Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Identified 25 vulnerabilities in datadog agent 7.47.0 #19181

Closed
sheffrong123 opened this issue Sep 2, 2023 · 1 comment
Closed

Identified 25 vulnerabilities in datadog agent 7.47.0 #19181

sheffrong123 opened this issue Sep 2, 2023 · 1 comment

Comments

@sheffrong123
Copy link

We are currently using Datadog Agent version 7.47.0, and we've identified 25 vulnerabilities in our environment using "docker scout cves" for scanning. Could you please assist us in addressing and remediating these vulnerabilities?

Thank you for your help.

% docker scout cves test
INFO New version 0.24.0 available (installed version is 0.16.1)
✓ SBOM of image already cached, 894 packages indexed
✗ Detected 18 vulnerable packages with a total of 25 vulnerabilities

0C 0H 2M 0L 1? in-toto 1.0.1
pkg:pypi/in-toto@1.0.1

✗ MEDIUM CVE-2023-32076 [External Control of System or Configuration Setting]
  https://scout.docker.com/v/CVE-2023-32076
  Affected range : <=1.4.0                                       
  Fixed version  : 2.0.0                                         
  CVSS Score     : 5.5                                           
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N  

✗ MEDIUM GHSA-jjgp-whrp-gq8m [Improper Certificate Validation]
  https://scout.docker.com/v/GHSA-jjgp-whrp-gq8m
  Affected range : <=1.4.0    
  Fixed version  : not fixed  

✗ UNSPECIFIED GMS-2023-1442 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/GMS-2023-1442
  Affected range : <=1.4.0    
  Fixed version  : not fixed

0C 0H 1M 1L aws-sdk-go 1.44.171
pkg:golang/github.com/aws/aws-sdk-go@1.44.171

✗ MEDIUM CVE-2020-8911
  https://scout.docker.com/v/CVE-2020-8911
  Affected range : >=0        
  Fixed version  : not fixed  

✗ LOW CVE-2020-8912
  https://scout.docker.com/v/CVE-2020-8912
  Affected range : >=0        
  Fixed version  : not fixed

0C 0H 1M 1L krb5 1.19.2-2ubuntu0.2
pkg:deb/ubuntu/krb5@1.19.2-2ubuntu0.2?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ MEDIUM CVE-2023-36054
  https://scout.docker.com/v/CVE-2023-36054
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 6.5                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H  

✗ LOW CVE-2018-5709
  https://scout.docker.com/v/CVE-2018-5709
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 7.5                                           
  CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0C 0H 1M 0L procps 2:3.3.17-6ubuntu2
pkg:deb/ubuntu/procps@2:3.3.17-6ubuntu2?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ MEDIUM CVE-2023-4016
  https://scout.docker.com/v/CVE-2023-4016
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 5.5                                           
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0C 0H 1M 0L net 0.11.0
pkg:golang/golang.org/x/net@0.11.0

✗ MEDIUM CVE-2023-3978
  https://scout.docker.com/v/CVE-2023-3978
  Affected range : <0.13.0  
  Fixed version  : 0.13.0

0C 0H 1M 0L redis 4.6.0
pkg:pypi/redis@4.6.0

✗ MEDIUM CVE-2023-28859
  https://scout.docker.com/v/CVE-2023-28859
  Affected range : <5.0.0b1  
  Fixed version  : 5.0.0b1

0C 0H 1M 0L rekor 1.1.1
pkg:golang/github.com/sigstore/rekor@1.1.1

✗ MEDIUM CVE-2023-33199 [Reachable Assertion]
  https://scout.docker.com/v/CVE-2023-33199
  Affected range : <1.2.0                                        
  Fixed version  : 1.2.0                                         
  CVSS Score     : 5.3                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0C 0H 1M 0L stdlib 1.20.6
pkg:golang/stdlib@1.20.6

✗ MEDIUM CVE-2023-29409
  https://scout.docker.com/v/CVE-2023-29409
  Affected range : >=1.20.0-0  
                 : <1.20.7     
  Fixed version  : 1.20.7

