CVE-2023-38545 and CVE-2023-38545 vulnerabilities

[egorchabala]

Multiple security scanning tools reported that aws-for-fluentbit docker image might be vulnerable to the following vulnerability:

• CVE-2023-38545
• CVE-2023-38546

Is there a schedule for a new release with a patched base image?

[PettitWesley]

I got this:

147dda285fd4:fluent-bit wppttt$ trivy image public.ecr.aws/aws-observability/aws-for-fluent-bit:2.31.12.20231011
2023-10-18T17:56:29.579-0700	INFO	Vulnerability scanning is enabled
2023-10-18T17:56:29.579-0700	INFO	Secret scanning is enabled
2023-10-18T17:56:29.579-0700	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-18T17:56:29.579-0700	INFO	Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection
2023-10-18T17:57:49.052-0700	INFO	Detected OS: amazon
2023-10-18T17:57:49.052-0700	INFO	Detecting Amazon Linux vulnerabilities...
2023-10-18T17:57:49.065-0700	INFO	Number of language-specific files: 0

public.ecr.aws/aws-observability/aws-for-fluent-bit:2.31.12.20231011 (amazon 2 (Karoo))

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬────────────────────┬────────────────────┬──────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Installed Version  │   Fixed Version    │                            Title                             │
├────────────┼────────────────┼──────────┼────────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ libnghttp2 │ CVE-2023-44487 │ HIGH     │ 1.41.0-1.amzn2.0.3 │ 1.41.0-1.amzn2.0.4 │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│            │                │          │                    │                    │ attack (Rapid...                                             │
│            │                │          │                    │                    │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└────────────┴────────────────┴──────────┴────────────────────┴────────────────────┴──────────────────────────────────────────────────────────────┘

[PettitWesley]

The above CVE does not impact AWS Fluent Bit use cases, as it is not used as a web server.

CVE-2023-38545
CVE-2023-38546

These are marked as important and low severity. We typically only do re-builds for high/critical severity.

[dfer3375]

@PettitWesley Is this solved with the 2.32.0 version?

[jamespfluger-ava]

As patching becomes more important every day, why not do re-builds when flaws are found? I don't want to speak too confidently because I don't know how much work rebuilding the image is, but these flaws will still show up on security scorecards, even if they can't be exploited.

[jamespfluger-ava]

Here's the info for latest and stable.

Note the latest has zero vulns listed and stable has 81. A fresh stable release would be hugely beneficial.

latest

james:~$ trivy image public.ecr.aws/aws-observability/aws-for-fluent-bit:latest
2024-01-30T18:23:38.725-0800    INFO    Vulnerability scanning is enabled
2024-01-30T18:23:38.725-0800    INFO    Secret scanning is enabled
2024-01-30T18:23:38.725-0800    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-30T18:23:38.725-0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-30T18:23:39.630-0800    INFO    Detected OS: amazon
2024-01-30T18:23:39.630-0800    INFO    Detecting Amazon Linux vulnerabilities...
2024-01-30T18:23:39.642-0800    INFO    Number of language-specific files: 0

public.ecr.aws/aws-observability/aws-for-fluent-bit:latest (amazon 2 (Karoo))

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

stable

james:~$ trivy image public.ecr.aws/aws-observability/aws-for-fluent-bit:stable
2024-01-30T18:25:00.180-0800    INFO    Vulnerability scanning is enabled
2024-01-30T18:25:00.180-0800    INFO    Secret scanning is enabled
2024-01-30T18:25:00.180-0800    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-30T18:25:00.180-0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-30T18:25:00.945-0800    INFO    Detected OS: amazon
2024-01-30T18:25:00.945-0800    INFO    Detecting Amazon Linux vulnerabilities...
2024-01-30T18:25:00.954-0800    INFO    Number of language-specific files: 0

public.ecr.aws/aws-observability/aws-for-fluent-bit:stable (amazon 2 (Karoo))

Total: 81 (UNKNOWN: 0, LOW: 19, MEDIUM: 58, HIGH: 4, CRITICAL: 0)

