Closed anil-kumar-acquia closed 6 months ago
Packages are available at path: /opt/td-agent/lib/ruby/gems/2.7.0/gems/fluent-plugin-td-1.2.0/Gemfile.lock
The Gemfile.lock you point out isn't actually used. We actually use yajl-ruby-1.4.3. Please check that /opt/td-agent/lib/ruby/gems/2.7.0/gems/yajl-ruby-1.4.1 doesn't exist and that /opt/td-agent/lib/ruby/gems/2.7.0/gems/yajl-ruby-1.4.3 exists instead.
Found the below vulnerability while we are https://github.com/fluent/fluent-package-builder/releases/tag/v4.5.1
Package name: yajl-ruby-1.4.1 Severity: CRITICAL CVE IDs: CVE-2019-13224 CVE-2022-48174 CVE-2022-48565 CVE-2018-12892 CVE-2018-12892 CVE-2022-42889
Package name: fluentd-1.14.6 Severity: CRITICAL CVE IDs: CVE-2019-13224 CVE-2022-48174 CVE-2022-48565 CVE-2018-12892 CVE-2018-12892 CVE-2022-42889
Packages are available at path: /opt/td-agent/lib/ruby/gems/2.7.0/gems/fluent-plugin-td-1.2.0/Gemfile.lock
I can see that fluent-plugin-td-1.2.0 is the latest available gem version, so we are looking for fixes for the above CVEs as the severity level is Critical.
Reference for fluent-plugin-td gem: https://rubygems.org/gems/fluent-plugin-td/versions/1.2.0?locale=en
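The check described in the maintainer's reply, as an added example (not code from this thread or from the fluent project): it reads the versions pinned in a gem's bundled Gemfile.lock and compares them with the name-version directories actually present under the gems directory. The function names are hypothetical and the sample tree is constructed.

```ruby
require "tmpdir"
require "fileutils"

# Versions pinned in a Gemfile.lock "specs:" section (lines indented 4 spaces).
# Deeper-indented lines are dependency constraints, not pins, and are skipped.
def locked_versions(lockfile_text)
  lockfile_text.scan(/^ {4}(\S+) \(([^)]+)\)$/).to_h
end

# Versions of `name` actually present as name-version directories in gems_dir.
def installed_versions(gems_dir, name)
  Dir.children(gems_dir)
     .select { |d| d.start_with?("#{name}-") }
     .map { |d| d.delete_prefix("#{name}-") }
     .select { |v| v.match?(/\A\d/) } # "fluent-plugin" must not match fluent-plugin-td
     .sort
end

# One row per pinned gem: is the pinned (scanner-reported) version on disk?
def triage(lockfile_path, gems_dir)
  locked_versions(File.read(lockfile_path)).map do |name, pinned|
    found = installed_versions(gems_dir, name)
    { gem: name, pinned: pinned, installed: found, pinned_present: found.include?(pinned) }
  end
end

# Constructed sample tree. No fluentd directory is created because the thread
# does not say which fluentd version is installed.
def build_sample_tree(root)
  gems = File.join(root, "gems")
  %w[fluent-plugin-td-1.2.0 yajl-ruby-1.4.3].each { |d| FileUtils.mkdir_p(File.join(gems, d)) }
  lock = File.join(gems, "fluent-plugin-td-1.2.0", "Gemfile.lock")
  File.write(lock, <<~LOCK)
    GEM
      remote: https://rubygems.org/
      specs:
        fluentd (1.14.6)
          yajl-ruby (~> 1.0)
        yajl-ruby (1.4.1)
  LOCK
  [lock, gems]
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    lock, gems = build_sample_tree(root)
    triage(lock, gems).each { |row| puts row }
  end
end
```

A row with `pinned_present: false` means the scanner reported a version that exists only as text in the lockfile, so the finding should be re-evaluated against the versions listed under `installed`.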