0C 0H 1M 0L perl 5.34.0-3ubuntu1.2
pkg:deb/ubuntu/perl@5.34.0-3ubuntu1.2?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ MEDIUM CVE-2022-48522
  https://scout.docker.com/v/CVE-2022-48522
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 9.8                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0C 0H 0M 2L 2? cryptography 39.0.1
pkg:pypi/cryptography@39.0.1

✗ LOW GHSA-jm77-qphf-c4w8
  https://scout.docker.com/v/GHSA-jm77-qphf-c4w8
  Affected range : >=0.8    
                 : <41.0.3  
  Fixed version  : 41.0.3   

✗ LOW GHSA-5cpq-8wj7-hf2v
  https://scout.docker.com/v/GHSA-5cpq-8wj7-hf2v
  Affected range : >=0.5     
                 : <=40.0.2  
  Fixed version  : 41.0.0    

✗ UNSPECIFIED GMS-2023-1898 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/GMS-2023-1898
  Affected range : >=0.8    
                 : <41.0.3  
  Fixed version  : 41.0.3   

✗ UNSPECIFIED GMS-2023-1778 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/GMS-2023-1778
  Affected range : >=0.5     
                 : <=40.0.2  
  Fixed version  : 41.0.0

0C 0H 0M 1L bash 5.1-6ubuntu1
pkg:deb/ubuntu/bash@5.1-6ubuntu1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2022-3715
  https://scout.docker.com/v/CVE-2022-3715
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 7.8                                           
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0C 0H 0M 1L openssl 3.0.2-0ubuntu1.10
pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.10?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2023-2975
  https://scout.docker.com/v/CVE-2023-2975
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 5.3                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

0C 0H 0M 1L gnupg2 2.2.27-3ubuntu2.1
pkg:deb/ubuntu/gnupg2@2.2.27-3ubuntu2.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2022-3219
  https://scout.docker.com/v/CVE-2022-3219
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 3.3                                           
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

0C 0H 0M 1L coreutils 8.32-4.1ubuntu1
pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2016-2781
  https://scout.docker.com/v/CVE-2016-2781
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 6.5                                           
  CVSS Vector    : CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

0C 0H 0M 1L pcre3 2:8.39-13ubuntu0.22.04.1
pkg:deb/ubuntu/pcre3@2:8.39-13ubuntu0.22.04.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2017-11164
  https://scout.docker.com/v/CVE-2017-11164
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 7.5                                           
  CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0C 0H 0M 1L shadow 1:4.8.1-2ubuntu2.1
pkg:deb/ubuntu/shadow@1:4.8.1-2ubuntu2.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2023-29383
  https://scout.docker.com/v/CVE-2023-29383
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 3.3                                           
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

0C 0H 0M 1L libzstd 1.4.8+dfsg-3build1
pkg:deb/ubuntu/libzstd@1.4.8+dfsg-3build1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2022-4899
  https://scout.docker.com/v/CVE-2022-4899
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 7.5                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0C 0H 0M 1L glibc 2.35-0ubuntu3.1
pkg:deb/ubuntu/glibc@2.35-0ubuntu3.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2016-20013
  https://scout.docker.com/v/CVE-2016-20013
  Affected range : >=0                                           
  Fixed version  : not fixed                                     
  CVSS Score     : 7.5                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

25 vulnerabilities found in 18 packages
UNSPECIFIED 3
LOW 12
MEDIUM 10
HIGH 0
CRITICAL 0
@L3n41c
Copy link
Member

L3n41c commented Sep 8, 2023

Hello @sheffrong123 !

