fluent / fluent-package-builder

td-agent (Fluentd) Building and Packaging System
Apache License 2.0

Vulnerabilities in yajl-ruby-1.4.1 & fluentd-1.14.6 package of fluent-plugin-td-1.2.0 #608

Closed anil-kumar-acquia closed 6 months ago

anil-kumar-acquia commented 6 months ago

Found the below vulnerability while we are https://github.com/fluent/fluent-package-builder/releases/tag/v4.5.1

Package name: yajl-ruby-1.4.1
Severity: CRITICAL
CVE IDs: CVE-2019-13224 CVE-2022-48174 CVE-2022-48565 CVE-2018-12892 CVE-2018-12892 CVE-2022-42889

Package name: fluentd-1.14.6
Severity: CRITICAL
CVE IDs: CVE-2019-13224 CVE-2022-48174 CVE-2022-48565 CVE-2018-12892 CVE-2018-12892 CVE-2022-42889

Packages are available at path: /opt/td-agent/lib/ruby/gems/2.7.0/gems/fluent-plugin-td-1.2.0/Gemfile.lock

I can see that fluent-plugin-td-1.2.0 is the latest available gem version, so we are looking for fixes for the above CVEs, as the severity level is Critical.

Reference for fluent-plugin-td gem: https://rubygems.org/gems/fluent-plugin-td/versions/1.2.0?locale=en

ashie commented 6 months ago

Packages are available at path: /opt/td-agent/lib/ruby/gems/2.7.0/gems/fluent-plugin-td-1.2.0/Gemfile.lock

The Gemfile.lock you point out isn't actually used. We actually use yajl-ruby-1.4.3. Please check that /opt/td-agent/lib/ruby/gems/2.7.0/gems/yajl-ruby-1.4.1 doesn't exist and that /opt/td-agent/lib/ruby/gems/2.7.0/gems/yajl-ruby-1.4.3 exists instead.
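An added check for the situation described in this thread (example code, not from the issue or the fluent-package-builder project): a scanner reading a Gemfile.lock shipped inside one gem's directory reports versions that were never installed, so the check below compares versions pinned in any such lockfile against the gem directories that actually exist. The gems directory layout is a constructed fixture mirroring the report.

```shell
#!/bin/sh
# Added example: separate gem versions actually installed under a td-agent
# gems directory from versions merely pinned in a Gemfile.lock that ships
# inside another gem's directory (the false positive in this issue).
set -eu

# installed_versions GEMS_DIR GEM_NAME -> versions present as gem directories
installed_versions() {
  gems_dir=$1; gem=$2
  for d in "$gems_dir/$gem"-*; do
    [ -d "$d" ] || continue
    echo "${d##*/$gem-}"
  done
}

# locked_versions LOCKFILE GEM_NAME -> versions pinned in a Gemfile.lock
# (spec lines look like "    yajl-ruby (1.4.1)")
locked_versions() {
  sed -n "s/^ *$2 (\([^)]*\))$/\1/p" "$1"
}

# check_gem GEMS_DIR GEM_NAME -> "ok" when every pinned version is installed,
# otherwise "stale-lock: <versions that exist only in lockfiles>"
check_gem() {
  gems_dir=$1; gem=$2; stale=""
  for lock in "$gems_dir"/*/Gemfile.lock; do
    [ -f "$lock" ] || continue
    for v in $(locked_versions "$lock" "$gem"); do
      [ -d "$gems_dir/$gem-$v" ] || stale="$stale $v"
    done
  done
  if [ -z "$stale" ]; then echo ok; else echo "stale-lock:$stale"; fi
}

# Constructed fixture (assumption, not a real install): yajl-ruby-1.4.3 is
# installed, while 1.4.1 is only pinned in fluent-plugin-td's Gemfile.lock.
GEMS=$(mktemp -d)
mkdir -p "$GEMS/yajl-ruby-1.4.3" "$GEMS/fluent-plugin-td-1.2.0"
printf 'GEM\n  specs:\n    yajl-ruby (1.4.1)\n' \
  > "$GEMS/fluent-plugin-td-1.2.0/Gemfile.lock"

echo "installed: $(installed_versions "$GEMS" yajl-ruby)"
echo "result:    $(check_gem "$GEMS" yajl-ruby)"
```

Pointing GEMS at a real /opt/td-agent/lib/ruby/gems/2.7.0/gems directory instead of the fixture gives the same stale-lock report for versions a scanner found only in a lockfile.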