graylog-labs / gelf-rb

Ruby GELF library (Graylog Extended Log Format)
https://rubygems.org/gems/gelf
MIT License
153 stars 104 forks

Critical security vulnerability in gelf dependencies #88

Open bartoszkomin opened 4 years ago

bartoszkomin commented 4 years ago

Hello, we are using dockerized fluentd with fluent-plugin-gelf-hs, which also uses gelf-rb. Our vulnerability scanner found CRITICAL: 2, MEDIUM: 21 and HIGH: 7 in gelf-3.1.0. Can we kindly ask you to upgrade the dependencies to new, secure versions?

Steps to reproduce the issue: 1) Build the Docker image with this Dockerfile:

FROM fluent/fluentd:v1.7.4-1.0

# Use root account to use apk
USER root

# below RUN includes plugin as examples elasticsearch is not required
# you may customize including plugins as you wish
RUN apk add --no-cache --update --virtual .build-deps \
        sudo build-base ruby-dev \
 && apk add -U tzdata \
 && sudo gem install fluent-plugin-gelf-hs \
 && sudo gem sources --clear-all \
 && apk del .build-deps \
 && rm -rf /tmp/* /var/tmp/* /usr/lib/ruby/gems/*/cache/*.gem

USER fluent

and the build command docker build . -t fluentd-gelf

2) Scan the image with dockerized Trivy:

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd)/cache:/root/.cache/ aquasec/trivy fluentd-gelf

Scan result for gelf is:

usr/lib/ruby/gems/2.5.0/gems/gelf-3.1.0/Gemfile.lock
====================================================
Total: 32 (UNKNOWN: 2, LOW: 0, MEDIUM: 21, HIGH: 7, CRITICAL: 2)

+----------+------------------+----------+-------------------+------------------------------+--------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |        FIXED VERSION         |             TITLE              |
+----------+------------------+----------+-------------------+------------------------------+--------------------------------+
| json     | CVE-2013-0269    | HIGH     | 1.8.6-java        | >= 1.7.7                     | rubygem-json: Denial of        |
|          |                  |          |                   |                              | Service and SQL Injection      |
+          +                  +          +                   +------------------------------+                                +
|          |                  |          |                   | ~> 1.5.5, ~> 1.6.8, >= 1.7.7 |                                |
|          |                  |          |                   |                              |                                |
+          +------------------+----------+                   +------------------------------+--------------------------------+
|          | OSVDB-101157     | UNKNOWN  |                   | >= 1.1.0                     | json Gem for Ruby Data         |
|          |                  |          |                   |                              | Handling Stack Buffer Overflow |
+----------+------------------+----------+-------------------+------------------------------+--------------------------------+
| nokogiri | CVE-2016-4658    | CRITICAL | 1.6.8-java        | >= 1.7.1                     | libxml2: Use after free via    |
|          |                  |          |                   |                              | namespace node in XPointer     |
|          |                  |          |                   |                              | ranges                         |
+          +                  +          +-------------------+                              +                                +
|          |                  |          | 1.6.8             |                              |                                |
|          |                  |          |                   |                              |                                |
|          |                  |          |                   |                              |                                |
+          +------------------+----------+-------------------+------------------------------+--------------------------------+
|          | CVE-2019-5477    | HIGH     | 1.6.8-java        | >= 1.10.4                    | Rexical Command Injection      |
|          |                  |          |                   |                              | Vulnerability                  |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2019-11068   |          |                   | >= 1.10.3                    | libxslt: xsltCheckRead and     |
|          |                  |          |                   |                              | xsltCheckWrite routines        |
|          |                  |          |                   |                              | security bypass by crafted URL |
+          +                  +          +-------------------+                              +                                +
|          |                  |          | 1.6.8             |                              |                                |
|          |                  |          |                   |                              |                                |
|          |                  |          |                   |                              |                                |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2015-5312    |          | 1.6.8-java        | >= 1.6.7.1                   | libxml2: CPU exhaustion when   |
|          |                  |          |                   |                              | processing specially crafted   |
|          |                  |          |                   |                              | XML input                      |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2019-5477    |          | 1.6.8             | >= 1.10.4                    | Rexical Command Injection      |
|          |                  |          |                   |                              | Vulnerability                  |
+          +------------------+----------+-------------------+------------------------------+--------------------------------+
|          | CVE-2015-8806    | MEDIUM   | 1.6.8-java        | >= 1.6.8                     | libxml2: heap-buffer overread  |
|          |                  |          |                   |                              | in dict.c                      |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2019-13117   |          | 1.6.8             | >= 1.10.5                    | libxslt: an xsl number with    |
|          |                  |          |                   |                              | certain format strings could   |
|          |                  |          |                   |                              | lead to a...                   |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2018-8048    |          |                   | >= 1.8.3                     | rubygem-loofah: XSS            |
|          |                  |          |                   |                              | vulnerability due to unescaped |
|          |                  |          |                   |                              | comments within attributes by  |
|          |                  |          |                   |                              | libxml2                        |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2015-1819    |          | 1.6.8-java        | ~> 1.6.6.4, >= 1.6.7.rc4     | libxml2: denial of service     |
|          |                  |          |                   |                              | processing a crafted XML       |
|          |                  |          |                   |                              | document                       |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2018-14404   |          | 1.6.8             | >= 1.8.5                     | libxml2: NULL pointer          |
|          |                  |          |                   |                              | dereference in                 |
|          |                  |          |                   |                              | xpath.c:xmlXPathCompOpEval()   |
|          |                  |          |                   |                              | can allow attackers to cause   |
|          |                  |          |                   |                              | a...                           |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2015-7499    |          | 1.6.8-java        | >= 1.6.7.2                   | libxml2: Heap-based buffer     |
|          |                  |          |                   |                              | overflow in xmlGROW            |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2017-9050    |          | 1.6.8             | >= 1.8.1                     | libxml2: Heap-based buffer     |
|          |                  |          |                   |                              | over-read in function          |
|          |                  |          |                   |                              | xmlDictAddString               |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2017-5029    |          |                   | >= 1.7.2                     | chromium-browser: integer      |
|          |                  |          |                   |                              | overflow in libxslt            |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2017-15412   |          | 1.6.8-java        | >= 1.8.2                     | chromium-browser: use after    |
|          |                  |          |                   |                              | free in libxml                 |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2017-16932   |          |                   | >= 1.8.1                     | libxml2: Infinite recursion in |
|          |                  |          |                   |                              | parameter entities             |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2017-5029    |          |                   | >= 1.7.2                     | chromium-browser: integer      |
|          |                  |          |                   |                              | overflow in libxslt            |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2017-9050    |          |                   | >= 1.8.1                     | libxml2: Heap-based buffer     |
|          |                  |          |                   |                              | over-read in function          |
|          |                  |          |                   |                              | xmlDictAddString               |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2018-14404   |          |                   | >= 1.8.5                     | libxml2: NULL pointer          |
|          |                  |          |                   |                              | dereference in                 |
|          |                  |          |                   |                              | xpath.c:xmlXPathCompOpEval()   |
|          |                  |          |                   |                              | can allow attackers to cause   |
|          |                  |          |                   |                              | a...                           |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2018-8048    |          |                   | >= 1.8.3                     | rubygem-loofah: XSS            |
|          |                  |          |                   |                              | vulnerability due to unescaped |
|          |                  |          |                   |                              | comments within attributes by  |
|          |                  |          |                   |                              | libxml2                        |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2017-16932   |          | 1.6.8             | >= 1.8.1                     | libxml2: Infinite recursion in |
|          |                  |          |                   |                              | parameter entities             |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2019-13117   |          | 1.6.8-java        | >= 1.10.5                    | libxslt: an xsl number with    |
|          |                  |          |                   |                              | certain format strings could   |
|          |                  |          |                   |                              | lead to a...                   |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2017-15412   |          | 1.6.8             | >= 1.8.2                     | chromium-browser: use after    |
|          |                  |          |                   |                              | free in libxml                 |
+          +------------------+          +-------------------+------------------------------+--------------------------------+
|          | CVE-2013-6460    |          | 1.6.8-java        | ~> 1.5.11, >= 1.6.1          | rubygem-nokogiri: DoS while    |
|          |                  |          |                   |                              | parsing XML documents          |
+          +------------------+          +                   +                              +--------------------------------+
|          | CVE-2013-6461    |          |                   |                              | rubygem-nokogiri: DoS while    |
|          |                  |          |                   |                              | parsing XML entities           |
+          +------------------+          +                   +------------------------------+--------------------------------+
|          | CVE-2012-6685    |          |                   | >= 1.5.4                     | rubygem-nokogiri: XML eXternal |
|          |                  |          |                   |                              | Entity (XXE) flaw              |
+          +------------------+----------+                   +------------------------------+--------------------------------+
|          | OSVDB-118481     | UNKNOWN  |                   | >= 1.6.3                     | Nokogiri Gem for JRuby XML     |
|          |                  |          |                   |                              | Document Root Element Handling |
|          |                  |          |                   |                              | Memory Consumption Remote DoS  |
|          |                  |          |                   |                              | ...                            |
+----------+------------------+----------+-------------------+------------------------------+--------------------------------+
| rack     | CVE-2018-16471   | MEDIUM   | 1.6.4             | ~> 1.6.11, >= 2.0.6          | rubygem-rack: Cross-site       |
|          |                  |          |                   |                              | scripting (XSS) via `scheme`   |
|          |                  |          |                   |                              | method on `Rack::Request`      |
+----------+------------------+----------+-------------------+------------------------------+--------------------------------+

Thank you.
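The scan above is keyed off the Gemfile.lock that ships inside the installed gem (usr/lib/ruby/gems/2.5.0/gems/gelf-3.1.0/Gemfile.lock), which pins the gem's development and test dependencies, not only what the gemspec declares at runtime. Before filing or triaging such findings it is worth re-checking each pinned version against the scanner's "fixed version" column yourself, because that column lists alternative fixed branches (for rack, "~> 1.6.11, >= 2.0.6" means either the 1.6.x backport or 2.0.6 and later), so the pinned version is fixed if it satisfies any one of them, not all of them. The Ruby script below is an added example and is not code from gelf-rb, fluent-plugin-gelf-hs, Trivy, or the reporter. The lockfile text and the FIXED table are constructed for illustration from the versions and constraints shown in the scan output (only a subset of the CVEs is included); the function names are this example's own.

```ruby
# Added example: check pinned Gemfile.lock versions against scanner
# "fixed version" constraints, treating comma-separated constraints as
# alternatives (OR), the way the scan output above lists them.
require "rubygems"

# Constructed sample lockfile; versions mirror those in the scan output above.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (1.8.6)
      json (1.8.6-java)
      nokogiri (1.6.8)
      nokogiri (1.6.8-java)
      rack (1.6.4)
      rake (10.5.0)

  PLATFORMS
    java
    ruby

  DEPENDENCIES
    json
    nokogiri
    rack
    rake
LOCK

# Constructed from the scan output: library => { vuln id => [alternative fixed ranges] }.
# A pinned version counts as fixed when it satisfies ANY listed range.
FIXED = {
  "json"     => { "CVE-2013-0269"  => ["~> 1.5.5", "~> 1.6.8", ">= 1.7.7"] },
  "nokogiri" => { "CVE-2016-4658"  => [">= 1.7.1"],
                  "CVE-2019-5477"  => [">= 1.10.4"] },
  "rack"     => { "CVE-2018-16471" => ["~> 1.6.11", ">= 2.0.6"] },
}.freeze

# Parse the `specs:` block of a Gemfile.lock. Top-level specs are indented by
# exactly four spaces ("    name (version[-platform])"); the six-space lines
# beneath them are that spec's own dependency requirements and are skipped.
# Returns [[name, raw_version], ...].
def parse_lock_specs(text)
  specs = []
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^\S/ # next top-level section (PLATFORMS, ...)
    next unless in_specs
    if (m = line.match(/^ {4}(\S+) \(([^)]+)\)\s*$/))
      specs << [m[1], m[2]]
    end
  end
  specs
end

# Drop a platform suffix such as "-java" or "-x86-mingw32" so the version can
# be compared with Gem::Version (which would otherwise read "-java" as a
# prerelease tag).
def version_of(raw_version)
  Gem::Version.new(raw_version.sub(/-[A-Za-z].*\z/, ""))
end

# Return [[name, raw_version, vuln_id], ...] for every pinned spec whose
# version satisfies none of the fixed ranges recorded for that vuln id.
def unfixed_findings(lock_text, fixed = FIXED)
  findings = []
  parse_lock_specs(lock_text).each do |name, raw|
    next unless fixed.key?(name)
    version = version_of(raw)
    fixed[name].each do |vuln_id, alternatives|
      fixed_here = alternatives.any? do |range|
        Gem::Requirement.new(range).satisfied_by?(version)
      end
      findings << [name, raw, vuln_id] unless fixed_here
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  unfixed_findings(SAMPLE_LOCK).each do |name, raw, vuln_id|
    puts "#{name} #{raw}: #{vuln_id} not fixed"
  end
end
```

Run with plain `ruby`, or point parse_lock_specs at the real lockfile read from the image. With the constructed data the nokogiri and rack rows come back as unfixed, while json 1.8.6 (with or without the -java suffix) satisfies ">= 1.7.7" under rubygems version semantics; the scan output above nevertheless lists json 1.8.6-java as HIGH with that same fixed version, so that row is one to confirm by hand rather than take at face value.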

ChristianWeissCG commented 4 years ago

Thanks for the report, I hope it will be fixed fast.