opensearch-project / logstash-output-opensearch

A Logstash plugin that sends event data to OpenSearch clusters and stores it as an index.
https://opensearch.org/docs/latest/clients/logstash/index/
Apache License 2.0

[BUG] #175

Closed deepagkanaka closed 8 months ago

deepagkanaka commented 2 years ago

Describe the bug

The following security items exist in opensearchproject/logstash-oss-with-opensearch-output-plugin [8.4.0]:


| Component | Version | CVE | Fixed in |
| -- | -- | -- | -- |
| bundler | 2.2.29 | CVE-2021-43809 | |
| org.yaml_snakeyaml | 1.3 | CVE-2022-25857 | 1.31 |
| org.yaml_snakeyaml | 1.28 | CVE-2022-25857 | 1.31 |
| org.yaml_snakeyaml | 1.18 | CVE-2017-18640 | 1.26 |
| org.yaml_snakeyaml | 1.18 | CVE-2022-25857 | 1.31 |
| com.fasterxml.jackson.core_jackson-databind | 2.9.10.8 | CVE-2020-36518 | 2.12.6.1, 2.13.2.1 |
| io.netty_netty-all | 4.1.65 | CVE-2021-37136 | 4.1.68 |
| io.netty_netty-all | 4.1.65 | CVE-2021-37137 | 4.1.68 |
| com.google.code.gson_gson | 2.8.5 | CVE-2022-25647 | 2.8.9 |
| go | 1.19 | CVE-2022-32190 | |
| go | 1.19 | CVE-2022-27664 | 1.19.1, 1.18.6 |

ryanpersaud commented 1 year ago

There are a number of vulnerable packages in this project, like the ones identified in this ticket.

Are there any plans to address these? If the intent is for folks to use this project in production environments, then it seems like vulnerable packages should be addressed at a regular cadence. I've sent a similar message to aws-security@amazon.com.

sshivanii commented 1 year ago

Hi @ryanpersaud,

We are actively investigating these CVEs, and since some of the dependencies in the CVEs are imported from the logstash-core directory, we are expecting a release and fix in Logstash version 8.6.1.

It'll be really helpful if you can link to the vulnerable packages and dependencies you identified in the project, thanks.

ryanpersaud commented 1 year ago

Here are the packages, CVEs and fixed versions:

| Package | Version | CVE | Fixed Version |
| -- | -- | -- | -- |
| com.fasterxml.jackson.core_jackson-databind | 2.13.3 | CVE-2022-42003 | 2.14.0 |
| com.fasterxml.jackson.core_jackson-databind | 2.13.3 | CVE-2022-42004 | 2.13.4 |
| com.fasterxml.jackson.core_jackson-databind | 2.9.10.8 | CVE-2020-36518 | 2.12.6.1, 2.13.2.1 |
| com.fasterxml.jackson.core_jackson-databind | 2.9.10.8 | CVE-2022-42003 | 2.14.0 |
| com.fasterxml.jackson.core_jackson-databind | 2.9.10.8 | CVE-2022-42004 | 2.13.4 |
| com.google.code.gson_gson | 2.8.5 | CVE-2022-25647 | 2.8.9 |
| derby | 10.14.1.0 | CVE-2018-1313 | 10.14.2.0 |
| go | 1.19 | CVE-2022-27664 | 1.19.1, 1.18.6 |
| go | 1.19 | CVE-2022-2879 | 1.19.2, 1.18.7 |
| go | 1.19 | CVE-2022-2880 | 1.19.2, 1.18.7 |
| go | 1.19 | CVE-2022-32190 | 1.18.6 |
| go | 1.19 | CVE-2022-41715 | 1.19.2, 1.18.7 |
| go | 1.19 | CVE-2022-41716 | 1.19.3, 1.18.8 |
| go | 1.19 | CVE-2022-41717 | 1.19.4, 1.18.9 |
| io.netty_netty-all | 4.1.65 | CVE-2021-37136 | 4.1.68 |
| io.netty_netty-all | 4.1.65 | CVE-2021-37137 | 4.1.68 |
| io.netty_netty-all | 4.1.65 | CVE-2021-43797 | 4.1.71 |
| io.netty_netty-all | 4.1.65 | CVE-2022-24823 | 4.1.77 |
| io.netty_netty-all | 4.1.65 | CVE-2022-41881 | 4.1.86 |
| io.netty_netty-all | 4.1.65 | CVE-2022-41915 | 4.1.86 |
| org.glassfish.jersey.core_jersey-common | 2.33 | CVE-2021-28168 | 3.0.2, 2.34 |
| org.yaml_snakeyaml | 1.18 | CVE-2017-18640 | 1.26 |
| org.yaml_snakeyaml | 1.18 | CVE-2022-25857 | 1.31 |
| org.yaml_snakeyaml | 1.18 | CVE-2022-38749 | 1.31 |
| org.yaml_snakeyaml | 1.18 | CVE-2022-38750 | 1.31 |
| org.yaml_snakeyaml | 1.18 | CVE-2022-38751 | 1.31 |
| org.yaml_snakeyaml | 1.18 | CVE-2022-38752 | 1.32 |
| org.yaml_snakeyaml | 1.18 | CVE-2022-41854 | 1.32 |
| org.yaml_snakeyaml | 1.28 | CVE-2022-25857 | 1.31 |
| org.yaml_snakeyaml | 1.28 | CVE-2022-38749 | 1.31 |
| org.yaml_snakeyaml | 1.28 | CVE-2022-38750 | 1.31 |
| org.yaml_snakeyaml | 1.28 | CVE-2022-38751 | 1.31 |
| org.yaml_snakeyaml | 1.28 | CVE-2022-38752 | 1.32 |
| org.yaml_snakeyaml | 1.28 | CVE-2022-41854 | 1.32 |
| org.yaml_snakeyaml | 1.30 | CVE-2022-1471 | 1.31 |
| org.yaml_snakeyaml | 1.30 | CVE-2022-25857 | 1.31 |
| org.yaml_snakeyaml | 1.30 | CVE-2022-38749 | 1.31 |
| org.yaml_snakeyaml | 1.30 | CVE-2022-38750 | 1.31 |
| org.yaml_snakeyaml | 1.30 | CVE-2022-38751 | 1.31 |
| org.yaml_snakeyaml | 1.30 | CVE-2022-38752 | 1.32 |
| org.yaml_snakeyaml | 1.30 | CVE-2022-41854 | 1.32 |

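
The "Fixed Version" column in these scanner tables lists one fixed version per release branch for some entries (for example "1.19.1, 1.18.6") and is empty where no fix was known when the scan ran, so a naive "detected < fixed" comparison misreads it. The Ruby script below is an added example, not code from the plugin or from anyone in this thread. It parses a constructed subset of the rows above and classifies each finding against the fix on the detected version's own major.minor branch; the fallback for a version on a branch with no listed fix (treat it as fixed only if it is at or above the lowest fixed version overall) is an assumption made for this example, not a rule stated in the thread.

```ruby
# Added example (not part of the plugin or the issue thread): decide whether a
# detected dependency version is still affected by a CVE, given the "Fixed in"
# field exactly as the scanner reported it.
require "rubygems" # provides Gem::Version for correct version ordering

Finding = Struct.new(:component, :version, :cve, :fixed_in)

# Constructed sample subset of the rows quoted in the issue, in the same
# "component | version | CVE | fixed in" layout. The empty last cell on the
# CVE-2022-32190 row mirrors the first table, where no fix was listed.
SAMPLE_ROWS = <<~ROWS
  go | 1.19 | CVE-2022-27664 | 1.19.1, 1.18.6
  go | 1.19 | CVE-2022-32190 |
  io.netty_netty-all | 4.1.65 | CVE-2021-37136 | 4.1.68
  org.yaml_snakeyaml | 1.30 | CVE-2022-1471 | 1.31
  com.fasterxml.jackson.core_jackson-databind | 2.13.3 | CVE-2022-42004 | 2.13.4
ROWS

# Parse pipe-separated rows into Finding structs; the fixed-in cell becomes a
# list of versions (possibly empty).
def parse_findings(text)
  text.lines.map do |line|
    cells = line.split("|").map(&:strip)
    next if cells.size < 3

    fixed = cells[3].to_s.split(",").map(&:strip).reject(&:empty?)
    Finding.new(cells[0], cells[1], cells[2], fixed)
  end.compact
end

# Major.minor release branch of a version string, e.g. "1.18.6" -> "1.18".
def branch_of(version)
  version.split(".").first(2).join(".")
end

# Returns :vulnerable, :fixed or :no_fix_known.
# The fixed-in list may carry one entry per maintained branch, so prefer the
# entry on the detected version's own branch; otherwise fall back to the lowest
# fixed version overall (assumption: any newer branch already contains the fix).
def assess(version, fixed_in)
  return :no_fix_known if fixed_in.empty?

  detected = Gem::Version.new(version)
  same_branch = fixed_in.find { |f| branch_of(f) == branch_of(version) }
  target_str = same_branch || fixed_in.min_by { |f| Gem::Version.new(f) }
  detected < Gem::Version.new(target_str) ? :vulnerable : :fixed
end

# Classify every finding; returns [component, version, cve, status] rows.
def audit(text)
  parse_findings(text).map do |f|
    [f.component, f.version, f.cve, assess(f.version, f.fixed_in)]
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_ROWS).each do |component, version, cve, status|
    puts format("%-45s %-10s %-15s %s", component, version, cve, status)
  end
end
```

Gem::Version does the ordering so that "1.19" sorts below "1.19.1" and "4.1.65" below "4.1.68" without string-comparison surprises; the branch matching is what keeps "1.18.7" from being flagged against a "1.19.2, 1.18.7" fix line.
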
sshivanii commented 1 year ago

Thanks for the detailed response, @ryanpersaud. We're verifying the new version of Logstash 8.6.1, which fixes all/most of the CVEs, and after that we can release a new version of the output plugin with the fixes.

dblock commented 8 months ago

Closing, use newer versions of logstash.