┌────────────────────┬────────────────┬──────────┬────────┬──────────────────────────┬──────────────────────────┬──────────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │ Status │    Installed Version     │      Fixed Version       │                            Title                             │
├────────────────────┼────────────────┼──────────┼────────┼──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ curl               │ CVE-2023-46218 │ MEDIUM   │ fixed  │ 8.3.0-1.amzn2.0.4        │ 8.3.0-1.amzn2.0.5        │ curl: information disclosure by exploiting a mixed case flaw │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-46218                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-46219 │          │        │                          │                          │ curl: excessively long file name may lead to unknown HSTS    │
│                    │                │          │        │                          │                          │ status                                                       │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-46219                   │
├────────────────────┼────────────────┤          │        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ dbus               │ CVE-2023-34969 │          │        │ 1:1.10.24-7.amzn2.0.3    │ 1:1.10.24-7.amzn2.0.4    │ dbus: dbus-daemon: assertion failure when a monitor is       │
│                    │                │          │        │                          │                          │ active and a message...                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-34969                   │
├────────────────────┤                │          │        │                          │                          │                                                              │
│ dbus-libs          │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ gawk               │ CVE-2023-4156  │ LOW      │        │ 4.0.2-4.amzn2.1.2        │ 4.0.2-4.amzn2.1.3        │ gawk: heap out of bound read in builtin.c                    │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-4156                    │
├────────────────────┼────────────────┤          │        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ gmp                │ CVE-2021-43618 │          │        │ 1:6.0.0-15.amzn2.0.2     │ 1:6.0.0-15.amzn2.0.3     │ gmp: Integer overflow and resultant buffer overflow via      │
│                    │                │          │        │                          │                          │ crafted input                                                │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-43618                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl            │ CVE-2023-46218 │ MEDIUM   │        │ 8.3.0-1.amzn2.0.4        │ 8.3.0-1.amzn2.0.5        │ curl: information disclosure by exploiting a mixed case flaw │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-46218                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-46219 │          │        │                          │                          │ curl: excessively long file name may lead to unknown HSTS    │
│                    │                │          │        │                          │                          │ status                                                       │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-46219                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libnghttp2         │ CVE-2023-44487 │ HIGH     │        │ 1.41.0-1.amzn2.0.3       │ 1.41.0-1.amzn2.0.4       │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                    │                │          │        │                          │                          │ to a DDoS attack...                                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libsepol           │ CVE-2021-36084 │ MEDIUM   │        │ 2.5-8.1.amzn2.0.2        │ 2.5-10.amzn2.0.1         │ libsepol: use-after-free in __cil_verify_classperms()        │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36084                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2021-36085 │          │        │                          │                          │ libsepol: use-after-free in __cil_verify_classperms()        │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36085                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2021-36086 │          │        │                          │                          │ use-after-free in cil_reset_classpermission()                │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36086                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2021-36087 │          │        │                          │                          │ libsepol: heap-based buffer overflow in ebitmap_match_any()  │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36087                   │
├────────────────────┼────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│ libsepol-devel     │ CVE-2021-36084 │          │        │                          │                          │ libsepol: use-after-free in __cil_verify_classperms()        │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36084                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2021-36085 │          │        │                          │                          │ libsepol: use-after-free in __cil_verify_classperms()        │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36085                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2021-36086 │          │        │                          │                          │ use-after-free in cil_reset_classpermission()                │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36086                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2021-36087 │          │        │                          │                          │ libsepol: heap-based buffer overflow in ebitmap_match_any()  │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-36087                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2            │ CVE-2023-45322 │ HIGH     │        │ 2.9.1-6.amzn2.5.12       │ 2.9.1-6.amzn2.5.13       │ libxml2: use-after-free in xmlUnlinkNode() in tree.c         │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-45322                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ncurses            │ CVE-2019-17594 │ MEDIUM   │        │ 6.0-8.20170212.amzn2.1.5 │ 6.0-8.20170212.amzn2.1.6 │ heap-based buffer overflow in the _nc_find_entry function in │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c                                            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2019-17594                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2019-17595 │          │        │                          │                          │ heap-based buffer overflow in the fmt_entry function in      │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c                                            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2019-17595                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19185 │          │        │                          │                          │ ncurses: Heap buffer overflow in one_one_mapping function in │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1373                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19185                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19186 │          │        │                          │                          │ ncurses: Buffer overflow in _nc_find_entry function in       │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c:66                                         │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19186                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19187 │          │        │                          │                          │ ncurses: Heap buffer overflow in fmt_entry function in       │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1100                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19187                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19188 │          │        │                          │                          │ ncurses: Stack buffer overflow in fmt_entry function in      │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1116                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19188                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19189 │          │        │                          │                          │ ncurses: Heap buffer overflow in postprocess_terminfo        │
│                    │                │          │        │                          │                          │ function in tinfo/parse_entry.c:997                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19189                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19190 │          │        │                          │                          │ ncurses: Heap buffer overflow in _nc_find_entry in           │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c:70                                         │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19190                   │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-50495 │          │        │                          │ 6.0-8.20170212.amzn2.1.7 │ ncurses: segmentation fault via _nc_wrap_entry()             │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-50495                   │
