apache / skywalking

APM, Application Performance Monitoring System
https://skywalking.apache.org/
Apache License 2.0

[Bug, Vulnerability] CVE-2023-48795 #11936

Closed VladislavDubrovenski closed 8 months ago

VladislavDubrovenski commented 8 months ago

Apache SkyWalking Component

OAP server (apache/skywalking)

What happened

Good day,

The scanner flags CVE-2023-48795 in OAP and UI, which I am required to fix to continue using this great project.

SkyWalking is deployed using a Helm chart.

More information: OAP:

UI:

What you expected to happen

No vulnerability found

How to reproduce

Install SkyWalking via the Helm chart.

Anything else

No response

wu-sheng commented 8 months ago

We are not using Go and Python in OAP. I am not sure what you mean. This is a Java project.

VladislavDubrovenski commented 8 months ago

@wu-sheng I understand that; I opened it for OAP. Also, it occurs to me that the image you use for deployment on k8s for the UI has the vulnerability. Where should I report this? This vulnerability has been present for almost 2 months, and my only other remediation is to disable SkyWalking, which I really don't want to do as I have written custom scripts for it as well.

wu-sheng commented 8 months ago

OK, if you mean images, you need to check whether it is from swctl or something else, because OAP and UI themselves are only Java based.

You could check the docker file, https://github.com/apache/skywalking/blob/master/docker/oap/Dockerfile

About the CLI, it is from https://github.com/apache/skywalking-cli.

wu-sheng commented 8 months ago

Or is this a Linux level CVE? You could repackage the whole thing and get the latest eclipse-temurin:11-jre.

VladislavDubrovenski commented 8 months ago

@wu-sheng I appreciate you reopening this issue. Constantly repackaging every open-source solution would make it a nightmare from a maintainability perspective. It seems that many open-source solutions suffer from this vulnerability (even though the library in question was not in use in many, scans still flag it).

I have several examples where it was already fixed:

- Jaeger: https://github.com/jaegertracing/jaeger/pull/5016
- Grafana: https://github.com/grafana/grafana/issues/80316
- ArgoCD: https://github.com/argoproj/argo-cd/issues/17020
- Prometheus: https://github.com/prometheus/prometheus/issues/13512
- And others

I understand that this causes certain inconveniences, and I apologize for that, but I had been required to address this particular vulnerability in the past month.

wu-sheng commented 8 months ago

@kezhenxu94 Could you take a look? I think this may be either from the base image or a kind of CLI-side issue.

wu-sheng commented 8 months ago

CLI fixed at https://github.com/apache/skywalking-cli/pull/199

kezhenxu94 commented 8 months ago

If the UI also has the CVE, then swctl might not be the only source of the CVE, as the UI doesn't have swctl in it.

wu-sheng commented 8 months ago

Yes, I noticed that. I am not sure why the UI could have this; maybe it is from the default base Linux image? The CLI has the version impact, but it may not be the only source.

heyanlong commented 8 months ago

I see eclipse-temurin:11-jre is built on ubuntu:22.04, which uses OpenSSH 8.9 as the default ssh in ubuntu:22.04.

wu-sheng commented 8 months ago

AFAIK, 11-jre image should be safe enough. https://hub.docker.com/layers/library/eclipse-temurin/11-jre/images/sha256-2a0e7b00897263d43b65f33962ca1299e6ce91a16c3dd09fbceff114d4c8c34a?context=explore

No high or critical issues. On our own side, the CLI has been removed from the next release.

We should be good now.

VladislavDubrovenski commented 8 months ago

Thank you for the quick remediation!