DataDog / datadog-agent

Main repository for Datadog Agent
https://docs.datadoghq.com/
Apache License 2.0

Identified 25 vulnerabilities in datadog agent 7.47.0 #19181

Closed sheffrong123 closed 1 year ago

sheffrong123 commented 1 year ago

We are currently using Datadog Agent version 7.47.0, and we've identified 25 vulnerabilities in our environment using "docker scout cves" for scanning. Could you please assist us in addressing and remediating these vulnerabilities?

Thank you for your help.

% docker scout cves test
    INFO New version 0.24.0 available (installed version is 0.16.1)
    ✓ SBOM of image already cached, 894 packages indexed
    ✗ Detected 18 vulnerable packages with a total of 25 vulnerabilities

0C 0H 2M 0L 1? in-toto 1.0.1 pkg:pypi/in-toto@1.0.1

✗ MEDIUM CVE-2023-32076 [External Control of System or Configuration Setting]
  https://scout.docker.com/v/CVE-2023-32076
  Affected range : <=1.4.0                                       
  Fixed version  : 2.0.0                                         
  CVSS Score     : 5.5                                           
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N  

✗ MEDIUM GHSA-jjgp-whrp-gq8m [Improper Certificate Validation]
  https://scout.docker.com/v/GHSA-jjgp-whrp-gq8m
  Affected range : <=1.4.0    
  Fixed version  : not fixed  

✗ UNSPECIFIED GMS-2023-1442 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/GMS-2023-1442
  Affected range : <=1.4.0    
  Fixed version  : not fixed  

0C 0H 1M 1L aws-sdk-go 1.44.171 pkg:golang/github.com/aws/aws-sdk-go@1.44.171

✗ MEDIUM CVE-2020-8911
  https://scout.docker.com/v/CVE-2020-8911
  Affected range : >=0        
  Fixed version  : not fixed  

✗ LOW CVE-2020-8912
  https://scout.docker.com/v/CVE-2020-8912
  Affected range : >=0        
  Fixed version  : not fixed  

0C 0H 1M 1L krb5 1.19.2-2ubuntu0.2 pkg:deb/ubuntu/krb5@1.19.2-2ubuntu0.2?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ MEDIUM CVE-2023-36054
  https://scout.docker.com/v/CVE-2023-36054
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 6.5                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H  

✗ LOW CVE-2018-5709
  https://scout.docker.com/v/CVE-2018-5709
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 7.5                                           
  CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N  

0C 0H 1M 0L procps 2:3.3.17-6ubuntu2 pkg:deb/ubuntu/procps@2:3.3.17-6ubuntu2?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ MEDIUM CVE-2023-4016
  https://scout.docker.com/v/CVE-2023-4016
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 5.5                                           
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H  

0C 0H 1M 0L net 0.11.0 pkg:golang/golang.org/x/net@0.11.0

✗ MEDIUM CVE-2023-3978
  https://scout.docker.com/v/CVE-2023-3978
  Affected range : <0.13.0  
  Fixed version  : 0.13.0   

0C 0H 1M 0L redis 4.6.0 pkg:pypi/redis@4.6.0

✗ MEDIUM CVE-2023-28859
  https://scout.docker.com/v/CVE-2023-28859
  Affected range : <5.0.0b1  
  Fixed version  : 5.0.0b1   

0C 0H 1M 0L rekor 1.1.1 pkg:golang/github.com/sigstore/rekor@1.1.1

✗ MEDIUM CVE-2023-33199 [Reachable Assertion]
  https://scout.docker.com/v/CVE-2023-33199
  Affected range : <1.2.0                                        
  Fixed version  : 1.2.0                                         
  CVSS Score     : 5.3                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L  

0C 0H 1M 0L stdlib 1.20.6 pkg:golang/stdlib@1.20.6

✗ MEDIUM CVE-2023-29409
  https://scout.docker.com/v/CVE-2023-29409
  Affected range : >=1.20.0-0  
                 : <1.20.7     
  Fixed version  : 1.20.7      

0C 0H 1M 0L perl 5.34.0-3ubuntu1.2 pkg:deb/ubuntu/perl@5.34.0-3ubuntu1.2?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ MEDIUM CVE-2022-48522
  https://scout.docker.com/v/CVE-2022-48522
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 9.8                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  

0C 0H 0M 2L 2? cryptography 39.0.1 pkg:pypi/cryptography@39.0.1

✗ LOW GHSA-jm77-qphf-c4w8
  https://scout.docker.com/v/GHSA-jm77-qphf-c4w8
  Affected range : >=0.8    
                 : <41.0.3  
  Fixed version  : 41.0.3   

✗ LOW GHSA-5cpq-8wj7-hf2v
  https://scout.docker.com/v/GHSA-5cpq-8wj7-hf2v
  Affected range : >=0.5     
                 : <=40.0.2  
  Fixed version  : 41.0.0    

✗ UNSPECIFIED GMS-2023-1898 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/GMS-2023-1898
  Affected range : >=0.8    
                 : <41.0.3  
  Fixed version  : 41.0.3   

✗ UNSPECIFIED GMS-2023-1778 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/GMS-2023-1778
  Affected range : >=0.5     
                 : <=40.0.2  
  Fixed version  : 41.0.0    

0C 0H 0M 1L bash 5.1-6ubuntu1 pkg:deb/ubuntu/bash@5.1-6ubuntu1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2022-3715
  https://scout.docker.com/v/CVE-2022-3715
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 7.8                                           
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  

0C 0H 0M 1L openssl 3.0.2-0ubuntu1.10 pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.10?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2023-2975
  https://scout.docker.com/v/CVE-2023-2975
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 5.3                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N  

0C 0H 0M 1L gnupg2 2.2.27-3ubuntu2.1 pkg:deb/ubuntu/gnupg2@2.2.27-3ubuntu2.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2022-3219
  https://scout.docker.com/v/CVE-2022-3219
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 3.3                                           
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L  

0C 0H 0M 1L coreutils 8.32-4.1ubuntu1 pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2016-2781
  https://scout.docker.com/v/CVE-2016-2781
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 6.5                                           
  CVSS Vector    : CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N  

0C 0H 0M 1L pcre3 2:8.39-13ubuntu0.22.04.1 pkg:deb/ubuntu/pcre3@2:8.39-13ubuntu0.22.04.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2017-11164
  https://scout.docker.com/v/CVE-2017-11164
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 7.5                                           
  CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  

0C 0H 0M 1L shadow 1:4.8.1-2ubuntu2.1 pkg:deb/ubuntu/shadow@1:4.8.1-2ubuntu2.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2023-29383
  https://scout.docker.com/v/CVE-2023-29383
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 3.3                                           
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N  

0C 0H 0M 1L libzstd 1.4.8+dfsg-3build1 pkg:deb/ubuntu/libzstd@1.4.8+dfsg-3build1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2022-4899
  https://scout.docker.com/v/CVE-2022-4899
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 7.5                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  

0C 0H 0M 1L glibc 2.35-0ubuntu3.1 pkg:deb/ubuntu/glibc@2.35-0ubuntu3.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2016-20013
  https://scout.docker.com/v/CVE-2016-20013
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 7.5                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  

25 vulnerabilities found in 18 packages
  UNSPECIFIED  3
  LOW          12
  MEDIUM       10
  HIGH         0
  CRITICAL     0
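The report above is plain text, and the useful triage question for each finding is the one the maintainer's reply answers package by package: does the advisory name a fixed version that a dependency bump can pick up, or is it "not fixed" upstream? The following parser for that `docker scout cves` text layout, with the fixable/waiting split, is an added example and not code from the issue or from the datadog-agent repository; the sample input is a constructed, abridged copy of three entries from the report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied (abridged) from the report above.
SAMPLE = """\
0C 0H 2M 0L 1? in-toto 1.0.1 pkg:pypi/in-toto@1.0.1

✗ MEDIUM CVE-2023-32076 [External Control of System or Configuration Setting]
  https://scout.docker.com/v/CVE-2023-32076
  Affected range : <=1.4.0
  Fixed version  : 2.0.0

✗ MEDIUM GHSA-jjgp-whrp-gq8m [Improper Certificate Validation]
  https://scout.docker.com/v/GHSA-jjgp-whrp-gq8m
  Affected range : <=1.4.0
  Fixed version  : not fixed

0C 0H 1M 0L stdlib 1.20.6 pkg:golang/stdlib@1.20.6

✗ MEDIUM CVE-2023-29409
  https://scout.docker.com/v/CVE-2023-29409
  Affected range : >=1.20.0-0
                 : <1.20.7
  Fixed version  : 1.20.7
"""
# Package header: severity tallies, optional "N?" unspecified count, name, version, purl.
PKG_RE = re.compile(r"^\d+C \d+H \d+M \d+L (?:\d+\? )?\S+ \S+ (pkg:\S+)$")
VULN_RE = re.compile(r"^✗ (\S+) (\S+)(?: \[(.*)\])?$")
FIELD_RE = re.compile(r"^\s+(?:(Affected range|Fixed version|CVSS Score|CVSS Vector)\s*)?: (.+)$")

@dataclass
class Finding:
    purl: str                     # package URL taken from the "0C 0H ..." header
    severity: str
    vuln_id: str
    affected: list = field(default_factory=list)
    fixed_version: str = "not fixed"

def parse_scout(text: str) -> list:
    findings, pkg, cur = [], None, None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            pkg = m.group(1)      # every ✗ line until the next header belongs here
        elif m := VULN_RE.match(line):
            cur = Finding(pkg, m.group(1), m.group(2))
            findings.append(cur)
        elif cur is not None and (m := FIELD_RE.match(line)):
            name, value = m.group(1), m.group(2).strip()   # strip padding spaces
            if name == "Fixed version":
                cur.fixed_version = value
            elif name in ("Affected range", None):  # None: a range continuation line
                cur.affected.append(value)
    return findings

def triage(findings):
    """The reply's split: bump the dependency, or wait for an upstream release."""
    fixable = [f for f in findings if f.fixed_version != "not fixed"]
    return fixable, [f for f in findings if f.fixed_version == "not fixed"]
```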

L3n41c commented 1 year ago

Hello @sheffrong123!

Thank you very much for your detailed report. Here is the analysis of the vulnerabilities you reported:

0C 0H 2M 0L 1? in-toto 1.0.1 pkg:pypi/in-toto@1.0.1

✗ MEDIUM CVE-2023-32076 [External Control of System or Configuration Setting]
  https://scout.docker.com/v/CVE-2023-32076
  Affected range : <=1.4.0
  Fixed version  : 2.0.0
  CVSS Score     : 5.5
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

✗ MEDIUM GHSA-jjgp-whrp-gq8m [Improper Certificate Validation]
  https://scout.docker.com/v/GHSA-jjgp-whrp-gq8m
  Affected range : <=1.4.0
  Fixed version  : not fixed

✗ UNSPECIFIED GMS-2023-1442 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/GMS-2023-1442
  Affected range : <=1.4.0
  Fixed version  : not fixed

Fixed by DataDog/integrations-core#15667.

0C 0H 1M 1L aws-sdk-go 1.44.171 pkg:golang/github.com/aws/aws-sdk-go@1.44.171

✗ MEDIUM CVE-2020-8911
  https://scout.docker.com/v/CVE-2020-8911
  Affected range : >=0
  Fixed version  : not fixed

✗ LOW CVE-2020-8912
  https://scout.docker.com/v/CVE-2020-8912
  Affected range : >=0
  Fixed version  : not fixed

As said in the report: « Fixed version : not fixed ». We’ll pick the fix as soon as one is released.

0C 0H 1M 1L krb5 1.19.2-2ubuntu0.2 pkg:deb/ubuntu/krb5@1.19.2-2ubuntu0.2?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ MEDIUM CVE-2023-36054
  https://scout.docker.com/v/CVE-2023-36054
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 6.5
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

✗ LOW CVE-2018-5709
  https://scout.docker.com/v/CVE-2018-5709
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 7.5
  CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

As said in the report: « Fixed version : not fixed ». We’ll pick the fix as soon as one is released.

0C 0H 1M 0L procps 2:3.3.17-6ubuntu2 pkg:deb/ubuntu/procps@2:3.3.17-6ubuntu2?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ MEDIUM CVE-2023-4016
  https://scout.docker.com/v/CVE-2023-4016
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 5.5
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

As said in the report: « Fixed version : not fixed ». We’ll pick the fix as soon as one is released.

0C 0H 1M 0L net 0.11.0 pkg:golang/golang.org/x/net@0.11.0

✗ MEDIUM CVE-2023-3978
  https://scout.docker.com/v/CVE-2023-3978
  Affected range : <0.13.0
  Fixed version  : 0.13.0

Fixed by #18659.

0C 0H 1M 0L redis 4.6.0 pkg:pypi/redis@4.6.0

✗ MEDIUM CVE-2023-28859
  https://scout.docker.com/v/CVE-2023-28859
  Affected range : <5.0.0b1
  Fixed version  : 5.0.0b1

Fixed by DataDog/integrations-core#15585.

0C 0H 1M 0L rekor 1.1.1 pkg:golang/github.com/sigstore/rekor@1.1.1

✗ MEDIUM CVE-2023-33199 [Reachable Assertion]
  https://scout.docker.com/v/CVE-2023-33199
  Affected range : <1.2.0
  Fixed version  : 1.2.0
  CVSS Score     : 5.3
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Fixed by #18227.

0C 0H 1M 0L stdlib 1.20.6 pkg:golang/stdlib@1.20.6

✗ MEDIUM CVE-2023-29409
  https://scout.docker.com/v/CVE-2023-29409
  Affected range : >=1.20.0-0
                 : <1.20.7
  Fixed version  : 1.20.7

Fixed by DataDog/datadog-agent-buildimages#432.

0C 0H 1M 0L perl 5.34.0-3ubuntu1.2 pkg:deb/ubuntu/perl@5.34.0-3ubuntu1.2?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ MEDIUM CVE-2022-48522
  https://scout.docker.com/v/CVE-2022-48522
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 9.8
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

As said in the report: « Fixed version : not fixed ». We’ll pick the fix as soon as one is released.

0C 0H 0M 2L 2? cryptography 39.0.1 pkg:pypi/cryptography@39.0.1

✗ LOW GHSA-jm77-qphf-c4w8
  https://scout.docker.com/v/GHSA-jm77-qphf-c4w8
  Affected range : >=0.8
                 : <41.0.3
  Fixed version  : 41.0.3

✗ LOW GHSA-5cpq-8wj7-hf2v
  https://scout.docker.com/v/GHSA-5cpq-8wj7-hf2v
  Affected range : >=0.5
                 : <=40.0.2
  Fixed version  : 41.0.0

✗ UNSPECIFIED GMS-2023-1898 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/GMS-2023-1898
  Affected range : >=0.8
                 : <41.0.3
  Fixed version  : 41.0.3

✗ UNSPECIFIED GMS-2023-1778 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/GMS-2023-1778
  Affected range : >=0.5
                 : <=40.0.2
  Fixed version  : 41.0.0

Fixed by DataDog/integrations-core#15517.

0C 0H 0M 1L bash 5.1-6ubuntu1 pkg:deb/ubuntu/bash@5.1-6ubuntu1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2022-3715
  https://scout.docker.com/v/CVE-2022-3715
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 7.8
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

As said in the report: « Fixed version : not fixed ». We’ll pick the fix as soon as one is released.

0C 0H 0M 1L openssl 3.0.2-0ubuntu1.10 pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.10?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2023-2975
  https://scout.docker.com/v/CVE-2023-2975
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 5.3
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

As said in the report: « Fixed version : not fixed ». We’ll pick the fix as soon as one is released.

0C 0H 0M 1L gnupg2 2.2.27-3ubuntu2.1 pkg:deb/ubuntu/gnupg2@2.2.27-3ubuntu2.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2022-3219
  https://scout.docker.com/v/CVE-2022-3219
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 3.3
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

As said in the report: « Fixed version : not fixed ». We’ll pick the fix as soon as one is released.

0C 0H 0M 1L coreutils 8.32-4.1ubuntu1 pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2016-2781
  https://scout.docker.com/v/CVE-2016-2781
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 6.5
  CVSS Vector    : CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

As said in the report: « Fixed version : not fixed ». We’ll pick the fix as soon as one is released.

0C 0H 0M 1L pcre3 2:8.39-13ubuntu0.22.04.1 pkg:deb/ubuntu/pcre3@2:8.39-13ubuntu0.22.04.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2017-11164
  https://scout.docker.com/v/CVE-2017-11164
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 7.5
  CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

As said in the report: « Fixed version : not fixed ». We’ll pick the fix as soon as one is released.

0C 0H 0M 1L shadow 1:4.8.1-2ubuntu2.1 pkg:deb/ubuntu/shadow@1:4.8.1-2ubuntu2.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2023-29383
  https://scout.docker.com/v/CVE-2023-29383
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 3.3
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

As said in the report: « Fixed version : not fixed ». We’ll pick the fix as soon as one is released.

0C 0H 0M 1L libzstd 1.4.8+dfsg-3build1 pkg:deb/ubuntu/libzstd@1.4.8+dfsg-3build1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2022-4899
  https://scout.docker.com/v/CVE-2022-4899
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 7.5
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

As said in the report: « Fixed version : not fixed ». We’ll pick the fix as soon as one is released.

0C 0H 0M 1L glibc 2.35-0ubuntu3.1 pkg:deb/ubuntu/glibc@2.35-0ubuntu3.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2016-20013
  https://scout.docker.com/v/CVE-2016-20013
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 7.5
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

As said in the report: « Fixed version : not fixed ». We’ll pick the fix as soon as one is released.

To conclude, I think that all the vulnerabilities reported here are: