Analyze urllib3 vulnerabilities and upgrade urllib3 version. #20001

Closed
EduLeon12 opened this issue Nov 2, 2023 · 4 comments · Fixed by #20630
Labels
level/task type/bug/vulnerability Exploitable vulnerability

Comments

@EduLeon12
Contributor

During the week 44 framework vulnerability scan it was found that the urllib3 dependency contains 2 vulnerabilities, which are fixed in 2 different versions, as explained in the scan conclusion and seen in the following analysis.

```json
[
    {
        "package_name": "urllib3",
        "package_version": "1.26.5",
        "package_affected_version": "<1.26.17",
        "vuln_description": "Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly.\r\nhttps://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f",
        "safety_id": "61601"
    },
    {
        "package_name": "urllib3",
        "package_version": "1.26.5",
        "package_affected_version": "<1.26.18",
        "vuln_description": "Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET.\r\nhttps://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4",
        "safety_id": "61893"
    }
]
```

This issue should analyze compatibility and target a version for the upgrade.
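Both findings above are "affected below version X" ranges evaluated against the pinned 1.26.5, and the upgrade target is simply the highest fix version among the affected findings on the same release line. The following is an added example, not Wazuh's or Safety's code: it reads Safety-style findings, decides whether an installed version falls inside each affected range, and derives the lowest version that clears all of them. The two findings are transcribed from the issue with shortened descriptions, the helper names (`parse_version`, `is_affected`, `affected_findings`, `minimum_fixed_version`) are this example's own, and it also accepts comma-separated ranges such as `>=2.0,<2.0.7`, which the scan output here does not use.

```python
"""Check Safety-style scan findings against an installed urllib3 version.

Added example for the scan output quoted in the issue; it is not Wazuh's or
Safety's code. Findings are a constructed copy of the issue's two entries with
shortened descriptions; helper names are this example's own.
"""
import json
import re

# Constructed copy of the two findings reported in the issue.
SCAN_FINDINGS = json.loads("""
[
  {"package_name": "urllib3", "package_version": "1.26.5",
   "package_affected_version": "<1.26.17", "safety_id": "61601",
   "vuln_description": "CVE-2023-43804: Cookie header leaked on cross-origin redirect"},
  {"package_name": "urllib3", "package_version": "1.26.5",
   "package_affected_version": "<1.26.18", "safety_id": "61893",
   "vuln_description": "CVE-2023-45803: request body not stripped after 303 redirect"}
]
""")

# One clause of a version specifier: operator followed by a dotted number.
_SPEC_RE = re.compile(r"^(<=|>=|==|<|>)\s*([0-9][0-9.]*)$")


def parse_version(text):
    """Turn '1.26.5' into (1, 26, 5) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def _holds(installed, op, bound):
    """Evaluate one clause, e.g. installed < bound."""
    a, b = parse_version(installed), parse_version(bound)
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b, "==": a == b}[op]


def is_affected(installed, spec):
    """True if `installed` satisfies every comma-separated clause of `spec`."""
    for clause in spec.split(","):
        m = _SPEC_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        if not _holds(installed, m.group(1), m.group(2)):
            return False
    return True


def affected_findings(installed, findings, package="urllib3"):
    """Findings for `package` whose affected range contains `installed`."""
    return [f for f in findings
            if f["package_name"] == package
            and is_affected(installed, f["package_affected_version"])]


def minimum_fixed_version(installed, findings, package="urllib3"):
    """Smallest version that clears every affected finding, or None if none apply.

    Each affected finding with a '<X' upper bound is fixed at X; the target is
    the largest such X, so one upgrade covers all of them.
    """
    target = None
    for f in affected_findings(installed, findings, package):
        for clause in f["package_affected_version"].split(","):
            m = _SPEC_RE.match(clause.strip())
            if m and m.group(1) == "<":
                if target is None or parse_version(m.group(2)) > parse_version(target):
                    target = m.group(2)
    return target


if __name__ == "__main__":
    installed = "1.26.5"  # the pin quoted in the issue
    for f in affected_findings(installed, SCAN_FINDINGS):
        print(f"{f['safety_id']}: affected ({f['package_affected_version']}) "
              f"- {f['vuln_description']}")
    print("upgrade target:", minimum_fixed_version(installed, SCAN_FINDINGS))
```

Run against the pinned 1.26.5, both findings are reported and the target is 1.26.18, the same conclusion the thread reaches; re-running with 1.26.18 as the installed version reports nothing, which is the check to repeat after the pin is bumped.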

@EduLeon12 EduLeon12 added the type/bug/vulnerability Exploitable vulnerability label Nov 2, 2023
@javiersanchz javiersanchz self-assigned this Nov 22, 2023
@javiersanchz
Member

Update

  • Currently, the version of urllib3 being used is 1.26.5, which doesn't cover any of the vulnerabilities mentioned in the issue

```
urllib3==1.26.5
```

  • This is resolved in 1.28.18 and the current version doesn't include any of these changes as can be seen here:
    urllib3/urllib3@1.26.5...1.26.18

  • The work will begin to add version 1.26.18 for 4.8.1 and fix both vulnerabilities

@javiersanchz
Member

UPDATE

  • I kept working on the AMD process with the pre-compiled and pre-installed. I was looking at some parts of the phases in a call with Facu to make it clearer; tomorrow I'll finish it.

@javiersanchz
Member

UPDATE

  • Finished with AMD pre-compiled and pre-installed and checked to install wazuh with them for proper operation.
  • I started with the aarch architecture

@javiersanchz
Member

UPDATE

Precompiled and preinstalled for aarch64 created and their functionality checked:

Precompiled:

```
Starting Wazuh...
server
Starting Wazuh v4.8.1...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
Started wazuh-modulesd...
Completed.

[root@f90d14fda4f4 wazuh]# uname -m
aarch64
```

Preinstalled:

```
Starting Wazuh...
server
Starting Wazuh v4.8.1...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
Started wazuh-modulesd...
Completed.

[root@b9a2b8999c10 wazuh]# uname -m
aarch64
```