Thank you very much for your detailed report.
Here is the analysis of the vulnerabilities you reported:

0C 0H 2M 0L 1? in-toto 1.0.1
pkg:pypi/in-toto@1.0.1

✗ MEDIUM CVE-2023-32076 [External Control of System or Configuration Setting]
  https://scout.docker.com/v/CVE-2023-32076
  Affected range : <=1.4.0
  Fixed version  : 2.0.0
  CVSS Score     : 5.5
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

✗ MEDIUM GHSA-jjgp-whrp-gq8m [Improper Certificate Validation]
  https://scout.docker.com/v/GHSA-jjgp-whrp-gq8m
  Affected range : <=1.4.0
  Fixed version  : not fixed

✗ UNSPECIFIED GMS-2023-1442 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/GMS-2023-1442
  Affected range : <=1.4.0
  Fixed version  : not fixed

Fixed by DataDog/integrations-core#15667.

0C 0H 1M 1L aws-sdk-go 1.44.171
pkg:golang/github.com/aws/aws-sdk-go@1.44.171

✗ MEDIUM CVE-2020-8911
  https://scout.docker.com/v/CVE-2020-8911
  Affected range : >=0
  Fixed version  : not fixed

✗ LOW CVE-2020-8912
  https://scout.docker.com/v/CVE-2020-8912
  Affected range : >=0
  Fixed version  : not fixed

As said in the report: « Fixed version : not fixed ».
We’ll pick the fix as soon as one will be released.

0C 0H 1M 1L krb5 1.19.2-2ubuntu0.2
pkg:deb/ubuntu/krb5@1.19.2-2ubuntu0.2?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ MEDIUM CVE-2023-36054
  https://scout.docker.com/v/CVE-2023-36054
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 6.5
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

✗ LOW CVE-2018-5709
  https://scout.docker.com/v/CVE-2018-5709
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 7.5
  CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

As said in the report: « Fixed version : not fixed ».
We’ll pick the fix as soon as one will be released.

0C 0H 1M 0L procps 2:3.3.17-6ubuntu2
pkg:deb/ubuntu/procps@2:3.3.17-6ubuntu2?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ MEDIUM CVE-2023-4016
  https://scout.docker.com/v/CVE-2023-4016
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 5.5
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

As said in the report: « Fixed version : not fixed ».
We’ll pick the fix as soon as one will be released.

0C 0H 1M 0L net 0.11.0
pkg:golang/golang.org/x/net@0.11.0

✗ MEDIUM CVE-2023-3978
  https://scout.docker.com/v/CVE-2023-3978
  Affected range : <0.13.0
  Fixed version  : 0.13.0

Fixed by #18659.

0C 0H 1M 0L redis 4.6.0
pkg:pypi/redis@4.6.0

✗ MEDIUM CVE-2023-28859
  https://scout.docker.com/v/CVE-2023-28859
  Affected range : <5.0.0b1
  Fixed version  : 5.0.0b1

Fixed by DataDog/integrations-core#15585.

0C 0H 1M 0L rekor 1.1.1
pkg:golang/github.com/sigstore/rekor@1.1.1

✗ MEDIUM CVE-2023-33199 [Reachable Assertion]
  https://scout.docker.com/v/CVE-2023-33199
  Affected range : <1.2.0
  Fixed version  : 1.2.0
  CVSS Score     : 5.3
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Fixed by #18227.

0C 0H 1M 0L stdlib 1.20.6
pkg:golang/stdlib@1.20.6

✗ MEDIUM CVE-2023-29409
  https://scout.docker.com/v/CVE-2023-29409
  Affected range : >=1.20.0-0
                 : <1.20.7
  Fixed version  : 1.20.7

Fixed by DataDog/datadog-agent-buildimages#432.

0C 0H 1M 0L perl 5.34.0-3ubuntu1.2
pkg:deb/ubuntu/perl@5.34.0-3ubuntu1.2?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ MEDIUM CVE-2022-48522
  https://scout.docker.com/v/CVE-2022-48522
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 9.8
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

As said in the report: « Fixed version : not fixed ».
We’ll pick the fix as soon as one will be released.

