Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Image vulnerablities #235

Open
jin-ahn opened this issue Nov 2, 2022 · 18 comments
Open

Image vulnerablities #235

jin-ahn opened this issue Nov 2, 2022 · 18 comments
Labels

Comments

@jin-ahn
Copy link

jin-ahn commented Nov 2, 2022

The latest (4.3.9) docker image of graylog has 6 critical and 73 high vulnerabilities related to apache, minidev, fasterxml, netty, etc. Can we get these patched?

image

@justingood
Copy link

4.3.9 is also running an older version of openssl (3.0.2) affected by the recent advisory

@coffee-squirrel
Copy link

coffee-squirrel commented Nov 3, 2022

4.3.9 is also running an older version of openssl (3.0.2) affected by the recent advisory

The 4.3.9 images have packages openssl and libssl3 @ 3.0.2-0ubuntu1.7, which has the fix.

@jin-ahn
Copy link
Author

jin-ahn commented Nov 3, 2022

@coffee-squirrel are there plans to patch the other vulnerabilites i have shown?

@coffee-squirrel
Copy link

@jin-ahn I'm not with Graylog, so I don't know.

It seems most/all of those are related to "Graylog the Java app" versus the container image, so you might get more traction by following the process mentioned at https://github.com/Graylog2/graylog2-server/blob/master/SECURITY.md.

@kroepke
Copy link
Member

kroepke commented Nov 7, 2022

Hi!

Sorry for the delay:
The critical shiro-related issues don't apply to Graylog, but we will still look at updating the library.
The quartz one also doesn't apply, while it is shipped through another dependency, Graylog doesn't use the scheduling functions the vulnerability is about.

For Graylog 5.0 (in beta right now) we are updating Jackson and Netty, which should address those issues. Unfortunately, those are quite involved to backport, so we will most likely not bump the version in 4.3.
Furthermore, Graylog doesn't use snappy in any user-facing form, so the vulnerability also doesn't apply.

I'll leave this open until we are closing some internal issues that are pointing here. Thanks!

@bernd bernd added the triaged label Nov 7, 2022
@jin-ahn
Copy link
Author

jin-ahn commented Nov 29, 2022

Hi, just thought I'd give an update. I've checked the latest 5.0 rc2 image for vulnerabilities. and although there is an improvement the critical ones still remain. I understand that they don't necessarily apply to graylog, but if it's a low-hanging fruit, it would be great for our usage to have the libraries updated.

image

@jin-ahn
Copy link
Author

jin-ahn commented Jan 5, 2023

Hi @kroepke, just to confirm - are their still plans to patch the remaining vulnerabilites? Or are we leaving them alone?

image

@jin-ahn
Copy link
Author

jin-ahn commented Feb 7, 2023

Most recent update of 5.0.3 is vastly improved. Just 1 critical vulnerability remaining. Need to update json-smart to 2.4.1

image

@jin-ahn
Copy link
Author

jin-ahn commented Mar 7, 2023

New vulnerablities have come out that impact graylog image. I know the shiro-core doesn't apply but there are others
image

@Jeffrey778
Copy link

Hi, I notice there are updates to fix the vulnerablities, can someone also build a image and push to hub? Thanks.
image

@bernd
Copy link
Member

bernd commented Apr 13, 2023

@Jeffrey778 The fixed will be part of the next stable release (5.0.7) that ships beginning of May.

UPDATE: We will only backport fixes for security issues that affect Graylog.

@jin-ahn
Copy link
Author

jin-ahn commented Apr 20, 2023

Hi. 5.0.6 also has new vulnerablities related to org.quartz-scheduler and org.yaml:snakeyaml

https://nvd.nist.gov/vuln/detail/CVE-2019-13990

https://nvd.nist.gov/vuln/detail/CVE-2022-1471

image

@jin-ahn
Copy link
Author

jin-ahn commented May 16, 2023

5.0.7 has 6 critical and 11 high vulnerabilities
image

@jin-ahn
Copy link
Author

jin-ahn commented May 17, 2023

5.1.0 has vulnerabilites that are high and critical
image

@jin-ahn
Copy link
Author

jin-ahn commented May 17, 2023

@bernd could you comment on whether or not there are plans to patch these?

@jin-ahn
Copy link
Author

jin-ahn commented May 31, 2023

5.1.1 still has same vulnerabilities. @bernd
image

@jin-ahn
Copy link
Author

jin-ahn commented Aug 29, 2023

5.1.2 has more vulnerabilities
image

@jin-ahn
Copy link
Author

jin-ahn commented Nov 1, 2023

5.2.0 Vulnerabilities
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

6 participants