[Q&A] need VAPT report to use this app.

[teqoit]

Documentation & bug reporting acknowledgment

Yes, I read it

Describe your problem

we have done VAPT internally and its found some vulnerabilities.

and more

[g-bougard]

Hi @teqoit

joining a full text report would have been helpful, and maybe it would have include all the discovered issues.

For all the CVE you're showing here, all are related to OpenSSL which is OpenSSL 1.1.1i in our MSI package. It is really outdated and you should know next 1.8 version would no more use this outdated OpenSSL DLL. And our nightly builds are still using an up-to-date OpenSSL DLL (actually the 3.2.1 version) as actually I adapted the build process to be able to build ourself the OpenSSL DLL from source. So we can use the latest release as soon as possible.

An important point to know is by default OpenSSL in GLPI-Agent can only be used in a client context toward a well-known GLPI server if you configured your server parameter with an https url. This means most of that security problems won't affect you as you're running it in a trusted environment. You may be affected indeed if your GLPI server has been compromised and the attacker tries to compromise incoming SLL clients. This means you still have a big wall before somebody can try to compromise a windows GLPI-Agent.

Of course, as this is eventually possible, we need to figure out the problem and, as I said, this is still addressed for next version regarding OpenSSL as we will use the latest possible OpenSSL version. But have you in the report some other CVE not related to OpenSSL ?

Can you eventually provide a report for the latest nightly build ? Take it from there: https://nightly.glpi-project.org/glpi-agent/

[g-bougard]

In nightly builds, all the reported DLL libraries are still updated to latest version. Tell me if you find a problem with nightly builds, maybe related to zlib as your report seems to weirdly detect 2 zlib versions.

Only 7zip is not already updated.

[teqoit]

i have got the report for attached nightly build also.

In that Some outdated components were found during the scan. Also, Medium and Low ratings susceptible components found during the scan, it should not be used in our network. In addition, a non-compliant copyleft license is being used.
However, in case of a dependency, Use the software in an isolated system (Which is not in our network).

[g-bougard]

About zlib-1.2.11, we don't embed it in our MSI packaging. Even CVE-2023-6992 tells this CVE is related to CloudFlare zlib version... I don't know where it can come from. Maybe this is a glitch of your tool or maybe it is included by Wix Toolset, but I don't see why it would do so.
Then I would like to know where it finds that DLL in our MSI package.

I still can tell you this dll is surely not installed with the agent after a successful install.

In addition, a non-compliant copyleft license is being used.

Don't you have more detailed information on that detected problem ?

Also, Medium and Low ratings susceptible components found during the scan, it should not be used in our network.

And what could be these components ?

Anyway does your tool provide a detailed text report ?
This would really be more convenient to work with. You can send it privately by email if you want: gbougard <at> teclib <dot> com

[teqoit]

i have sent an email. i dont have text report. PDF file attached

[g-bougard]

Hi @teqoit

the provided report are missing detailed datas. And so I can't answer to these 2 questions:

• where does it find this zlib-1.2.11 in nightly builds ?
• what are these licensing issues ?

Have you update the report running this tool on latest nightly build which includes 7zip update ?

[teqoit]

any update?

[g-bougard]

Hi @teqoit

glpi-agent 1.8 was released last week and fixes most of your concerns. Anyway, some issues was reported regarding ssl support and as now it is fixed in nightly builds, I can understand how your VAPT tool reported was able to report zlib 1.2.11 was used.

So can you use your tool on latest nightly build ?

About the licensing issues, I still require more details.