Image vulnerablities

[jin-ahn]

The latest (4.3.9) docker image of graylog has 6 critical and 73 high vulnerabilities related to apache, minidev, fasterxml, netty, etc. Can we get these patched?

[justingood]

4.3.9 is also running an older version of openssl (3.0.2) affected by the recent advisory

[coffee-squirrel]

4.3.9 is also running an older version of openssl (3.0.2) affected by the recent advisory

The 4.3.9 images have packages openssl and libssl3 @ 3.0.2-0ubuntu1.7, which has the fix.

• https://ubuntu.com/security/CVE-2022-3602
• https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.7
• https://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_3.0.2-0ubuntu1.7/changelog

[jin-ahn]

@coffee-squirrel are there plans to patch the other vulnerabilites i have shown?

[coffee-squirrel]

@jin-ahn I'm not with Graylog, so I don't know.

It seems most/all of those are related to "Graylog the Java app" versus the container image, so you might get more traction by following the process mentioned at https://github.com/Graylog2/graylog2-server/blob/master/SECURITY.md.

[kroepke]

Hi!

Sorry for the delay:
The critical shiro-related issues don't apply to Graylog, but we will still look at updating the library.
The quartz one also doesn't apply, while it is shipped through another dependency, Graylog doesn't use the scheduling functions the vulnerability is about.

For Graylog 5.0 (in beta right now) we are updating Jackson and Netty, which should address those issues. Unfortunately, those are quite involved to backport, so we will most likely not bump the version in 4.3.
Furthermore, Graylog doesn't use snappy in any user-facing form, so the vulnerability also doesn't apply.

I'll leave this open until we are closing some internal issues that are pointing here. Thanks!

[jin-ahn]

Hi, just thought I'd give an update. I've checked the latest 5.0 rc2 image for vulnerabilities. and although there is an improvement the critical ones still remain. I understand that they don't necessarily apply to graylog, but if it's a low-hanging fruit, it would be great for our usage to have the libraries updated.

[jin-ahn]

Hi @kroepke, just to confirm - are their still plans to patch the remaining vulnerabilites? Or are we leaving them alone?

[jin-ahn]

Most recent update of 5.0.3 is vastly improved. Just 1 critical vulnerability remaining. Need to update json-smart to 2.4.1

[jin-ahn]

New vulnerablities have come out that impact graylog image. I know the shiro-core doesn't apply but there are others

[Jeffrey778]

Hi, I notice there are updates to fix the vulnerablities, can someone also build a image and push to hub? Thanks.

[bernd]

@Jeffrey778 The fixed will be part of the next stable release (5.0.7) that ships beginning of May.

UPDATE: We will only backport fixes for security issues that affect Graylog.

[jin-ahn]

Hi. 5.0.6 also has new vulnerablities related to org.quartz-scheduler and org.yaml:snakeyaml

https://nvd.nist.gov/vuln/detail/CVE-2019-13990

https://nvd.nist.gov/vuln/detail/CVE-2022-1471

[jin-ahn]

5.0.7 has 6 critical and 11 high vulnerabilities

[jin-ahn]

5.1.0 has vulnerabilites that are high and critical