├────────────────────┼────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ncurses-base       │ CVE-2019-17594 │          │        │                          │ 6.0-8.20170212.amzn2.1.6 │ heap-based buffer overflow in the _nc_find_entry function in │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c                                            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2019-17594                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2019-17595 │          │        │                          │                          │ heap-based buffer overflow in the fmt_entry function in      │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c                                            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2019-17595                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19185 │          │        │                          │                          │ ncurses: Heap buffer overflow in one_one_mapping function in │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1373                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19185                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19186 │          │        │                          │                          │ ncurses: Buffer overflow in _nc_find_entry function in       │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c:66                                         │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19186                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19187 │          │        │                          │                          │ ncurses: Heap buffer overflow in fmt_entry function in       │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1100                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19187                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19188 │          │        │                          │                          │ ncurses: Stack buffer overflow in fmt_entry function in      │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1116                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19188                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19189 │          │        │                          │                          │ ncurses: Heap buffer overflow in postprocess_terminfo        │
│                    │                │          │        │                          │                          │ function in tinfo/parse_entry.c:997                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19189                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19190 │          │        │                          │                          │ ncurses: Heap buffer overflow in _nc_find_entry in           │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c:70                                         │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19190                   │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-50495 │          │        │                          │ 6.0-8.20170212.amzn2.1.7 │ ncurses: segmentation fault via _nc_wrap_entry()             │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-50495                   │
├────────────────────┼────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ncurses-libs       │ CVE-2019-17594 │          │        │                          │ 6.0-8.20170212.amzn2.1.6 │ heap-based buffer overflow in the _nc_find_entry function in │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c                                            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2019-17594                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2019-17595 │          │        │                          │                          │ heap-based buffer overflow in the fmt_entry function in      │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c                                            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2019-17595                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19185 │          │        │                          │                          │ ncurses: Heap buffer overflow in one_one_mapping function in │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1373                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19185                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19186 │          │        │                          │                          │ ncurses: Buffer overflow in _nc_find_entry function in       │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c:66                                         │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19186                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19187 │          │        │                          │                          │ ncurses: Heap buffer overflow in fmt_entry function in       │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1100                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19187                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19188 │          │        │                          │                          │ ncurses: Stack buffer overflow in fmt_entry function in      │
│                    │                │          │        │                          │                          │ progs/dump_entry.c:1116                                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19188                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19189 │          │        │                          │                          │ ncurses: Heap buffer overflow in postprocess_terminfo        │
│                    │                │          │        │                          │                          │ function in tinfo/parse_entry.c:997                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19189                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2020-19190 │          │        │                          │                          │ ncurses: Heap buffer overflow in _nc_find_entry in           │
│                    │                │          │        │                          │                          │ tinfo/comp_hash.c:70                                         │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2020-19190                   │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-50495 │          │        │                          │ 6.0-8.20170212.amzn2.1.7 │ ncurses: segmentation fault via _nc_wrap_entry()             │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-50495                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ nmap-ncat          │ CVE-2018-15173 │ LOW      │        │ 2:6.40-13.amzn2          │ 2:6.40-19.amzn2.0.1      │ nmap: Stack exhausation when -sV option is used allows for   │
│                    │                │          │        │                          │                          │ DoS                                                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2018-15173                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ nss-softokn        │ CVE-2023-5388  │ MEDIUM   │        │ 3.79.0-4.amzn2           │ 3.90.0-6.amzn2.0.1       │ nss: timing attack against RSA decryption                    │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5388                    │
├────────────────────┤                │          │        │                          │                          │                                                              │
│ nss-softokn-freebl │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
├────────────────────┼────────────────┤          │        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ openssl-libs       │ CVE-2023-5678  │          │        │ 1:1.0.2k-24.amzn2.0.9    │ 1:1.0.2k-24.amzn2.0.11   │ openssl: Generating excessively long X9.42 DH keys or        │
│                    │                │          │        │                          │                          │ checking excessively long X9.42...                           │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5678                    │
├────────────────────┤                │          │        ├──────────────────────────┼──────────────────────────┤                                                              │
│ openssl11-devel    │                │          │        │ 1:1.1.1g-12.amzn2.0.18   │ 1:1.1.1g-12.amzn2.0.19   │                                                              │
│                    │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
├────────────────────┤                │          │        │                          │                          │                                                              │
│ openssl11-libs     │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ python             │ CVE-2022-48565 │ HIGH     │        │ 2.7.18-1.amzn2.0.6       │ 2.7.18-1.amzn2.0.7       │ python: XML External Entity in XML processing plistlib       │
│                    │                │          │        │                          │                          │ module                                                       │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2022-48565                   │