0C 0H 0M 2L 2? cryptography 39.0.1
pkg:pypi/cryptography@39.0.1

✗ LOW GHSA-jm77-qphf-c4w8
  https://scout.docker.com/v/GHSA-jm77-qphf-c4w8
  Affected range : >=0.8
                 : <41.0.3
  Fixed version  : 41.0.3

✗ LOW GHSA-5cpq-8wj7-hf2v
  https://scout.docker.com/v/GHSA-5cpq-8wj7-hf2v
  Affected range : >=0.5
                 : <=40.0.2
  Fixed version  : 41.0.0

✗ UNSPECIFIED GMS-2023-1898 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/GMS-2023-1898
  Affected range : >=0.8
                 : <41.0.3
  Fixed version  : 41.0.3

✗ UNSPECIFIED GMS-2023-1778 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/GMS-2023-1778
  Affected range : >=0.5
                 : <=40.0.2
  Fixed version  : 41.0.0

Fixed by DataDog/integrations-core#15517.

0C 0H 0M 1L bash 5.1-6ubuntu1
pkg:deb/ubuntu/bash@5.1-6ubuntu1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2022-3715
  https://scout.docker.com/v/CVE-2022-3715
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 7.8
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

As said in the report: « Fixed version : not fixed ».
We’ll pick the fix as soon as one will be released.

0C 0H 0M 1L openssl 3.0.2-0ubuntu1.10
pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.10?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2023-2975
  https://scout.docker.com/v/CVE-2023-2975
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 5.3
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

As said in the report: « Fixed version : not fixed ».
We’ll pick the fix as soon as one will be released.

0C 0H 0M 1L gnupg2 2.2.27-3ubuntu2.1
pkg:deb/ubuntu/gnupg2@2.2.27-3ubuntu2.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2022-3219
  https://scout.docker.com/v/CVE-2022-3219
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 3.3
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

As said in the report: « Fixed version : not fixed ».
We’ll pick the fix as soon as one will be released.

0C 0H 0M 1L coreutils 8.32-4.1ubuntu1
pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2016-2781
  https://scout.docker.com/v/CVE-2016-2781
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 6.5
  CVSS Vector    : CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

As said in the report: « Fixed version : not fixed ».
We’ll pick the fix as soon as one will be released.

0C 0H 0M 1L pcre3 2:8.39-13ubuntu0.22.04.1
pkg:deb/ubuntu/pcre3@2:8.39-13ubuntu0.22.04.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2017-11164
  https://scout.docker.com/v/CVE-2017-11164
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 7.5
  CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

As said in the report: « Fixed version : not fixed ».
We’ll pick the fix as soon as one will be released.

0C 0H 0M 1L shadow 1:4.8.1-2ubuntu2.1
pkg:deb/ubuntu/shadow@1:4.8.1-2ubuntu2.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2023-29383
  https://scout.docker.com/v/CVE-2023-29383
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 3.3
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

As said in the report: « Fixed version : not fixed ».
We’ll pick the fix as soon as one will be released.

0C 0H 0M 1L libzstd 1.4.8+dfsg-3build1
pkg:deb/ubuntu/libzstd@1.4.8+dfsg-3build1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2022-4899
  https://scout.docker.com/v/CVE-2022-4899
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 7.5
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

As said in the report: « Fixed version : not fixed ».
We’ll pick the fix as soon as one will be released.

0C 0H 0M 1L glibc 2.35-0ubuntu3.1
pkg:deb/ubuntu/glibc@2.35-0ubuntu3.1?os_distro=jammy&os_name=ubuntu&os_version=22.04

✗ LOW CVE-2016-20013
  https://scout.docker.com/v/CVE-2016-20013
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 7.5
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

As said in the report: « Fixed version : not fixed ».
We’ll pick the fix as soon as one will be released.

To conclude, I think that all the vulnerabilities reported here are:

  • either already fixed in our repositories and the fix will be in the next version of the agent: 7.48.0,
  • or there’s no fix available yet.

@L3n41c L3n41c closed this as completed Sep 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@L3n41c @sheffrong123