Open JonahLuckett opened 1 year ago
Currently working on the fix for this - waiting to be assigned to the issue by someone with the relevant permissions
@mashhurs @jsvd
Resolved with https://github.com/elastic/logstash/pull/15125
Amazing news! @mashhurs Do you know if this went out with 8.8.2 or if it is planned for 8.8.3+
@JonahLuckett CVE-2022-1471 is still present in 8.8.2
Edit: 8.10 version (hopefully release soon) will be less affected version includes this change.
@mashhurs The release notes for 8.9.0 says snakeyaml has been updated to 2.0. However when I scan with Trivy it doesn't seem to be the case?
@mashhurs The release notes for 8.9.0 says snakeyaml has been updated to 2.0. However when I scan with Trivy it doesn't seem to be the case?
Sorry for confusion, updated the release note (https://github.com/elastic/logstash/pull/15221), web page update will be reflected soon.
@mashhurs is there any update on when this will be released? I see there is already an 8.10.2 version, but doesn't seem to include this yet. Thanks!
@mashhurs is there any update on when this will be released? I see there is already an 8.10.2 version, but doesn't seem to include this yet. Thanks!
@mseiler90 Logstash core updated snakeyaml
in 8.10.x versions. Can you show me the output of your scanner or the way you figure out that snakeyaml
didn't get updated.
@mashhurs is there any update on when this will be released? I see there is already an 8.10.2 version, but doesn't seem to include this yet. Thanks!
@mseiler90 Logstash core updated
snakeyaml
in 8.10.x versions. Can you show me the output of your scanner or the way you figure out thatsnakeyaml
didn't get updated.
Here are two screehsots showing the vulnerability along with some others and a screenshot of the labels to show that it is 8.10.2. This is from Prisma Compute (Twistlock). We also see it in Azure Defender.
@mashhurs any thoughts on this? I do see in the build.gradle that 2.0 is explicitly set, but the image scanning tools still seem to think otherwise for me. Do happen to have any insight into the other vulnerabilities being addressed as well? Thanks for your help.
After further investigation, it seems it is due to the logstash-filter-useragent-3.3.4.jar which I see a PR on this repo addressed https://github.com/logstash-plugins/logstash-filter-useragent/pull/89 and I'm assuming Logstash 8.10.3 will include this updated jar?
After further investigation, it seems it is due to the logstash-filter-useragent-3.3.4.jar which I see a PR on this repo addressed logstash-plugins/logstash-filter-useragent#89 and I'm assuming Logstash 8.10.3 will include this updated jar?
Yes, filter-useragent
changes will reflect in 8.10.3.
The screenshot you showed in your previous comment shows the JARs but doesn't shows the full path. Can you let me know where those JARs located? I am also assuming it is in useragent
plugin JAR but not 100% sure.
Unfortunately that tool isn't showing the the actual jar that the vulnerabilities are in. Our company proxies images through JFrog Artifactory, and using that I reviewed the Xray scan and found the snakeyaml vulnerability in the useragent jar. The other vulnerabilities appear to be in the main jar as the paths are not indicating any other jar like the snakeyaml vulnerability.
@mashhurs I've updated to 8.11.1 and I can see that snakeyaml 1.33 is still present in logstash/logstash-core/lib/jars/snakeyaml-1.33.jar
Description
The release of
SnakeYAML 2.0
resolves CVE-2022-1471 - currently Logstash is usingSnakeYAML 1.33
Currently a clean bump to 2.0 results in the following error taken from this comment:
Concerns raised that will be covered by the fix to this work:
Relevant documentation