datadog-agent
[SECURITY] Multiple Critical and High CVEs in DD agent 7.50.3
Our security team notified us about multiple HIGH and CRITICAL CVEs in datadog/agent:7.50.3.
When can we expect these vulnerabilities to be fixed? Thank you!
trivy image datadog/agent:7.50.3 --scanners vuln --severity HIGH,CRITICAL
2024-02-05T10:18:08.219+0100 INFO Vulnerability scanning is enabled
2024-02-05T10:18:08.249+0100 INFO Detected OS: ubuntu
2024-02-05T10:18:08.249+0100 WARN This OS version is not on the EOL list: ubuntu 23.10
2024-02-05T10:18:08.249+0100 INFO Detecting Ubuntu vulnerabilities...
2024-02-05T10:18:08.250+0100 INFO Number of language-specific files: 6
2024-02-05T10:18:08.250+0100 INFO Detecting gobinary vulnerabilities...
2024-02-05T10:18:08.260+0100 INFO Detecting python-pkg vulnerabilities...
datadog/agent:7.50.3 (ubuntu 23.10)
Total: 0 (HIGH: 0, CRITICAL: 0)
opt/datadog-agent/bin/agent/agent (gobinary)
Total: 7 (HIGH: 4, CRITICAL: 3)
Library                        | Vulnerability       | Severity | Status | Installed Version | Fixed Version | Title
github.com/cloudflare/circl    | GHSA-9763-4f94-gfch | HIGH     | fixed  | v1.3.3            | 1.3.7         | CIRCL's Kyber: timing side-channel (kyberslash2) (https://github.com/advisories/GHSA-9763-4f94-gfch)
github.com/go-git/go-git/v5    | CVE-2023-49569      | CRITICAL | fixed  | v5.4.2            | 5.11.0        | go-git: Maliciously crafted Git server replies can lead to path traversal and... (https://avd.aquasec.com/nvd/cve-2023-49569)
github.com/go-git/go-git/v5    | CVE-2023-49568      | HIGH     | fixed  | v5.4.2            | 5.11.0        | go-git: Maliciously crafted Git server replies can cause DoS on go-git clients... (https://avd.aquasec.com/nvd/cve-2023-49568)
github.com/moby/buildkit       | CVE-2024-23652      | CRITICAL | fixed  | v0.11.4           | 0.12.5        | moby/buildkit: possible host system access from mount stub cleaner (https://avd.aquasec.com/nvd/cve-2024-23652)
github.com/moby/buildkit       | CVE-2024-23653      | CRITICAL | fixed  | v0.11.4           | 0.12.5        | moby/buildkit: Buildkit's interactive containers API does not validate entitlements check (https://avd.aquasec.com/nvd/cve-2024-23653)
github.com/moby/buildkit       | CVE-2024-23651      | HIGH     | fixed  | v0.11.4           | 0.12.5        | moby/buildkit: possible race condition with accessing subpaths from cache mounts (https://avd.aquasec.com/nvd/cve-2024-23651)
github.com/opencontainers/runc | CVE-2024-21626      | HIGH     | fixed  | v1.1.8            | 1.1.12        | runc: file descriptor leak (https://avd.aquasec.com/nvd/cve-2024-21626)
opt/datadog-agent/embedded/bin/process-agent (gobinary)
Total: 2 (HIGH: 2, CRITICAL: 0)
Library                        | Vulnerability       | Severity | Status | Installed Version | Fixed Version | Title
github.com/cloudflare/circl    | GHSA-9763-4f94-gfch | HIGH     | fixed  | v1.3.3            | 1.3.7         | CIRCL's Kyber: timing side-channel (kyberslash2) (https://github.com/advisories/GHSA-9763-4f94-gfch)
github.com/opencontainers/runc | CVE-2024-21626      | HIGH     | fixed  | v1.1.8            | 1.1.12        | runc: file descriptor leak (https://avd.aquasec.com/nvd/cve-2024-21626)
opt/datadog-agent/embedded/bin/security-agent (gobinary)
Total: 2 (HIGH: 2, CRITICAL: 0)
Library                        | Vulnerability       | Severity | Status | Installed Version | Fixed Version | Title
github.com/cloudflare/circl    | GHSA-9763-4f94-gfch | HIGH     | fixed  | v1.3.3            | 1.3.7         | CIRCL's Kyber: timing side-channel (kyberslash2) (https://github.com/advisories/GHSA-9763-4f94-gfch)
