go through list of Trivy security findings

[mmguero]

We have code scanning with Trivy enabled for the Malcolm docker images. Currently (in my development branch, at least) there are ~34 critical or high issues reported.

Of these, the vast majority of them are in the Logstash image, with a few in the OpenSearch, Dashboards and Arkime images.

Here are maybe some relevant links:

• elastic.co security issues
• Very high number of vulnerabilities found in logstash docker image 7.16.2 elastic/logstash#13560

We need to sort through these and determine what can be done with them. Perhaps open up individual issues or groups of issues as we start to triage them.

Where so many of them are in the Logstash image and elastic doesn't super seem to care (as you can see from the bug I linked there) perhaps we need to look at making our own Logstash image, or replacing the vulnerable libraries in the Logstash image ourselves.

[mmguero]

I sent this email to [email protected]:

When scanning the latest official Logstash Docker image with Trivy I am getting somewhere in the neighborhood of 30 "critical"- and "high"-level vulnerabilities reported for libraries used by Logstash in that image. These vulnerabilities range from everything to remote code execution to DoS.

This GitHub issue is an example where this has been reported for almost two years, without any movement on Elastic's part to address it. Any attempt to talk about it in the elastic.co forums simply refer the poster to this email address.

It's a bit surprising how little interest this seems to be to Elastic.co based on the feedback in GitHub and the forums. Could you shed some light on why that might be?

-SG

[mmguero]

Here's a list of Trivy results for docker.elastic.co/logstash/logstash:8.9.1, forwarded to Elastic.
trivy_logstash.txt
trivy_logstash.json.txt

[mmguero]

Response from Elastic:

Find below statements for the enquired CVEs. For the remaining CVEs we are further researching.

CVE-2022-3219
Status: future update
Artifacts: gnupg
Statement: This package is provided by the operating system vendor. Our containers are built with the latest operating system updates at the time of build. We are unable to modify these packages outside of updates provided by the vendor. We will update it in a future release when the vendor updates the package.

CVE-2023-36054
Artifacts: krb5
Statement: This package is provided by the operating system vendor. Our containers are built with the latest operating system updates at the time of build. We are unable to modify these packages outside of updates provided by the vendor. We will update it in a future release when the vendor updates the package.

CVE-2016-20013
Status: future update
Artifacts: libc6
Statement: This package is provided by the operating system vendor. Our containers are built with the latest operating system updates at the time of build. We are unable to modify these packages outside of updates provided by the vendor. We will update it when the vendor updates the package.

CVE-2017-11164
Status: future update
Artifacts:
Statement: This package is provided by the operating system vendor. Our containers are built with the latest operating system updates at the time of build. We are unable to modify these packages outside of updates provided by the vendor. We will update it when the vendor updates the package.

CVE-2023-4016
Status: future update
Artifacts: procps
Statement: This package is provided by the operating system vendor. Our containers are built with the latest operating system updates at the time of build. We are unable to modify these packages outside of updates provided by the vendor. We will update it in a future release when the vendor updates the package.

CVE-2013-4235
Status: future update
Artifacts: shadow-utils
Statement: This package is provided by the operating system vendor. Our containers are built with the latest operating system updates at the time of build. We are unable to modify these packages outside of updates provided by the vendor.

CVE-2023-2976
Status: not_affected
Artifacts: Guava
Statement: Logstash doesn't use the problematic class com.google.common.io.FileBackedOutputStream from Google Guava dependency and it is not affected by this CVE. Nevertheless, guava library will be updated in future versions of Logstash.

CVE-2018-10237
Status: under_investigation, future update
Artifacts: guava
Statement: We are investigating how this issue affects Logstash. We will be updating Guava in a future version of Logstash.

CVE-2020-8908
Status: not_affected, future update
Artifacts: Guava
Statement: Logstash is not vulnerable to this issue. Logstash uses modern versions of Java which create the temporary files in a secure manner. We will upgrade Guava in a future version of Logstash

CVE-2021-29425
Status: not_affected, future update
Artifacts: commons-io
Statement: The commons-io dependency is used by log4j and not Logstash directly. No untrusted input is passed to the vulnerable function, it cannot be exploited by an attacker. We will update commons-io in a future version of Logstash

CVE-2018-1313
Status: future update, not_affected
Artifacts: derby
Statement: Logstash does not use the Derby Network Server. We will be updating Derby in a future version of Logstash.

CVE-2016-2781
Status: future update
Statement: This package is provided by the operating system vendor. Our containers are built with the latest operating system updates at the time of build. We are unable to modify these packages outside of updates provided by the vendor. We will update it when the vendor updates the package

CVE-2020-13956
Status: future update
Artifacts: httpclient
Statement: This issue poses very little risk to logstash due to how it uses httpclient. We will update this dependency in a future version of logstash

CVE-2021-28168
Status: future update
Artifacts: jersey-common
Statement: We consider this vulnerability to be very low severity. We will upgrade the version of Jersey shipped in Logstash in a future update

CVE-2021-37714
Status: not_affected
Artifacts: jsoup
Statement: In Logstash jsoup is not used to parse untrusted XML or HMTL, it is provided by maven-libs, used only to parse POM files during installation of Logstash plugins that use on jars not vendored in the gem.

