Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docker image 7.38.0-jmx has critical vulnerability CVE-2022-1996 #12877

Closed
tarys opened this issue Jul 26, 2022 · 2 comments
Closed

Docker image 7.38.0-jmx has critical vulnerability CVE-2022-1996 #12877

tarys opened this issue Jul 26, 2022 · 2 comments
Labels
invalid

Comments

@tarys
Copy link

tarys commented Jul 26, 2022

Steps to reproduce the issue:

trivy image --severity CRITICAL datadog/agent:7.38.0-jmx

Output:

...
opt/datadog-agent/bin/agent/agent (gobinary)

Total: 1 (CRITICAL: 1)

┌────────────────────────────────┬───────────────┬──────────┬──────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │  Installed Version   │ Fixed Version │                            Title                             │
├────────────────────────────────┼───────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996 │ CRITICAL │ v2.16.0+incompatible │ v3.8.0        │ go-restful: Authorization Bypass Through User-Controlled Key │
│                                │               │          │                      │               │ https://avd.aquasec.com/nvd/cve-2022-1996                    │
└────────────────────────────────┴───────────────┴──────────┴──────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

opt/datadog-agent/embedded/bin/process-agent (gobinary)

Total: 1 (CRITICAL: 1)

┌────────────────────────────────┬───────────────┬──────────┬──────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │  Installed Version   │ Fixed Version │                            Title                             │
├────────────────────────────────┼───────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996 │ CRITICAL │ v2.16.0+incompatible │ v3.8.0        │ go-restful: Authorization Bypass Through User-Controlled Key │
│                                │               │          │                      │               │ https://avd.aquasec.com/nvd/cve-2022-1996                    │
└────────────────────────────────┴───────────────┴──────────┴──────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

opt/datadog-agent/embedded/bin/security-agent (gobinary)

Total: 1 (CRITICAL: 1)

┌────────────────────────────────┬───────────────┬──────────┬──────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │  Installed Version   │ Fixed Version │                            Title                             │
├────────────────────────────────┼───────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996 │ CRITICAL │ v2.16.0+incompatible │ v3.8.0        │ go-restful: Authorization Bypass Through User-Controlled Key │
│                                │               │          │                      │               │ https://avd.aquasec.com/nvd/cve-2022-1996                    │
└────────────────────────────────┴───────────────┴──────────┴──────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

opt/datadog-agent/embedded/bin/system-probe (gobinary)

Total: 1 (CRITICAL: 1)

┌────────────────────────────────┬───────────────┬──────────┬──────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │  Installed Version   │ Fixed Version │                            Title                             │
├────────────────────────────────┼───────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996 │ CRITICAL │ v2.16.0+incompatible │ v3.8.0        │ go-restful: Authorization Bypass Through User-Controlled Key │
│                                │               │          │                      │               │ https://avd.aquasec.com/nvd/cve-2022-1996                    │
└────────────────────────────────┴───────────────┴──────────┴──────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

opt/datadog-agent/embedded/bin/trace-agent (gobinary)

Total: 1 (CRITICAL: 1)

┌────────────────────────────────┬───────────────┬──────────┬──────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │  Installed Version   │ Fixed Version │                            Title                             │
├────────────────────────────────┼───────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996 │ CRITICAL │ v2.16.0+incompatible │ v3.8.0        │ go-restful: Authorization Bypass Through User-Controlled Key │
│                                │               │          │                      │               │ https://avd.aquasec.com/nvd/cve-2022-1996                    │
└────────────────────────────────┴───────────────┴──────────┴──────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Describe what happened:
Trivy scan reports critical vulnerability

Describe what you expected:
Trivy scan reports no critical vulnerabilities

Additional environment details (Operating System, Cloud provider, etc):
N/A
@tarys
Copy link
Author

tarys commented Jul 26, 2022
edited
Loading

If I got it right, currently used version of go-restful lib is 2.16.0:
https://github.com/DataDog/datadog-agent/blob/7.38.0/go.mod#L253

@sgnn7 sgnn7 added the invalid label Jul 26, 2022
@sgnn7
Copy link
Contributor

sgnn7 commented Jul 26, 2022

Hi @tarys!
As far as I know, this finding is not applicable to go-restful v2.16+ (relevant agent PR). You can see the fix in go-restful's 2.16.0's tag upstream history that includes the use exact matching of allowed domain entries commit. My guess is just that the scan tools don't currently have the latest fix ranges of versions.

I'll close this issue for now as it seems invalid but feel free to reopen it if you feel otherwise.

@sgnn7 sgnn7 closed this as completed Jul 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
invalid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sgnn7 @tarys