signalfx/splunk-otel-collector

Sysdig Secure reports Critical and High CVEs in v0.75.0

jbehrends opened this issue · 4 comments

Scanning the container quay.io/signalfx/splunk-otel-collector:0.75.0 with Sysdig Secure reports the following Critical and High CVEs:

quay.io/signalfx/splunk-otel-collector:0.75.0
Criticals:
CVE-2021-29921 - Package: python-3.8.10  Path: /usr/lib/splunk-otel-collector/agent-bundle/lib/libpython3.8.so.1.0
CVE-2019-12900 - Package: python-3.8.10  Path: /usr/lib/splunk-otel-collector/agent-bundle/lib/libpython3.8.so.1.0
CVE-2022-37454 - Package: python-3.8.10  Path: /usr/lib/splunk-otel-collector/agent-bundle/lib/libpython3.8.so.1.0
CVE-2022-32511 - Package: jmespath-1.0.1  Path: /usr/lib/splunk-otel-collector/agent-bundle/lib/python3.8/site-packages/jmespath

High:
CVE-2015-20107 - Package: python-3.8.10  Path: /usr/lib/splunk-otel-collector/agent-bundle/lib/libpython3.8.so.1.0
CVE-2021-28861 - Package: python-3.8.10  Path: /usr/lib/splunk-otel-collector/agent-bundle/lib/libpython3.8.so.1.0
CVE-2018-25032 - Package: python-3.8.10  Path: /usr/lib/splunk-otel-collector/agent-bundle/lib/libpython3.8.so.1.0
CVE-2022-45061 - Package: python-3.8.10  Path: /usr/lib/splunk-otel-collector/agent-bundle/lib/libpython3.8.so.1.0
CVE-2020-10735 - Package: python-3.8.10  Path: /usr/lib/splunk-otel-collector/agent-bundle/lib/libpython3.8.so.1.0
CVE-2022-42919 - Package: python-3.8.10  Path: /usr/lib/splunk-otel-collector/agent-bundle/lib/libpython3.8.so.1.0
CVE-2023-24329 - Package: python-3.8.10  Path: /usr/lib/splunk-otel-collector/agent-bundle/lib/libpython3.8.so.1.0 

Most are for Python 3.8.10, with a single critical for jmespath.

Thanks for your report, though we do request submitting through the disclosure portal: https://github.com/signalfx/splunk-otel-collector/blob/main/docs/security.md#reporting-security-issues.

In the meantime, 618da71 will be in the next release. Offhand, CVE-2022-32511* appears to apply to the Ruby library?

Thanks for the quick response!

Sorry! I didn't realize that they wanted these types of requests to go through a different submittal process. I had found some other CVE reports in closed issues so thought it was ok to report here. Do you want me to re-submit over there as well? Or just for next time?

re: jmespath-1.0.1 After doing some digging it appears you're correct! Looks like the scanner is reporting a jmespath CVE for the Ruby version against the Python version in the container. I'll report that mis-report back to Sysdig and let them know. Thanks for pointing that out.
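As an added triage aid (not code from this thread or the splunk-otel-collector project): the mismatch described above, a Ruby-gem advisory reported against the Python package, can be caught by parsing the scanner lines in the format shown and comparing the ecosystem the file path implies with the ecosystem the advisory is about. The advisory-to-ecosystem table below is constructed from this thread; in practice it would come from the advisory feed.

```python
import re

# Scanner lines as they appear in the report above (Sysdig Secure output format).
SCAN_LINES = """\
CVE-2022-37454 - Package: python-3.8.10  Path: /usr/lib/splunk-otel-collector/agent-bundle/lib/libpython3.8.so.1.0
CVE-2022-32511 - Package: jmespath-1.0.1  Path: /usr/lib/splunk-otel-collector/agent-bundle/lib/python3.8/site-packages/jmespath
CVE-2023-24329 - Package: python-3.8.10  Path: /usr/lib/splunk-otel-collector/agent-bundle/lib/libpython3.8.so.1.0
""".splitlines()

# Constructed lookup: which ecosystem each advisory actually concerns.
# CVE-2022-32511 is the Ruby jmespath gem advisory (as the thread notes);
# the other two are CPython advisories.
ADVISORY_ECOSYSTEM = {
    "CVE-2022-32511": "rubygems",
    "CVE-2022-37454": "cpython",
    "CVE-2023-24329": "cpython",
}

LINE_RE = re.compile(r"^(CVE-\d{4}-\d+)\s+-\s+Package:\s+(\S+)\s+Path:\s+(\S+)")

def ecosystem_from_path(path):
    """Infer the ecosystem of the scanned file from where it lives on disk."""
    if "/site-packages/" in path or "/dist-packages/" in path:
        return "pypi"
    if "/gems/" in path:
        return "rubygems"
    if re.search(r"libpython\d", path):
        return "cpython"
    return "unknown"

def parse_line(line):
    """Parse one scanner line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    cve, pkg, path = m.groups()
    return {"cve": cve, "package": pkg, "path": path, "path_eco": ecosystem_from_path(path)}

def triage(lines, advisory_eco=ADVISORY_ECOSYSTEM):
    """Return parsed findings; 'mismatch' is True when the advisory's ecosystem
    is known and differs from the ecosystem implied by the file path."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        f["advisory_eco"] = advisory_eco.get(f["cve"], "unknown")
        f["mismatch"] = ("unknown" not in (f["advisory_eco"], f["path_eco"])
                         and f["advisory_eco"] != f["path_eco"])
        findings.append(f)
    return findings

if __name__ == "__main__":
    for f in triage(SCAN_LINES):
        status = "CHECK: ecosystem mismatch, likely false positive" if f["mismatch"] else "ok"
        print(f"{f['cve']} {f['package']}: path={f['path_eco']} advisory={f['advisory_eco']} -> {status}")
```

A flagged entry is a prompt to verify against the advisory text, not an automatic dismissal.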

Feel free to use the portal in the future, and no need to duplicate your efforts. We'll be sure to go over each of the ones reported here. Thanks again!

v0.77.0 is now released. I am closing this report, please get in touch through our disclosure portal for any future vulnerability reports. Thanks!