[Bug, Vulnerability] CVE-2023-48795 #11936
Comments
We are not using Go and Python in OAP. I am not sure what you mean. This is a Java project.
@wu-sheng I understand that; I opened it for OAP. Also, it occurs to me that the image you use for deployment on k8s for UI has the vulnerability. Where should I report this? This vulnerability was present for almost 2 months and my only other remediation is to disable SkyWalking, which I really don't want to do as I have written custom scripts for it as well.
OK, if you mean images, you need to check whether it is from swctl or something, because OAP and UI themselves are only Java based. You could check the Dockerfile: https://github.com/apache/skywalking/blob/master/docker/oap/Dockerfile About the CLI, it is from https://github.com/apache/skywalking-cli.
Or is this a Linux-level CVE? You could repackage the whole thing and get the latest.
@wu-sheng I appreciate you reopening this issue. Constantly repackaging every open-source solution would make it a nightmare from a maintainability perspective. It seems that many open-source solutions suffer from this vulnerability (even though the library in question was not in use in many, scans still flag it). I have several examples where it was already fixed: Jaeger: jaegertracing/jaeger#5016 I understand that this causes certain inconveniences, and I apologize for that, but I had been required to address this particular vulnerability in the past month.
@kezhenxu94 Could you take a look? I think this may be either from the base image or a kind of CLI-side issue.
CLI fixed at apache/skywalking-cli#199
If the UI also has the CVE, then swctl might not be the only source of the CVE, as UI doesn't have swctl in it.
Yes, I noticed that. I am not sure why UI could have this; maybe it is from the default base Linux image? CLI has the affected version but maybe is not the only source.
I see.
AFAIK, the 11-jre image should be safe enough. https://hub.docker.com/layers/library/eclipse-temurin/11-jre/images/sha256-2a0e7b00897263d43b65f33962ca1299e6ce91a16c3dd09fbceff114d4c8c34a?context=explore No high and critical issues. Our own CLI has been removed from the next release. We should be good now.
Thank you for the quick remediation!
Apache SkyWalking Component
OAP server (apache/skywalking)
What happened
Good day,
The scanner flags CVE-2023-48795 in OAP and UI, which I am required to fix to continue using this great project.
SkyWalking is deployed using a Helm chart.
More information:
OAP:
installedVersion: v0.0.0-20220411220226-7b82a4e95df4
lastModifiedDate: "2024-01-29T09:15:42Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2023-48795
publishedDate: "2023-12-18T16:15:10Z"
resource: golang.org/x/crypto
score: 5.9
severity: MEDIUM
target: ""
title: 'ssh: Prefix truncation attack on Binary Packet Protocol (BPP)'
vulnerabilityID: CVE-2023-48795
UI:
installedVersion: 0.9.6-2ubuntu0.22.04.1
lastModifiedDate: "2024-01-29T09:15:42Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2023-48795
publishedDate: "2023-12-18T16:15:10Z"
resource: libssh-4
score: 5.9
severity: MEDIUM
target: ""
title: 'ssh: Prefix truncation attack on Binary Packet Protocol (BPP)'
vulnerabilityID: CVE-2023-4879
What you expected to happen
No vulnerability found
How to reproduce
Install SkyWalking via the Helm chart.
Anything else
No response
Are you willing to submit a pull request to fix on your own?
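To triage the kind of finding reported above, where a scanner attributes a golang.org/x/crypto pseudo-version to an image, the following Python script (an example added here, not code from the SkyWalking project or from anyone in this thread) parses the output of `go version -m <binary>` and flags any module whose recorded version predates the release carrying the fix. It assumes v0.17.0 as the first golang.org/x/crypto release with the CVE-2023-48795 fix (Go vulnerability report GO-2023-2402); the sample build-info lines are constructed, with a placeholder binary path and hashes, and only the golang.org/x/crypto pseudo-version is taken from this issue.

```python
"""Triage a scanner hit on golang.org/x/crypto in a Go binary (CVE-2023-48795).

Example code added to this thread, not the SkyWalking project's own tooling.
It parses the output of `go version -m <binary>` (which lists the modules a Go
binary was built with) and reports any module whose recorded version is older
than the version that carries the fix. For golang.org/x/crypto the strict key
exchange fix shipped in v0.17.0; that mapping is an assumption encoded below.
"""
import re
import sys

# Module -> first version containing the fix (assumed table; extend as needed).
FIXED_VERSIONS = {
    "golang.org/x/crypto": "v0.17.0",  # CVE-2023-48795 / GO-2023-2402
}

# Go module versions are semver with a leading "v". Pseudo-versions such as
# v0.0.0-20220411220226-7b82a4e95df4 carry a "-" pre-release suffix, which
# sorts before the plain release of the same base version.
_VERSION_RE = re.compile(
    r"^v(\d+)\.(\d+)\.(\d+)(?P<pre>-[0-9A-Za-z.\-]+)?(\+[0-9A-Za-z.\-]+)?$"
)


def parse_version(version):
    """Return a sortable tuple (major, minor, patch, is_release) or None.

    is_release is 1 for a plain tag and 0 for any pre-release/pseudo-version,
    so v0.16.1-0.2023...-abc < v0.16.1 < v0.17.0. Pre-release identifiers are
    not compared against each other; that precision is not needed here.
    Untagged builds such as "(devel)" return None.
    """
    m = _VERSION_RE.match(version)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group("pre") else 1)


def version_is_older(installed, fixed):
    """True when `installed` sorts strictly below `fixed`; unparseable -> False."""
    a, b = parse_version(installed), parse_version(fixed)
    if a is None or b is None:
        return False
    return a < b


def parse_go_version_m(text):
    """Map module path -> version from `go version -m` output.

    Module lines look like "\\tdep\\t<module>\\t<version>\\t<hash>"; a following
    "\\t=>\\t<module>\\t<version>\\t<hash>" line records a replace directive,
    which overrides the module listed just before it.
    """
    modules = {}
    last = None
    for line in text.splitlines():
        parts = line.lstrip("\t").split("\t")
        if len(parts) < 3:
            continue  # header, "path" line, or build settings
        kind, path, version = parts[0], parts[1], parts[2]
        if kind in ("mod", "dep"):
            modules[path] = version
            last = path
        elif kind == "=>" and last is not None:
            modules[last] = version
    return modules


def affected_modules(text):
    """Return {module: (installed, fixed)} for modules older than the fix."""
    modules = parse_go_version_m(text)
    return {
        mod: (modules[mod], fixed)
        for mod, fixed in FIXED_VERSIONS.items()
        if mod in modules and version_is_older(modules[mod], fixed)
    }


# Constructed sample: the golang.org/x/crypto pseudo-version is the one the
# scanner reported in this issue; binary path, other modules and hashes are
# placeholders, not real output from swctl.
SAMPLE_BUILD_INFO = (
    "example-cli: go1.20.5\n"
    "\tpath\texample.invalid/cli/cmd/example-cli\n"
    "\tmod\texample.invalid/cli\t(devel)\n"
    "\tdep\tgolang.org/x/crypto\tv0.0.0-20220411220226-7b82a4e95df4\th1:PLACEHOLDER=\n"
    "\tdep\tgolang.org/x/sys\tv0.15.0\th1:PLACEHOLDER=\n"
)


if __name__ == "__main__":
    # Usage: go version -m ./swctl > buildinfo.txt && python3 triage.py buildinfo.txt
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUILD_INFO
    hits = affected_modules(data)
    for mod, (have, need) in hits.items():
        print(f"{mod}: built with {have}, fix requires >= {need}")
    sys.exit(1 if hits else 0)
```

Copy the Go binary out of the image (for example with `docker cp` from a created container) and run `go version -m` on it; the exit status tells you whether the flagged module is actually linked into that binary at a pre-fix version, which is the distinction the thread turns on. The libssh-4 finding on the UI image is a distro package, not a Go module, so its equivalent check is the Ubuntu package changelog, which this script does not cover.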