DataDog / datadog-agent

Main repository for Datadog Agent
https://docs.datadoghq.com/
Apache License 2.0

DataDog Agent v7.50.0 still contains OpenSSL 3.0.8 DLLs with known vulnerabilities #21678

Open RoelofRoelofsen opened 11 months ago

RoelofRoelofsen commented 11 months ago

In the release notes (security notes) of version 7.50.0 I found: updated OpenSSL from 3.0.11 to 3.0.12.

Microsoft Defender still found OpenSSL DLLs with version 3.0.8 with known vulnerabilities in the DataDog Agent application folders (C:\Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs).

toucheDD commented 7 months ago

This is still not fixed in the newest versions, neither 7.52.1 nor 7.53.0. Is it even being considered to be fixed?

smerkx commented 5 months ago

Also not fixed in 7.54.0. Defender alerts on:

3.0.13.0:
c:\program files\datadog\datadog agent\embedded3\dlls\libcrypto-3.dll
c:\program files\datadog\datadog agent\embedded3\dlls\libssl-3.dll

3.0.8.0:
c:\program files\datadog\datadog agent\embedded3\lib\site-packages\confluent_kafka.libs\libcrypto-3-x64-635e87f2c9173c8128924a94337627b3.dll
c:\program files\datadog\datadog agent\embedded3\lib\site-packages\confluent_kafka.libs\libssl-3-x64-a0018292260ae8557aa3cd7db7d50307.dll

smerkx commented 2 months ago

Release notes for 7.56.0 say: Security Notes:

Updated all agents to 7.56.0, but that still installs OpenSSL 3.0.13 DLLs in c:\program files\datadog\datadog agent\embedded3\dlls
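
Added example, not part of the thread and not Datadog's code: a PowerShell inventory of every libcrypto-3/libssl-3 DLL under the Agent install root quoted above, reporting each copy's file version and the folder that ships it, so the separately bundled copies the comments describe can be checked after each upgrade. The function name, script name and the `MinimumVersion` threshold are assumptions; the operator supplies the threshold.

```powershell
# Added example; usage (script name is hypothetical):
#   .\Find-BundledOpenSsl.ps1 -MinimumVersion <lowest version you accept>
param(
    # Install root as quoted in the thread above.
    [string]$Root = 'C:\Program Files\Datadog\Datadog Agent',
    # Assumption: the operator supplies the threshold; the page does not name a fixed version.
    [Parameter(Mandatory)][version]$MinimumVersion
)

function Get-BundledOpenSsl {
    param([string]$Path, [version]$Minimum)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Filter '*.dll' -ErrorAction SilentlyContinue |
        # Matches libcrypto-3.dll as well as renamed copies such as libssl-3-x64-<hash>.dll.
        Where-Object { $_.Name -match '^lib(crypto|ssl)-3.*\.dll$' } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Use the numeric fields; the FileVersion string may carry free text.
            $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)
            [pscustomobject]@{
                Version      = $ver
                BelowMinimum = $ver -lt $Minimum
                # Parent folder shows which component ships this copy,
                # e.g. DLLs or confluent_kafka.libs (the two folders named in the thread).
                ShippedIn    = $_.Directory.Name
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Path         = $_.FullName
            }
        }
}

$found = @(Get-BundledOpenSsl -Path $Root -Minimum $MinimumVersion)
if ($found.Count -eq 0) {
    Write-Warning "No libcrypto-3/libssl-3 DLLs found under $Root"
    exit 0
}
$found | Sort-Object Version, Path |
    Format-Table Version, BelowMinimum, ShippedIn, Path -AutoSize

# Non-zero exit lets a scheduled task or compliance check flag the host.
$stale = @($found | Where-Object BelowMinimum)
if ($stale.Count -gt 0) { exit 1 }
```

The `ShippedIn` column separates the Agent's own `embedded3\dlls` copies from copies vendored inside a Python package, which are updated on that package's schedule rather than the Agent's.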