Get vulnerability GHSA-jphg-qwrw-7w9g (CVE-2020-10663) on a custom image that has logstash integrated.
And it is pointing to: "path": "/usr/share/logstash/vendor/bundle/jruby/2.5.0/specifications/json-1.8.6-java.gemspec",
What you expected to happen:
Among logstash 3pp there is Ruby.
And Ruby has the json-1.8.6-java.gemspec bundle in it.
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-10663
cpe:2.3:a:json_project:json:*:*:*:*:*:ruby:*:* | Up to (including) 2.2.0
As per NVD, it is very broad on json, but Logstash is using json-1.8.6-java, which is not vulnerable.
The issue is in C code, as stated by the JRuby team.
Please find the links below for further details, where we can see there are two versions of json 1.8.6: one based on C code and the other based on Java. The one based on Java is not using the vulnerable C native library extension.
Based on the Ruby extension in C implementation, which is vulnerable for version 1.8.6:
json | RubyGems.org | your community gem host
Based on the Ruby Java code:
json | RubyGems.org | your community gem host
How to reproduce it (as minimally and precisely as possible):
docker pull docker.elastic.co/logstash/logstash:7.10.2
syft docker.elastic.co/logstash/logstash:7.10.2
json 1.8.6 gem --> This one is json-1.8.6-java
json 2.2.0 gem
json-c 0.11-4.el7_0 rpm
grype docker.elastic.co/logstash/logstash:7.10.2
json 1.8.6 2.3.0 gem GHSA-jphg-qwrw-7w9g High <-- CVE-2020-10663
json 2.2.0 2.3.0 gem GHSA-jphg-qwrw-7w9g High
json-c 0.11-4.el7_0 (won't fix) rpm CVE-2020-12762 Medium
Information inside the container
$ cat Gemfile.lock | grep json | grep java
json (1.8.6-java)
$ find ./vendor | grep json | grep java
./vendor/bundle/jruby/2.5.0/gems/msgpack-1.3.3-java/spec/cases.json
./vendor/bundle/jruby/2.5.0/specifications/json-1.8.6-java.gemspec
./vendor/jruby/lib/ruby/gems/shared/specifications/default/json-2.2.0-java.gemspec
Anything else we need to know?:
Statement from RubyDev Team
Environment:
Output of grype version: grype 0.74.7
OS (e.g: cat /etc/os-release or similar):
Container OS:
$ cat /etc/release
CentOS Linux release 7.9.2009 (Core)
Derived from Red Hat Enterprise Linux 7.9 (Source)
NAME="CentOS Linux"
VERSION="7 (Core)"
Host OS:
CentOS Stream release 8
NAME="CentOS Stream"
VERSION="8"
ID="centos"
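A triage helper for reports like the one above, added here as an example (it is not grype's code and not from the issue): it reads grype's JSON output and flags gem matches whose gemspec location carries a platform suffix such as `-java`, so a reviewer can check whether an advisory written against the C extension applies to that build. It assumes grype's JSON shape (`matches[].vulnerability.id`, `matches[].artifact.{name,version,type,locations[].path}`); the sample input is constructed from the findings in the report.

```python
import json
import re

# Parses a gemspec basename such as "json-1.8.6-java.gemspec" into
# (name, version, platform); platform is None for pure-Ruby gems.
GEMSPEC_RE = re.compile(
    r"^(?P<name>.+?)-(?P<version>\d[^-]*)(?:-(?P<platform>.+))?\.gemspec$")


def parse_gemspec_name(path):
    """Return (name, version, platform) for a gemspec path, or None."""
    m = GEMSPEC_RE.match(path.rsplit("/", 1)[-1])
    if not m:
        return None
    return m.group("name"), m.group("version"), m.group("platform")


def flag_platform_gems(grype_json):
    """Return (vuln_id, name, version, platform, path) for every gem match
    whose gemspec location names a platform (java, x86_64-linux, ...)."""
    flagged = []
    for match in json.loads(grype_json)["matches"]:
        art = match["artifact"]
        if art.get("type") != "gem":
            continue  # rpm/deb findings are matched on other metadata
        for loc in art.get("locations", []):
            parsed = parse_gemspec_name(loc["path"])
            if parsed and parsed[2]:
                flagged.append((match["vulnerability"]["id"], *parsed, loc["path"]))
    return flagged


# Constructed sample mirroring the three grype findings in the report.
SPEC_DIR = "/usr/share/logstash/vendor/bundle/jruby/2.5.0/specifications/"
DEFAULT_DIR = "/usr/share/logstash/vendor/jruby/lib/ruby/gems/shared/specifications/default/"
SAMPLE = json.dumps({"matches": [
    {"vulnerability": {"id": "GHSA-jphg-qwrw-7w9g"},
     "artifact": {"name": "json", "version": "1.8.6", "type": "gem",
                  "locations": [{"path": SPEC_DIR + "json-1.8.6-java.gemspec"}]}},
    {"vulnerability": {"id": "GHSA-jphg-qwrw-7w9g"},
     "artifact": {"name": "json", "version": "2.2.0", "type": "gem",
                  "locations": [{"path": DEFAULT_DIR + "json-2.2.0-java.gemspec"}]}},
    {"vulnerability": {"id": "CVE-2020-12762"},
     "artifact": {"name": "json-c", "version": "0.11-4.el7_0", "type": "rpm",
                  "locations": [{"path": "/var/lib/rpm/Packages"}]}},
]})

if __name__ == "__main__":
    for vuln, name, ver, plat, path in flag_platform_gems(SAMPLE):
        print(f"{vuln}: {name} {ver} is a '{plat}' platform gem ({path}); review applicability")
```

Run it against real output with `grype <image> -o json` piped into `flag_platform_gems`; flagged rows are candidates for review, not an automatic verdict.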