│                    ├────────────────┼──────────┤        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2022-48566 │ MEDIUM   │        │                          │ 2.7.18-1.amzn2.0.8       │ python: constant-time-defeating optimisations issue in the   │
│                    │                │          │        │                          │                          │ compare_digest function in Lib/hmac.p                        │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2022-48566                   │
├────────────────────┼────────────────┼──────────┤        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ python-libs        │ CVE-2022-48565 │ HIGH     │        │                          │ 2.7.18-1.amzn2.0.7       │ python: XML External Entity in XML processing plistlib       │
│                    │                │          │        │                          │                          │ module                                                       │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2022-48565                   │
│                    ├────────────────┼──────────┤        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2022-48566 │ MEDIUM   │        │                          │ 2.7.18-1.amzn2.0.8       │ python: constant-time-defeating optimisations issue in the   │
│                    │                │          │        │                          │                          │ compare_digest function in Lib/hmac.p                        │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2022-48566                   │
├────────────────────┼────────────────┤          │        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ vim-data           │ CVE-2023-46246 │          │        │ 2:9.0.1882-1.amzn2.0.1   │ 2:9.0.2081-1.amzn2.0.1   │ vim: Integer Overflow in :history command                    │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-46246                   │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-5344  │          │        │                          │ 2:9.0.1882-1.amzn2.0.2   │ vim: Heap-based Buffer Overflow in trunc_string()            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5344                    │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-5441  │          │        │                          │ 2:9.0.1882-1.amzn2.0.3   │ NULL pointer dereference in screen_line() in src/screen.c    │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5441                    │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-5535  │          │        │                          │                          │ vim: use after free                                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5535                    │
│                    ├────────────────┼──────────┤        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48231 │ LOW      │        │                          │ 2:9.0.2120-1.amzn2.0.1   │ vim: use after free in win_close()                           │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48231                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48232 │          │        │                          │                          │ vim: floating point exception in adjust_plines_for_skipcol() │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48232                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48233 │          │        │                          │                          │ vim: overflow with count for :s command                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48233                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48234 │          │        │                          │                          │ vim: overflow in nv_z_get_count                              │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48234                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48235 │          │        │                          │                          │ vim: overflow in ex address parsing                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48235                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48236 │          │        │                          │                          │ vim: overflow in get_number                                  │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48236                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48237 │          │        │                          │                          │ vim: buffer overflow in shift_line                           │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48237                   │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48706 │          │        │                          │ 2:9.0.2153-1.amzn2.0.1   │ vim: use-after-free in ex_substitute in Vim                  │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48706                   │
├────────────────────┼────────────────┼──────────┤        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ vim-minimal        │ CVE-2023-46246 │ MEDIUM   │        │                          │ 2:9.0.2081-1.amzn2.0.1   │ vim: Integer Overflow in :history command                    │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-46246                   │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-5344  │          │        │                          │ 2:9.0.1882-1.amzn2.0.2   │ vim: Heap-based Buffer Overflow in trunc_string()            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5344                    │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-5441  │          │        │                          │ 2:9.0.1882-1.amzn2.0.3   │ NULL pointer dereference in screen_line() in src/screen.c    │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5441                    │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-5535  │          │        │                          │                          │ vim: use after free                                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-5535                    │
│                    ├────────────────┼──────────┤        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48231 │ LOW      │        │                          │ 2:9.0.2120-1.amzn2.0.1   │ vim: use after free in win_close()                           │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48231                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48232 │          │        │                          │                          │ vim: floating point exception in adjust_plines_for_skipcol() │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48232                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48233 │          │        │                          │                          │ vim: overflow with count for :s command                      │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48233                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48234 │          │        │                          │                          │ vim: overflow in nv_z_get_count                              │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48234                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48235 │          │        │                          │                          │ vim: overflow in ex address parsing                          │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48235                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48236 │          │        │                          │                          │ vim: overflow in get_number                                  │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48236                   │
│                    ├────────────────┤          │        │                          │                          ├──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48237 │          │        │                          │                          │ vim: buffer overflow in shift_line                           │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48237                   │
│                    ├────────────────┤          │        │                          ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                    │ CVE-2023-48706 │          │        │                          │ 2:9.0.2153-1.amzn2.0.1   │ vim: use-after-free in ex_substitute in Vim                  │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-48706                   │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ zlib               │ CVE-2023-45853 │ MEDIUM   │        │ 1.2.7-19.amzn2.0.2       │ 1.2.7-19.amzn2.0.3       │ zlib: integer overflow and resultant heap-based buffer       │
│                    │                │          │        │                          │                          │ overflow in zipOpenNewFileInZip4_6                           │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-45853                   │
├────────────────────┤                │          │        │                          │                          │                                                              │
│ zlib-devel         │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
│                    │                │          │        │                          │                          │                                                              │
└────────────────────┴────────────────┴──────────┴────────┴──────────────────────────┴──────────────────────────┴──────────────────────────────────────────────────────────────┘

