elastic / cloudbeat

Analyzing Cloud Security Posture

xz Impact Assessment #2153

Closed kubasobon closed 6 months ago

kubasobon commented 6 months ago

Towards https://github.com/elastic/security/issues/2039

Description

Malicious code was discovered in the upstream tarballs of xz, for versions 5.6.0 and 5.6.1. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Affected Versions

5.6.0
5.6.1

Does not affect versions before 5.6.0

kubasobon commented 6 months ago

CVE-2024-3094 details

kubasobon commented 6 months ago

Linked libraries

Cloudbeat binary does not link xz or lzma. In fact, it does not link any system libraries.

~ env CGO_ENABLED=1 go build .
~ objdump -p ./cloudbeat | grep -i 'needed'
~ otool -L /Users/kuba/Work/cloudbeat/cloudbeat
/Users/kuba/Work/cloudbeat/cloudbeat:
        /usr/lib/libresolv.9.dylib (compatibility version 1.0.0, current version 1.0.0)
        /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 2420.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.100.2)
        /System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 61123.100.169)

Docker container

Cloudbeat's docker container is based on the latest Debian version:

~ docker run --entrypoint /bin/bash -it cloudbeat:latest
root@ee0b21788d2c:/# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

It comes with liblzma v5.4.1 installed, but no xz-utils.

~ docker run --entrypoint /bin/bash -it cloudbeat:latest
root@e2a92ff89ec9:/# apt list --installed | grep lzma
liblzma5/stable,now 5.4.1-0.2 arm64 [installed,automatic]

root@e2a92ff89ec9:/# xz
bash: xz: command not found

Golang dependencies

A few Golang libraries used by Cloudbeat require github.com/ulikunitz/xz v0.5.11, which is why it is an indirect dependency. However, as per maintainers' update, the Golang library does not share any code, files, or vulnerabilities of the original xz. It is simply a Golang re-implementation of the compression algorithm.

Quote from the README:

The software is not affected by the supply chain attack on the original xz implementation, CVE-2024-3094. This implementation doesn't share any files with the original xz implementation and no patches or pull requests are accepted without a review.

Dependencies relying on github.com/ulikunitz/xz:

~ go mod graph | grep 'ulikunitz/xz'
github.com/elastic/cloudbeat github.com/ulikunitz/xz@v0.5.11
github.com/aquasecurity/trivy@v0.48.3 github.com/ulikunitz/xz@v0.5.11
github.com/aquasecurity/trivy-iac@v0.7.1 github.com/ulikunitz/xz@v0.5.10
github.com/hashicorp/go-getter@v1.7.2 github.com/ulikunitz/xz@v0.5.10
github.com/sigstore/rekor@v1.2.2 github.com/ulikunitz/xz@v0.5.11
github.com/elastic/elastic-package@v0.77.0 github.com/ulikunitz/xz@v0.5.11
github.com/mholt/archiver/v3@v3.5.1 github.com/ulikunitz/xz@v0.5.9
github.com/dsnet/compress@v0.0.2-0.20210315054119-f66993602bf5 github.com/ulikunitz/xz@v0.5.8

Summary

Based on the above investigation, I am happy to conclude Cloudbeat binary and Docker image are NOT affected by CVE-2024-3094.
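The three checks walked through in this issue (dynamic linking, installed Debian package version, Go module graph) can be re-run against other binaries and images with the following helper functions. This is an added example, not part of the cloudbeat repository or of the issue; it assumes Debian-style package versions (upstream version followed by a hyphen and revision) and consumes captured `objdump -p`/`readelf -d`, `apt list --installed` and `go mod graph` output on stdin.

```shell
#!/bin/sh
# Added example (not cloudbeat code): automate the xz / CVE-2024-3094 impact
# checks shown in the issue against captured tool output.

# Upstream xz releases that shipped the malicious liblzma build.
AFFECTED_XZ_VERSIONS="5.6.0 5.6.1"

# Return 0 if a Debian package version such as "5.6.1-1" or "5.4.1-0.2" has an
# upstream part equal to one of the affected releases, 1 otherwise.
xz_version_affected() {
  upstream="${1%%-*}"                      # drop the Debian revision suffix
  for v in $AFFECTED_XZ_VERSIONS; do
    [ "$upstream" = "$v" ] && return 0
  done
  return 1
}

# Read `objdump -p` or `readelf -d` output on stdin; return 0 if the binary
# declares a NEEDED entry for liblzma, the library the backdoor is built into.
# A statically linked Go binary, like cloudbeat, produces no NEEDED lines.
binary_needs_liblzma() {
  grep -qiE 'NEEDED[[:space:]]+liblzma'
}

# Read `apt list --installed` output on stdin and print one verdict per
# liblzma*/xz-utils package: "<pkg> <version> AFFECTED" or "<pkg> <version> ok".
assess_apt_list() {
  grep -iE '^(liblzma|xz-utils)' | while read -r pkgfield ver _rest; do
    pkg="${pkgfield%%/*}"                  # "liblzma5/stable,now" -> "liblzma5"
    if xz_version_affected "$ver"; then
      printf '%s %s AFFECTED\n' "$pkg" "$ver"
    else
      printf '%s %s ok\n' "$pkg" "$ver"
    fi
  done
}

# Read `go mod graph` output on stdin and print the distinct versions of
# github.com/ulikunitz/xz required. That module is a pure-Go reimplementation
# sharing no code with upstream xz, so this is inventory, not a finding.
go_xz_versions() {
  awk '$2 ~ /ulikunitz\/xz@/ { sub(/.*@/, "", $2); print $2 }' | sort -u
}
```

Feed the functions real output with e.g. `objdump -p ./cloudbeat | binary_needs_liblzma` or `apt list --installed | assess_apt_list`; any AFFECTED verdict warrants rebuilding the image on a fixed package.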