CVE-2023-34453
Artifacts: snappy
Statement: This issue only affects the logstash-integration-kafka plugin and specifically the versions before 11.3.0. This issue has been resolved in version 11.3.0 which is shipped with Logstash version 8.10.0. Users of previous Logstash versions can update the plugin with bin/logstash-plugin update logstash-integration-kafka to a version later than 11.3.0

CVE-2023-34454
Status: fixed
Artifacts: snappy
Statement: This issue only affects the logstash-integration-kafka plugin and specifically the versions before 11.3.0. This issue has been resolved in version 11.3.0 which is shipped with Logstash version 8.10.0. Users of previous Logstash versions can update the plugin with bin/logstash-plugin update logstash-integration-kafka to a version later than 11.3.0

CVE-2023-34455
Status: fixed
Artifacts: logstash-integration-kafka
Statement: This issue only affects the logstash-integration-kafka plugin and specifically the versions before 11.3.0. This issue has been resolved in version 11.3.0 which is shipped with Logstash version 8.10.0. Users of previous Logstash versions can update the plugin with bin/logstash-plugin update logstash-integration-kafka to a version later than 11.3.0

CVE-2022-34169
Status: future update, not_affected
Artifacts: JDK
Statement: Our analysis shows that this flaw does not affect Logstash when the JDK is configured with default settings. The XSLT compiler is not enabled by default for the JDK. We will nevertheless update the bundled JDK to 17.0.4+ in Logstash 8.4.0 and to 11.0.16+ in Logstash 7.17.6

GHSA-pxvg-2qj5-37jq
Status: not_affected
Artifacts: libxml2
Statement: Logstash is not affected by this issue. Logstash uses libxml2 but doesn't use libxslt on JRuby, it uses apache xerces instead.

Regards,
Elastic Security

[mmguero]

Second email:

Find below statements for the remaining CVEs which were enquired.

CVE-2023-2953

Status: future update
Artifacts: openldap
Statement: This package is provided by the operating system vendor. Our containers are built with the latest operating system updates at the time of build. We are unable to modify these packages outside of updates provided by the vendor. We will update it when the vendor updates the package.

CVE-2023-26604

Status: future update
Artifacts: systemd
Statement: This package is provided by the operating system vendor. Our containers are built with the latest operating system updates at the time of build. We are unable to modify these packages outside of updates provided by the vendor. We will update it when the vendor updates the package. Red Hat has rated this vulnerability as having important severity.

CVE-2015-5262

Status: not_affected
Artifacts: httpclient
Statement: Logstash 8.9.1 already contains a fixed version of the dependency, 4.5.13. The finding is reported against the httpclient version that is included and shaded into the wagon-http jar, used by maven to download artifacts. Logstash does not use this httpclient anywhere and as such is not affected by this issue.

CVE-2021-26291

Status: not_affected
Artifacts: ruby-maven
Statement: The maven package shipped with the JRuby bundled with Logstash is never executed at runtime thus not affected by this issue. Nevertheless, this will be upgraded in a future release.

CVE-2023-33201

Status: not_affected
Artifacts: bouncycastle
Statement: Bouncycastle is used by the JRuby dependency for OpenSSL. However, Logstash does not use the LDAP CertStore through the X509LDAPCertStoreSpi class, neither in core nor its default set of plugins. To avoid further false positives the dependency is upgraded in Logstash 8.10 to 1.74. An unused copy of the older bouncycastle version is still present in the artifacts but will be removed soon.

CVE-2015-6748

Status: not_affected
Artifacts: ruby-maven
Statement: Jsoup is transitive dependency of Ruby-maven, which is a wrapper to use a Ruby DSL for Maven project definition. This comes bundled with JRuby and Logstash doesn't use it at runtime.

CVE-2022-36033

Status: not_affected
Artifacts: ruby-maven
Statement: Jsoup is transitive dependency of Ruby-maven, which is a wrapper to use a Ruby DSL for Maven project definition. This comes bundled with JRuby and Logstash doesn't use it at runtime.

CVE-2022-1471

Status: not_affected
Artifacts: snakeyaml
Statement: SnakeYAML is not used to load untrusted data from an external source. To exploit the vulnerability an attacker would need write access to the Logstash directory.

CVE-2023-40175

Status: not_affected
Artifacts: puma
Statement: The puma server is used only for the Logstash HTTP API, that is a single server architecture. Considering how HTTP smuggling attacks rely on different interpretations of headers in two HTTP servers (e.g. frontend/proxy vs backend), this CVE is unlikely to affect Logstash. That said, Logstash will upgrade to a non vulnerable version of Puma in the next minor release, 8.10.0

Regards,
Elastic Security

[mmguero]

I've gone through the Trivy security findings as of today and marked some of them as "doesn't apply", fixed some others, and some we'll need to wait for library versions in logstash, opensearch, dashboards, etc.

We've gone from 45 or so down to 19 currently open. A few of those are HIGH but looking at how they are used in the various components I don't think any of them are HIGH with regards to how Malcolm functions.

I'm satisfied with this for now, and will close this and open another issue again to do another check in a month or so.