[surola]

Hi When are you planning to release a new version with these fixes?

[jamespfluger-ava]

It's worth mentioning that both latest and stable have the same two CVEs. See the output below:

james~:trivy image public.ecr.aws/aws-observability/aws-for-fluent-bit:stable
2024-02-16T16:22:04.698-0800    INFO    Vulnerability scanning is enabled
2024-02-16T16:22:04.698-0800    INFO    Secret scanning is enabled
2024-02-16T16:22:04.698-0800    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-16T16:22:04.698-0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-16T16:22:05.391-0800    INFO    Detected OS: amazon
2024-02-16T16:22:05.391-0800    INFO    Detecting Amazon Linux vulnerabilities...
2024-02-16T16:22:05.403-0800    INFO    Number of language-specific files: 0

public.ecr.aws/aws-observability/aws-for-fluent-bit:stable (amazon 2 (Karoo))

Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 3, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬────────┬────────────────────┬────────────────────┬──────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Status │ Installed Version  │   Fixed Version    │                        Title                         │
├─────────────┼────────────────┼──────────┼────────┼────────────────────┼────────────────────┼──────────────────────────────────────────────────────┤
│ nss         │ CVE-2023-7104  │ HIGH     │ fixed  │ 3.90.0-2.amzn2.0.1 │ 3.90.0-2.amzn2.0.2 │ sqlite: heap-buffer-overflow at sessionfuzz          │
│             │                │          │        │                    │                    │ https://avd.aquasec.com/nvd/cve-2023-7104            │
├─────────────┤                │          │        │                    │                    │                                                      │
│ nss-sysinit │                │          │        │                    │                    │                                                      │
│             │                │          │        │                    │                    │                                                      │
├─────────────┤                │          │        │                    │                    │                                                      │
│ nss-tools   │                │          │        │                    │                    │                                                      │
│             │                │          │        │                    │                    │                                                      │
├─────────────┼────────────────┼──────────┤        ├────────────────────┼────────────────────┼──────────────────────────────────────────────────────┤
│ pam         │ CVE-2024-22365 │ LOW      │        │ 1.1.8-23.amzn2.0.1 │ 1.1.8-23.amzn2.0.2 │ pam: allowing unpriledged user to block another user │
│             │                │          │        │                    │                    │ namespace                                            │
│             │                │          │        │                    │                    │ https://avd.aquasec.com/nvd/cve-2024-22365           │
└─────────────┴────────────────┴──────────┴────────┴────────────────────┴────────────────────┴──────────────────────────────────────────────────────┘

