
False positive: CVE-2020-10663 (GHSA-jphg-qwrw-7w9g) json for Java is not affected, json for C is affected #1807

Open
sekveaja opened this issue Apr 16, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@sekveaja

Get vulnerability GHSA-jphg-qwrw-7w9g (CVE-2020-10663) on a custom image that has logstash integrated.
And it is pointing to: "path": "/usr/share/logstash/vendor/bundle/jruby/2.5.0/specifications/json-1.8.6-java.gemspec",

What you expected to happen:

Among logstash 3pp there is Ruby.
And Ruby has the json-1.8.6-java.gemspec bundle in it.

NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-10663
cpe:2.3:a:json_project:json::::::ruby::* | Up to (including) 2.2.0

As per NVD, it is very broad on json, but Logstash is using json-1.8.6-java, which is not vulnerable.
The issue is in C code, as stated by the JRuby team.

Please find the links below for further details, where we can see there are two versions of json 1.8.6: one based on C code and the other based on Java. The one based on Java is not using the vulnerable C native library extension.

Based on the Ruby extension in C implementation, which is vulnerable for version 1.8.6

json | RubyGems.org | your community gem host

Based on Ruby Java Code

json | RubyGems.org | your community gem host

How to reproduce it (as minimally and precisely as possible):

  1. docker pull docker.elastic.co/logstash/logstash:7.10.2

  2. syft docker.elastic.co/logstash/logstash:7.10.2
    json 1.8.6 gem --> This one is json.1.8.6-java
    json 2.2.0 gem
    json-c 0.11-4.el7_0 rpm

  3. grype docker.elastic.co/logstash/logstash:7.10.2

    json 1.8.6 2.3.0 gem GHSA-jphg-qwrw-7w9g High <-- CVE-2020-10663
    json 2.2.0 2.3.0 gem GHSA-jphg-qwrw-7w9g High
    json-c 0.11-4.el7_0 (won't fix) rpm CVE-2020-12762 Medium

  4. Information inside the container
    $ cat Gemfile.lock | grep json | grep java
    json (1.8.6-java)

    $ find ./vendor | grep json | grep java
    ./vendor/bundle/jruby/2.5.0/gems/msgpack-1.3.3-java/spec/cases.json
    ./vendor/bundle/jruby/2.5.0/specifications/json-1.8.6-java.gemspec
    ./vendor/jruby/lib/ruby/gems/shared/specifications/default/json-2.2.0-java.gemspec

Anything else we need to know?:

Statement from Ruby Dev Team

Statement_from_Ruby_DevTeam

Environment:

  • Output of grype version: grype 0.74.7

  • OS (e.g: cat /etc/os-release or similar):

Container OS:

$ cat /etc/release
CentOS Linux release 7.9.2009 (Core)
Derived from Red Hat Enterprise Linux 7.9 (Source)
NAME="CentOS Linux"
VERSION="7 (Core)"

Host OS:

CentOS Stream release 8
NAME="CentOS Stream"
VERSION="8"
ID="centos"

