splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0
152 stars 107 forks

SC4S contains curl CVEs #2246

Closed zyphermonkey closed 10 months ago

zyphermonkey commented 10 months ago

These paths are all wonky because they're coming from the host OS into the podman storage overlay, but I hope they're still helpful.

[MEDIUM] libcurl 7.9.1 < 8.4.0 Cookie Injection (182873) CVE-2023-38546

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38546

  Path              : /var/lib/containers/storage/overlay/fd02c305ec5de0d43d9496635c81f068f72b2f51720fdc9c0fbe5d481ecdd80b/diff/usr/lib64/libcurl.so.4.5.0
  Installed version : 7.61.1
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/b4e347eee7c876da2779518fb5010b891a329a5075a04508e6adaaa51ce306b6/diff/usr/lib64/libcurl.so.4.5.0
  Installed version : 7.61.1
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/afb34bb726ea187a9a7d50f337a6c4ca5b19c8f305da4ba7faf765b7390c85cd/diff/usr/lib64/libcurl.so.4.5.0
  Installed version : 7.61.1
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/a0d7da771407d75b06aedd55c5cde56475069f13730fb52c064c323cff53cea4/diff/usr/lib/libcurl.so.4.8.0
  Installed version : 8.3.0
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/cc5832ba78c7653bfdc4aa51c91eeffaa4f4c80f98b3c5adaf723c630c91d28f/merged/usr/lib/libcurl.so.4.8.0
  Installed version : 8.3.0
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/9f5eb19c4710958b8cf6dcca5dc95dee1b89ccded24f9f892d1b87295f787a76/diff/usr/lib64/libcurl.so.4.5.0
  Installed version : 7.61.1
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/969a314a7e27425381e152600faab6954cc097a0606a641e76b9d05b2f4b3649/diff/usr/lib64/libcurl.so.4.5.0
  Installed version : 7.61.1
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/352ba846236b2af884cab10c53aa37d82bba9d9fb0f8797d5af211ccf317e236/diff/usr/lib64/libcurl.so.4.5.0
  Installed version : 7.61.1
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/27816a545a374258c2a50f68aaf3efeb226ebb2529b11e47477e552726d730be/diff/usr/lib/libcurl.so.4.8.0
  Installed version : 8.2.1
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/04e737e5a152354338cd3faa8eeed6a698c8f0022d27a38364cc5ccb7b9ccf07/diff/usr/lib64/libcurl.so.4.5.0
  Installed version : 7.61.1
  Fixed version     : 8.4.0

[HIGH] libcurl 7.69 < 8.4.0 Heap Buffer Overflow (182874) CVE-2023-38545

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38545

  Path              : /var/lib/containers/storage/overlay/a0d7da771407d75b06aedd55c5cde56475069f13730fb52c064c323cff53cea4/diff/usr/lib/libcurl.so.4.8.0
  Installed version : 8.3.0
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/27816a545a374258c2a50f68aaf3efeb226ebb2529b11e47477e552726d730be/diff/usr/lib/libcurl.so.4.8.0
  Installed version : 8.2.1
  Fixed version     : 8.4.0

[HIGH] Curl 7.69 < 8.4.0 Heap Buffer Overflow (182875) CVE-2023-38545

  Path              : /var/lib/containers/storage/overlay/f70bbc7f20e1e13e55f0257df26bb15ef7288b5ffa8c8b42461c5d0f3e27ff9e/diff/usr/bin/curl
  Installed version : 8.2.1
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/a0d7da771407d75b06aedd55c5cde56475069f13730fb52c064c323cff53cea4/diff/usr/bin/curl
  Installed version : 8.3.0
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/cc5832ba78c7653bfdc4aa51c91eeffaa4f4c80f98b3c5adaf723c630c91d28f/merged/usr/bin/curl
  Installed version : 8.3.0
  Fixed version     : 8.4.0
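Added example, not part of the issue or of the SC4S project: a small POSIX shell script that re-derives the scanner's verdicts from findings in the same "Path / Installed version / Fixed version" layout shown above. It collapses the per-layer duplicates (the overlay digests only repeat the same files) to unique installed versions and tests each against the affected ranges published by the curl project: CVE-2023-38545 affects 7.69.0 up to but not including 8.4.0, CVE-2023-38546 affects 7.9.1 up to but not including 8.4.0. That is why the 7.61.1 libcurl copies appear only under the cookie-injection finding. The report embedded in the script is constructed for the example and uses placeholder layer ids, not the digests from the issue. One caveat a version-only scan cannot see: distributions that backport fixes keep the upstream version string, so a 7.61.1 finding on a distro-packaged libcurl needs confirming against the package changelog or the vendor advisory rather than the version number alone.

```shell
#!/bin/sh
# Added example (not SC4S code): reproduce a scanner's curl CVE verdicts from a
# Path / Installed version / Fixed version report.
#
# Affected ranges from the curl project's advisories:
#   CVE-2023-38545 (SOCKS5 heap overflow): 7.69.0 <= v < 8.4.0
#   CVE-2023-38546 (cookie injection):     7.9.1  <= v < 8.4.0
# Versions are compared component by component, never as strings:
# as strings "7.9.1" > "7.61.1", numerically it is the other way round.

# vercmp A B: print -1, 0 or 1 for A < B, A == B, A > B (dotted numeric versions)
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# in_range V LOW HIGH: succeed when LOW <= V < HIGH (HIGH is the fixed version)
in_range() {
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -lt 0 ]
}

# affected_cves VERSION: print the CVE ids whose affected range contains VERSION
affected_cves() {
    in_range "$1" 7.9.1  8.4.0 && echo CVE-2023-38546
    in_range "$1" 7.69.0 8.4.0 && echo CVE-2023-38545
    return 0
}

# summarize: read a scanner report on stdin and print "<version>: <cves>" once
# per unique installed version (the overlay layer paths only add duplicates)
summarize() {
    grep '^[[:space:]]*Installed version' | sed 's/^[^:]*: *//' | sort -u |
    while read -r v; do
        printf '%s:' "$v"
        affected_cves "$v" | while read -r c; do printf ' %s' "$c"; done
        printf '\n'
    done
}

# Constructed sample in the report's layout; LAYER_* are placeholders, not the
# real overlay digests from the issue.
sample_report() {
    cat <<'EOF'
  Path              : /var/lib/containers/storage/overlay/LAYER_A/diff/usr/lib64/libcurl.so.4.5.0
  Installed version : 7.61.1
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/LAYER_B/diff/usr/lib64/libcurl.so.4.5.0
  Installed version : 7.61.1
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/LAYER_C/diff/usr/bin/curl
  Installed version : 8.2.1
  Fixed version     : 8.4.0

  Path              : /var/lib/containers/storage/overlay/LAYER_D/merged/usr/bin/curl
  Installed version : 8.3.0
  Fixed version     : 8.4.0
EOF
}

sample_report | summarize
```

To check a running container instead of a scanner report, `podman exec <container> curl --version` prints both the curl binary's version and the libcurl it is linked against, which is the quickest way to confirm whether an updated image actually ships 8.4.0 or later.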

ikheifets-splunk commented 10 months ago

@zyphermonkey we released a new version of sc4s, 3.5.0; it should be fixed after this PR