elastic / logstash

Logstash - transport and process your logs, events, or other data
https://www.elastic.co/products/logstash

CVE-2020-14001 Kramdown gem version #12199

Open calexander3 opened 4 years ago

calexander3 commented 4 years ago

It looks like the version of Kramdown that you are using has a security issue filed. Could you please update the version?

https://security-tracker.debian.org/tracker/CVE-2020-14001

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

yaauie commented 4 years ago

Note: kramdown is a transitive development dependency by way of logstash-devutils, and is not included in distributed packages.

calexander3 commented 4 years ago

Note: kramdown is a transitive development dependency by way of logstash-devutils, and is not included in distributed packages.

Does that mean that even though it is in the Gemfile.lock of the installed it is not actually present? I downloaded Logstash from here: https://artifacts.elastic.co/downloads/logstash/logstash-7.9.0.zip.

yaauie commented 4 years ago

The only reference to kramdown that is included in the distributed artifact is an adapter within tilt (not kramdown itself):

╭─{ yaauie@limbo:~/src/elastic/logstash (✘ master) }
╰─● unzip -l ~/Downloads/logstash-7.9.0.zip | grep kramdown                              
      514  08-12-2020 00:03   logstash-7.9.0/vendor/bundle/jruby/2.5.0/gems/tilt-2.0.10/lib/tilt/kramdown.rb
[success]
rbrayner commented 3 years ago

My pipeline has also failed when using trivy to inspect the following Logstash image: docker.elastic.co/logstash/logstash-oss, for both 7.9.2-SNAPSHOT and 8.0.0-SNAPSHOT.


brunocascio commented 3 years ago

My pipeline fails because it is now CRITICAL.

I tried using 7.9.3 and 7.10.0 docker images

Joengenduvel commented 3 years ago

Same issue here. Looks like it needs to be fixed in tilt first, as @yaauie mentioned in https://github.com/elastic/logstash/issues/12199#issuecomment-686916763

I created an issue on the tilt repository as well: https://github.com/rtomayko/tilt/issues/358

flauflauf commented 3 years ago

@Joengenduvel The kramdown dependency does not come from tilt, but rather from logstash-devutils. I created an issue there.

I am still not sure whether this means that it is an issue for logstash as well or not. Is logstash-devutils only used within logstash's build, or is it present in the final image as well?

flauflauf commented 3 years ago

Looking inside the logstash image, logstash-devutils does not seem to be among the installed gems:

[root@f4a80e189b4a logstash]# gem list

*** LOCAL GEMS ***

bigdecimal (1.2.0)
io-console (0.4.2)
json (1.7.7)
psych (2.0.0)
rdoc (4.0.0)
[root@f4a80e189b4a logstash]# ls /usr/share/gems/gems/
bigdecimal-1.2.0  io-console-0.4.2  json-1.7.7  psych-2.0.0  rdoc-4.0.0

Does that mean logstash is unaffected by the CVE?

yaauie commented 3 years ago

Does that mean logstash is unaffected by the CVE?

Yes. As we have previously indicated, kramdown is not included in released Logstash packages and therefore releases of Logstash are not affected by the CVE. It shows up in the Gemfile.lock because it is a development dependency.

Note: kramdown is a transitive development dependency by way of logstash-devutils, and is not included in distributed packages.
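As an added example (not code from the Logstash project or from anyone in this thread), the following Ruby script makes the distinction yaauie draws above mechanical: it lists the gems a Gemfile.lock names and subtracts the gems actually present in the shipped vendor/bundle, leaving the lockfile-only entries that a lockfile-based scanner reports but the package does not contain. The sample lockfile and directory paths are constructed for illustration and are not Logstash's real files.

```ruby
require "set"
# Constructed sample Gemfile.lock (not Logstash's real one): kramdown enters only
# as a dependency of the dev-only gem logstash-devutils.
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    kramdown (1.17.0)
    logstash-devutils (1.3.6)
      kramdown (>= 1.17, < 3)
    nokogiri (1.10.4-java)
    tilt (2.0.10)
PLATFORMS
  java
LOCK

# Constructed vendor/bundle gem directories as `unzip -l` lists them: only what ships.
SAMPLE_GEM_DIRS = [
  "logstash-7.9.0/vendor/bundle/jruby/2.5.0/gems/tilt-2.0.10",
  "logstash-7.9.0/vendor/bundle/jruby/2.5.0/gems/nokogiri-1.10.4-java",
]

# Gem names under "specs:": the 4-space-indented "name (version)" lines;
# deeper-indented lines are that gem's own dependencies, not separate entries.
def lockfile_gems(lock_text)
  gems = Set.new
  in_specs = false
  lock_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if line.match?(/\A\S/) # next top-level section (PLATFORMS, ...)
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(/)
    gems << m[1] if m
  end
  gems
end

# Gem name from a gems/<name>-<version>[-<platform>] dir: text before the first "-<digit>".
def shipped_gems(gem_dirs)
  gem_dirs.map { |d| File.basename(d).sub(/-\d.*\z/, "") }.to_set
end

# Lockfile entries a lockfile-based scanner flags that the package does not ship.
def lockfile_only(lock_text, gem_dirs)
  (lockfile_gems(lock_text) - shipped_gems(gem_dirs)).to_a.sort
end
```

Against a real artifact, feed `lockfile_only` the unpacked Gemfile.lock and the `gems/` directory names from `unzip -l`; anything it returns is in the lockfile but not in the package, which is the case for kramdown here.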

dominik-ba commented 2 years ago

Since this still comes up in security scans, I wonder why you don't update the dev dependencies, too?