[PettitWesley]

@jamespfluger-ava I'm working on trying to setup an automatic workflow to re-build and re-release the latest image for linux, as for example here: https://github.com/aws/aws-for-fluent-bit/releases/tag/v2.32.0.20240304

1. We will only automatically rebuild the latest image
2. We are not sure what frequency to rebuild- thoughts? While it'd be nice to have it re-build every time there is a scan finding, we might just go with some time interval to keep it simple.
3. The re-built images are just the old image, with the same code compiled on an updated amazon linux base. We will therefore not perform our typical testing on re-built images: https://github.com/aws/aws-for-fluent-bit?tab=readme-ov-file#aws-distro-for-fluent-bit-release-testing

[jamespfluger-ava]

@PettitWesley I'd love an automatic workflow. For now I've switched to using Chainguard's image for aws-for-fluent-bit as that had zero CVEs at the time.

Your points

1 - Automating rebuilding the latest image is a good idea
2a - I agree that the ideal scenario is when a new finding is found. You could possibly use a scanning tool (such as Trivy or Docker Scout or one of many others) to see if there are any vulnerabilities, and if there are take a few steps: rebuild the image, see if the vulns are still there, and if so do NOT push the image and create a GitHub issue with a security label.
2b - ALTERNATIVELY - simply do a rebuild once daily. I would personally tag this as latest and not necessarily stable, as stable should be pushed once a latest image is proven to be stable, but that's out of my area of expertise
3 - Not re-testing the code makes sense, unless some of the code relies upon a package and a package upgrade breaks something

My thoughts

Ideally, rebuild the image if there's a new vuln found and rebuild the image (and if that doesn't fix it auto-create a new GitHub issue)
Otherwise rebuilding the image daily would be ideal.

Remember this:

Software is just like milk. It goes bad over time. Smell your software as often as you can fix the smells as soon as they appear.

[eigan]

Sorry, this is not relevant to the reported CVE, but its about rebuilding.

aikido.dev reports CVE-2023-39323, CVE-2023-39325, CVE-2023-45285 and more because go1.20.7 is used. Would it be possible to build with a newer go version?

They use syft which gives them the following SBOM.

syft public.ecr.aws/aws-observability/aws-for-fluent-bit:init-latest

....
stdlib                                                 go1.20.7                            go-module
....

[PettitWesley]

@eigan unfortunately, we had to lock go to 1.20.7 last year because of this issue which entirely stops Fluent Bit from Go plugins from working:

• cmd/cgo: "fatal: morestack on g0" when interacting with PHP Fibers golang/go#62130 (comment)
• lock to go 1.20.7 #723

I haven't checked on this for a little while though and I will see if a newer go version resolves the issue. If not, I'll open a tracking issue for this.

[PettitWesley]

Also the trivy image scan in our pipeline is a good idea @jamespfluger-ava. Thanks. May be I should make the pipeline pull the latest re-build, scan it, if there are findings, then build a new image and release it. May be also check if the number of findings on the new re-build is lesser than the older one.

[jamespfluger-ava]

@PettitWesley regarding the number of findings - that's a good idea, but I would go as far as to say to never release an image with critical or high findings. Of course low + mediums can always be strung together to perform an attack, but it's less likely than a high/critical.

Appreciate y'all taken this seriously!

[PettitWesley]

@jamespfluger-ava @eigan I am not seeing any findings for our most recent rebuild from earlier this month:

$ trivy image   --severity HIGH,CRITICAL --format json public.ecr.aws/aws-observability/aws-for-fluent-bit:latest  -q | jq '.Results[0].Vulnerabilities | length'
0

[PettitWesley]

Also it seems go1.22 works with Fluent Bit go plugins, so we will upgrade to that in our next re-build release.