-7.amzn2.0.3    │ 1:1.10.24-7.amzn2.0.4    │ dbus: dbus-daemon: assertion failure when a monitor is       │
│                    │                │          │        │                          │                          │ active and a message...                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-34969                   │
├────────────────────┤                │          │        │                          │                          │                                                              │
│ dbus-libs          │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ gawk               │ CVE-2023-4156  │ LOW      │        │ 4.0.2-4.amzn2.1.2        │ 4.0.2-4.amzn2.1.3        │ gawk: heap out of bound read in builtin.c                    │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-4156                    │
├────────────────────┼────────────────┤          │        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ gmp                │ CVE-2021-43618 │          │        │ 1:6.0.0-15.amzn2.0.2     │ 1:6.0.0-15.amzn2.0.3     │ gmp: Integer overflow and resultant buffer overflow via      │
│                    │                │          │        │                          │                          │ crafted input                                                │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-43618                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl            │ CVE-2023-46218 │ MEDIUM   │        │ 8.3.0-1.amzn2.0.4        │ 8.3.0-1.amzn2.0.5        │ curl: information disclosure by exploiting a mixed case flaw │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-46218                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-46219 │          │        │                          │                          │ curl: excessively long file name may lead to unknown HSTS    │
│                    │                │          │        │                          │                          │ status                                                       │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-46219                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libnghttp2         │ CVE-2023-44487 │ HIGH     │        │ 1.41.0-1.amzn2.0.3       │ 1.41.0-1.amzn2.0.4       │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                    │                │          │        │                          │                          │ to a DDoS attack...                                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libsepol           │ CVE-2021-36084 │ MEDIUM   │        │ 2.5-8.1.amzn2.0.2        │ 2.5-10.amzn2.0.1         │ libsepol: use-after-free in __cil_verify_classperms()        │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36084                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2021-36085 │          │        │                          │                          │ libsepol: use-after-free in __cil_verify_classperms()        │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36085                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2021-36086 │          │        │                          │                          │ use-after-free in cil_reset_classpermission()                │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36086                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2021-36087 │          │        │                          │                          │ libsepol: heap-based buffer overflow in ebitmap_match_any()  │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36087                   │
├────────────────────┼────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│ libsepol-devel     │ CVE-2021-36084 │          │        │                          │                          │ libsepol: use-after-free in __cil_verify_classperms()        │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36084                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2021-36085 │          │        │                          │                          │ libsepol: use-after-free in __cil_verify_classperms()        │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36085                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2021-36086 │          │        │                          │                          │ use-after-free in cil_reset_classpermission()                │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36086                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2021-36087 │          │        │                          │                          │ libsepol: heap-based buffer overflow in ebitmap_match_any()  │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36087                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2            │ CVE-2023-45322 │ HIGH     │        │ 2.9.1-6.amzn2.5.12       │ 2.9.1-6.amzn2.5.13       │ libxml2: use-after-free in xmlUnlinkNode() in tree.c         │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-45322                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ncurses            │ CVE-2019-17594 │ MEDIUM   │        │ 6.0-8.20170212.amzn2.1.5 │ 6.0-8.20170212.amzn2.1.6 │ heap-based buffer overflow in the _nc_find_entry function in │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c                                            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2019-17594                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2019-17595 │          │        │                          │                          │ heap-based buffer overflow in the fmt_entry function in      │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c                                            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2019-17595                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19185 │          │        │                          │                          │ ncurses: Heap buffer overflow in one_one_mapping function in │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1373                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19185                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19186 │          │        │                          │                          │ ncurses: Buffer overflow in _nc_find_entry function in       │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c:66                                         │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19186                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19187 │          │        │                          │                          │ ncurses: Heap buffer overflow in fmt_entry function in       │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1100                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19187                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19188 │          │        │                          │                          │ ncurses: Stack buffer overflow in fmt_entry function in      │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1116                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19188                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19189 │          │        │                          │                          │ ncurses: Heap buffer overflow in postprocess_terminfo        │
│                    │                │          │        │                          │                          │ function in tinfo/parse_entry.c:997                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19189                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19190 │          │        │                          │                          │ ncurses: Heap buffer overflow in _nc_find_entry in           │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c:70                                         │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19190                   │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-50495 │          │        │                          │ 6.0-8.20170212.amzn2.1.7 │ ncurses: segmentation fault via _nc_wrap_entry()             │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-50495                   │
├────────────────────┼────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ncurses-base       │ CVE-2019-17594 │          │        │                          │ 6.0-8.20170212.amzn2.1.6 │ heap-based buffer overflow in the _nc_find_entry function in │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c                                            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2019-17594                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2019-17595 │          │        │                          │                          │ heap-based buffer overflow in the fmt_entry function in      │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c                                            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2019-17595                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19185 │          │        │                          │                          │ ncurses: Heap buffer overflow in one_one_mapping function in │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1373                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19185                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19186 │          │        │                          │                          │ ncurses: Buffer overflow in _nc_find_entry function in       │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c:66                                         │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19186                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19187 │          │        │                          │                          │ ncurses: Heap buffer overflow in fmt_entry function in       │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1100                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19187                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19188 │          │        │                          │                          │ ncurses: Stack buffer overflow in fmt_entry function in      │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1116                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19188                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19189 │          │        │                          │                          │ ncurses: Heap buffer overflow in postprocess_terminfo        │
│                    │                │          │        │                          │                          │ function in tinfo/parse_entry.c:997                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19189                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19190 │          │        │                          │                          │ ncurses: Heap buffer overflow in _nc_find_entry in           │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c:70                                         │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19190                   │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-50495 │          │        │                          │ 6.0-8.20170212.amzn2.1.7 │ ncurses: segmentation fault via _nc_wrap_entry()             │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-50495                   │
├────────────────────┼────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ncurses-libs       │ CVE-2019-17594 │          │        │                          │ 6.0-8.20170212.amzn2.1.6 │ heap-based buffer overflow in the _nc_find_entry function in │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c                                            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2019-17594                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2019-17595 │          │        │                          │                          │ heap-based buffer overflow in the fmt_entry function in      │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c                                            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2019-17595                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19185 │          │        │                          │                          │ ncurses: Heap buffer overflow in one_one_mapping function in │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1373                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19185                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19186 │          │        │                          │                          │ ncurses: Buffer overflow in _nc_find_entry function in       │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c:66                                         │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19186                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19187 │          │        │                          │                          │ ncurses: Heap buffer overflow in fmt_entry function in       │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1100                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19187                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19188 │          │        │                          │                          │ ncurses: Stack buffer overflow in fmt_entry function in      │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1116                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19188                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19189 │          │        │                          │                          │ ncurses: Heap buffer overflow in postprocess_terminfo        │
│                    │                │          │        │                          │                          │ function in tinfo/parse_entry.c:997                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19189                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19190 │          │        │                          │                          │ ncurses: Heap buffer overflow in _nc_find_entry in           │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c:70                                         │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19190                   │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-50495 │          │        │                          │ 6.0-8.20170212.amzn2.1.7 │ ncurses: segmentation fault via _nc_wrap_entry()             │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-50495                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ nmap-ncat          │ CVE-2018-15173 │ LOW      │        │ 2:6.40-13.amzn2          │ 2:6.40-19.amzn2.0.1      │ nmap: Stack exhausation when -sV option is used allows for   │
│                    │                │          │        │                          │                          │ DoS                                                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2018-15173                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ nss-softokn        │ CVE-2023-5388  │ MEDIUM   │        │ 3.79.0-4.amzn2           │ 3.90.0-6.amzn2.0.1       │ nss: timing attack against RSA decryption                    │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5388                    │
├────────────────────┤                │          │        │                          │                          │                                                              │
│ nss-softokn-freebl │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
├────────────────────┼────────────────┤          │        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ openssl-libs       │ CVE-2023-5678  │          │        │ 1:1.0.2k-24.amzn2.0.9    │ 1:1.0.2k-24.amzn2.0.11   │ openssl: Generating excessively long X9.42 DH keys or        │
│                    │                │          │        │                          │                          │ checking excessively long X9.42...                           │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5678                    │
├────────────────────┤                │          │        ├──────────────────────────┼──────────────────────────┤                                                              │
│ openssl11-devel    │                │          │        │ 1:1.1.1g-12.amzn2.0.18   │ 1:1.1.1g-12.amzn2.0.19   │                                                              │
│                    │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
├────────────────────┤                │          │        │                          │                          │                                                              │
│ openssl11-libs     │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ python             │ CVE-2022-48565 │ HIGH     │        │ 2.7.18-1.amzn2.0.6       │ 2.7.18-1.amzn2.0.7       │ python: XML External Entity in XML processing plistlib       │
│                    │                │          │        │                          │                          │ module                                                       │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2022-48565                   │
│                    ├────────────────┼──────────┤        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2022-48566 │ MEDIUM   │        │                          │ 2.7.18-1.amzn2.0.8       │ python: constant-time-defeating optimisations issue in the   │
│                    │                │          │        │                          │                          │ compare_digest function in Lib/hmac.p                        │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2022-48566                   │
├────────────────────┼────────────────┼──────────┤        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ python-libs        │ CVE-2022-48565 │ HIGH     │        │                          │ 2.7.18-1.amzn2.0.7       │ python: XML External Entity in XML processing plistlib       │
│                    │                │          │        │                          │                          │ module                                                       │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2022-48565                   │
│                    ├────────────────┼──────────┤        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2022-48566 │ MEDIUM   │        │                          │ 2.7.18-1.amzn2.0.8       │ python: constant-time-defeating optimisations issue in the   │
│                    │                │          │        │                          │                          │ compare_digest function in Lib/hmac.p                        │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2022-48566                   │
├────────────────────┼────────────────┤          │        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ vim-data           │ CVE-2023-46246 │          │        │ 2:9.0.1882-1.amzn2.0.1   │ 2:9.0.2081-1.amzn2.0.1   │ vim: Integer Overflow in :history command                    │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-46246                   │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-5344  │          │        │                          │ 2:9.0.1882-1.amzn2.0.2   │ vim: Heap-based Buffer Overflow in trunc_string()            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5344                    │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-5441  │          │        │                          │ 2:9.0.1882-1.amzn2.0.3   │ NULL pointer dereference in screen_line() in src/screen.c    │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5441                    │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-5535  │          │        │                          │                          │ vim: use after free                                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5535                    │
│                    ├────────────────┼──────────┤        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48231 │ LOW      │        │                          │ 2:9.0.2120-1.amzn2.0.1   │ vim: use after free in win_close()                           │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48231                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48232 │          │        │                          │                          │ vim: floating point exception in adjust_plines_for_skipcol() │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48232                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48233 │          │        │                          │                          │ vim: overflow with count for :s command                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48233                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48234 │          │        │                          │                          │ vim: overflow in nv_z_get_count                              │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48234                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48235 │          │        │                          │                          │ vim: overflow in ex address parsing                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48235                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48236 │          │        │                          │                          │ vim: overflow in get_number                                  │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48236                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48237 │          │        │                          │                          │ vim: buffer overflow in shift_line                           │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48237                   │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48706 │          │        │                          │ 2:9.0.2153-1.amzn2.0.1   │ vim: use-after-free in ex_substitute in Vim                  │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48706                   │
├────────────────────┼────────────────┼──────────┤        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ vim-minimal        │ CVE-2023-46246 │ MEDIUM   │        │                          │ 2:9.0.2081-1.amzn2.0.1   │ vim: Integer Overflow in :history command                    │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-46246                   │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-5344  │          │        │                          │ 2:9.0.1882-1.amzn2.0.2   │ vim: Heap-based Buffer Overflow in trunc_string()            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5344                    │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-5441  │          │        │                          │ 2:9.0.1882-1.amzn2.0.3   │ NULL pointer dereference in screen_line() in src/screen.c    │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5441                    │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-5535  │          │        │                          │                          │ vim: use after free                                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5535                    │
│                    ├────────────────┼──────────┤        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48231 │ LOW      │        │                          │ 2:9.0.2120-1.amzn2.0.1   │ vim: use after free in win_close()                           │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48231                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48232 │          │        │                          │                          │ vim: floating point exception in adjust_plines_for_skipcol() │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48232                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48233 │          │        │                          │                          │ vim: overflow with count for :s command                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48233                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48234 │          │        │                          │                          │ vim: overflow in nv_z_get_count                              │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48234                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48235 │          │        │                          │                          │ vim: overflow in ex address parsing                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48235                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48236 │          │        │                          │                          │ vim: overflow in get_number                                  │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48236                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48237 │          │        │                          │                          │ vim: buffer overflow in shift_line                           │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48237                   │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48706 │          │        │                          │ 2:9.0.2153-1.amzn2.0.1   │ vim: use-after-free in ex_substitute in Vim                  │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48706                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ zlib               │ CVE-2023-45853 │ MEDIUM   │        │ 1.2.7-19.amzn2.0.2       │ 1.2.7-19.amzn2.0.3       │ zlib: integer overflow and resultant heap-based buffer       │
│                    │                │          │        │                          │                          │ overflow in zipOpenNewFileInZip4_6                           │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-45853                   │
├────────────────────┤                │          │        │                          │                          │                                                              │
│ zlib-devel         │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
└────────────────────┴────────────────┴──────────┴────────┴──────────────────────────┴──────────────────────────┴──────────────────────────────────────────────────────────────┘
surola commented

Hi, when are you planning to release a new version with these fixes?

It's worth mentioning that both latest and stable have the same two CVEs. See the output below:

james~:trivy image public.ecr.aws/aws-observability/aws-for-fluent-bit:stable
2024-02-16T16:22:04.698-0800    INFO    Vulnerability scanning is enabled
2024-02-16T16:22:04.698-0800    INFO    Secret scanning is enabled
2024-02-16T16:22:04.698-0800    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-16T16:22:04.698-0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-16T16:22:05.391-0800    INFO    Detected OS: amazon
2024-02-16T16:22:05.391-0800    INFO    Detecting Amazon Linux vulnerabilities...
2024-02-16T16:22:05.403-0800    INFO    Number of language-specific files: 0

public.ecr.aws/aws-observability/aws-for-fluent-bit:stable (amazon 2 (Karoo))

Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 3, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬────────┬────────────────────┬────────────────────┬──────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Status │ Installed Version  │   Fixed Version    │                        Title                         │
├─────────────┼────────────────┼──────────┼────────┼────────────────────┼────────────────────┼──────────────────────────────────────────────────────┤
│ nss         │ CVE-2023-7104  │ HIGH     │ fixed  │ 3.90.0-2.amzn2.0.1 │ 3.90.0-2.amzn2.0.2 │ sqlite: heap-buffer-overflow at sessionfuzz          │
│             │                │          │        │                    │                    │ https://avd.aquasec.com/nvd/cve-2023-7104            │
├─────────────┤                │          │        │                    │                    │                                                      │
│ nss-sysinit │                │          │        │                    │                    │                                                      │
│             │                │          │        │                    │                    │                                                      │
├─────────────┤                │          │        │                    │                    │                                                      │
│ nss-tools   │                │          │        │                    │                    │                                                      │
│             │                │          │        │                    │                    │                                                      │
├─────────────┼────────────────┼──────────┤        ├────────────────────┼────────────────────┼──────────────────────────────────────────────────────┤
│ pam         │ CVE-2024-22365 │ LOW      │        │ 1.1.8-23.amzn2.0.1 │ 1.1.8-23.amzn2.0.2 │ pam: allowing unpriledged user to block another user │
│             │                │          │        │                    │                    │ namespace                                            │
│             │                │          │        │                    │                    │ https://avd.aquasec.com/nvd/cve-2024-22365           │
└─────────────┴────────────────┴──────────┴────────┴────────────────────┴────────────────────┴──────────────────────────────────────────────────────┘

@jamespfluger-ava I'm working on trying to set up an automatic workflow to re-build and re-release the latest image for linux, as for example here: https://github.com/aws/aws-for-fluent-bit/releases/tag/v2.32.0.20240304

  1. We will only automatically rebuild the latest image
  2. We are not sure what frequency to rebuild at. Thoughts? While it'd be nice to have it re-build every time there is a scan finding, we might just go with some time interval to keep it simple.
  3. The re-built images are just the old image, with the same code compiled on an updated amazon linux base. We will therefore not perform our typical testing on re-built images: https://github.com/aws/aws-for-fluent-bit?tab=readme-ov-file#aws-distro-for-fluent-bit-release-testing

@PettitWesley I'd love an automatic workflow. For now I've switched to using Chainguard's image for aws-for-fluent-bit as that had zero CVEs at the time.

Your points

1 - Automating rebuilding the latest image is a good idea
2a - I agree that the ideal scenario is when a new finding is found. You could possibly use a scanning tool (such as Trivy or Docker Scout or one of many others) to see if there are any vulnerabilities, and if there are take a few steps: rebuild the image, see if the vulns are still there, and if so do NOT push the image and create a GitHub issue with a security label.
2b - ALTERNATIVELY - simply do a rebuild once daily. I would personally tag this as latest and not necessarily stable, as stable should be pushed once a latest image is proven to be stable, but that's out of my area of expertise
3 - Not re-testing the code makes sense, unless some of the code relies upon a package and a package upgrade breaks something

My thoughts

Ideally, rebuild the image if there's a new vuln found and rebuild the image (and if that doesn't fix it auto-create a new GitHub issue)
Otherwise rebuilding the image daily would be ideal.

Remember this:

Software is just like milk. It goes bad over time. Smell your software as often as you can, and fix the smells as soon as they appear.

Sorry, this is not relevant to the reported CVE, but it's about rebuilding.

aikido.dev reports CVE-2023-39323, CVE-2023-39325, CVE-2023-45285 and more because go1.20.7 is used. Would it be possible to build with a newer go version?

They use syft which gives them the following SBOM.

syft public.ecr.aws/aws-observability/aws-for-fluent-bit:init-latest

....
stdlib                                                 go1.20.7                            go-module
....

@eigan unfortunately, we had to lock go to 1.20.7 last year because of this issue, which entirely stops Fluent Bit Go plugins from working:

I haven't checked on this for a little while though and I will see if a newer go version resolves the issue. If not, I'll open a tracking issue for this.

Also, the trivy image scan in our pipeline is a good idea @jamespfluger-ava. Thanks. Maybe I should make the pipeline pull the latest re-build, scan it, and if there are findings, then build a new image and release it. Maybe also check if the number of findings on the new re-build is lower than on the older one.

@PettitWesley regarding the number of findings - that's a good idea, but I would go as far as to say to never release an image with critical or high findings. Of course low + mediums can always be strung together to perform an attack, but it's less likely than a high/critical.

Appreciate y'all taking this seriously!
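
The release gate sketched in the two comments above (scan the published image and the rebuild, never push a rebuild that still has HIGH/CRITICAL findings, open an issue instead, and check that the rebuild does not carry more findings than what is already published) as an added Python example; this is not aws-for-fluent-bit's code. It consumes the `trivy image --format json` report shape (`Results[].Vulnerabilities[]`), and the sample reports are constructed here from the `:stable` findings shown in this thread plus one clearly marked placeholder CVE.

```python
"""Release gate for rebuilt images, driven by Trivy JSON reports.

Policy from the thread: scan the published image and the fresh rebuild,
never publish a rebuild that still carries HIGH/CRITICAL findings (open a
tracking issue instead), and hold a rebuild that has more findings than
the image already published.
"""
from collections import Counter

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


def findings(report: dict) -> list[dict]:
    """Flatten every vulnerability in a Trivy JSON report.

    Trivy leaves out the "Vulnerabilities" key when a target is clean, so
    the lookup must tolerate a missing key or an explicit null (the jq
    one-liner in the thread relies on `null | length` being 0 for the
    same reason).
    """
    out = []
    for result in report.get("Results", []):
        out.extend(result.get("Vulnerabilities") or [])
    return out


def severity_counts(report: dict) -> Counter:
    """Per-severity totals, the same numbers Trivy prints on its 'Total:' line."""
    return Counter(v["Severity"] for v in findings(report))


def blocking_ids(report: dict) -> list[str]:
    """Sorted IDs of HIGH/CRITICAL findings."""
    return sorted({v["VulnerabilityID"] for v in findings(report)
                   if v["Severity"] in BLOCKING_SEVERITIES})


def unfixable_ids(report: dict) -> list[str]:
    """Findings the distro has not shipped a fix for yet.

    A rebuild only picks up packages already published by the base
    distro, so these cannot be cleared by rebuilding; the tracking issue
    should call them out separately from findings a rebuild should fix.
    """
    return sorted({v["VulnerabilityID"] for v in findings(report)
                   if not v.get("FixedVersion")})


def release_decision(published: dict, rebuilt: dict) -> tuple[str, str]:
    """Return (action, reason); action is publish, hold or open_issue."""
    blockers = blocking_ids(rebuilt)
    if blockers:
        reason = "rebuild still has HIGH/CRITICAL findings: " + ", ".join(blockers)
        stuck = unfixable_ids(rebuilt)
        if stuck:
            reason += "; no distro fix yet for: " + ", ".join(stuck)
        return "open_issue", reason
    before, after = len(findings(published)), len(findings(rebuilt))
    if after > before:
        return "hold", f"rebuild has {after} findings, published image has {before}"
    return "publish", f"findings {before} -> {after}, none HIGH/CRITICAL"


def _report(vulns: list[dict]) -> dict:
    """Build a minimal Trivy-shaped report (constructed sample, not a real scan)."""
    result = {"Target": "aws-for-fluent-bit:stable (amazon 2 (Karoo))",
              "Class": "os-pkgs", "Type": "amazon"}
    if vulns:  # Trivy omits the key entirely when the target is clean
        result["Vulnerabilities"] = vulns
    return {"SchemaVersion": 2, "Results": [result]}


# Constructed from the ':stable' scan pasted earlier in the thread.
NSS = {"VulnerabilityID": "CVE-2023-7104", "PkgName": "nss", "Severity": "HIGH",
       "Status": "fixed", "InstalledVersion": "3.90.0-2.amzn2.0.1",
       "FixedVersion": "3.90.0-2.amzn2.0.2"}
PAM = {"VulnerabilityID": "CVE-2024-22365", "PkgName": "pam", "Severity": "LOW",
       "Status": "fixed", "InstalledVersion": "1.1.8-23.amzn2.0.1",
       "FixedVersion": "1.1.8-23.amzn2.0.2"}
# Placeholder, not a real CVE: stands in for a finding with no distro fix.
NO_FIX = {"VulnerabilityID": "CVE-0000-00000", "PkgName": "example-pkg",
          "Severity": "HIGH", "Status": "affected",
          "InstalledVersion": "1.0-1.amzn2", "FixedVersion": ""}

PUBLISHED = _report([NSS, PAM])      # what is currently tagged stable
REBUILT_CLEAN = _report([])          # base image picked up both fixes
REBUILT_STALE = _report([NSS])       # base image still lags on nss
REBUILT_NO_FIX = _report([NO_FIX])   # nothing a rebuild can do about it

if __name__ == "__main__":
    for name, rebuilt in [("clean", REBUILT_CLEAN), ("stale", REBUILT_STALE),
                          ("no-fix", REBUILT_NO_FIX)]:
        action, reason = release_decision(PUBLISHED, rebuilt)
        print(f"{name:7} -> {action:11} {reason}")
```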

@jamespfluger-ava @eigan I am not seeing any findings for our most recent rebuild from earlier this month:

$ trivy image   --severity HIGH,CRITICAL --format json public.ecr.aws/aws-observability/aws-for-fluent-bit:latest  -q | jq '.Results[0].Vulnerabilities | length'
0

Also it seems go1.22 works with Fluent Bit go plugins, so we will upgrade to that in our next re-build release.

Issue has been resolved in this link OS version

fixed in #860