github.com/opencontainers/runc | CVE-2024-21626      | HIGH     | fixed  | v1.1.8            | 1.1.12        | runc: file descriptor leak (https://avd.aquasec.com/nvd/cve-2024-21626)
opt/datadog-agent/embedded/bin/system-probe (gobinary)
Total: 7 (HIGH: 4, CRITICAL: 3)
Library                        | Vulnerability       | Severity | Status | Installed Version | Fixed Version | Title
github.com/cloudflare/circl    | GHSA-9763-4f94-gfch | HIGH     | fixed  | v1.3.3            | 1.3.7         | CIRCL's Kyber: timing side-channel (kyberslash2) (https://github.com/advisories/GHSA-9763-4f94-gfch)
github.com/go-git/go-git/v5    | CVE-2023-49569      | CRITICAL | fixed  | v5.4.2            | 5.11.0        | go-git: Maliciously crafted Git server replies can lead to path traversal and... (https://avd.aquasec.com/nvd/cve-2023-49569)
github.com/go-git/go-git/v5    | CVE-2023-49568      | HIGH     | fixed  | v5.4.2            | 5.11.0        | go-git: Maliciously crafted Git server replies can cause DoS on go-git clients... (https://avd.aquasec.com/nvd/cve-2023-49568)
github.com/moby/buildkit       | CVE-2024-23652      | CRITICAL | fixed  | v0.11.4           | 0.12.5        | moby/buildkit: possible host system access from mount stub cleaner (https://avd.aquasec.com/nvd/cve-2024-23652)
github.com/moby/buildkit       | CVE-2024-23653      | CRITICAL | fixed  | v0.11.4           | 0.12.5        | moby/buildkit: Buildkit's interactive containers API does not validate entitlements check (https://avd.aquasec.com/nvd/cve-2024-23653)
github.com/moby/buildkit       | CVE-2024-23651      | HIGH     | fixed  | v0.11.4           | 0.12.5        | moby/buildkit: possible race condition with accessing subpaths from cache mounts (https://avd.aquasec.com/nvd/cve-2024-23651)
github.com/opencontainers/runc | CVE-2024-21626      | HIGH     | fixed  | v1.1.8            | 1.1.12        | runc: file descriptor leak (https://avd.aquasec.com/nvd/cve-2024-21626)
opt/datadog-agent/embedded/bin/trace-agent (gobinary)
Total: 1 (HIGH: 1, CRITICAL: 0)
Library                        | Vulnerability  | Severity | Status | Installed Version | Fixed Version | Title
github.com/opencontainers/runc | CVE-2024-21626 | HIGH     | fixed  | v1.1.8            | 1.1.12        | runc: file descriptor leak (https://avd.aquasec.com/nvd/cve-2024-21626)
+1
VM can confirm that vulns GHSA-9763-4f94-gfch for the cloudflare/circl package and CVE-2023-49569 / CVE-2023-49568 for the packages running go-git are patched already, and should be included in the next release. The remaining CVEs containing buildkit and runc packages are still being investigated. @clamoriniere can build on this if needed
The runc vulnerability CVE-2024-21626 applies to runtime components of opencontainers/runc (where runc is used to run a container image). The Datadog agent does not "run" containers but rather leverages runc as a client to get information from running containers and therefore would not be susceptible to this vulnerability. Datadog is targeting to bump the version of runc used in the Agent to v1.1.12 with the Agent v7.52 release, which will help ensure vulnerability scanners do not report this vulnerability. In the interim, this is not a vulnerability that could be exploited within the context of the Agent.
Thank you @TamaraLewis. Does the same logic apply then when looking at https://nvd.nist.gov/vuln/detail/CVE-2024-23652? If possible, can Datadog focus on triaging the critical vulnerabilities reported here?
Datadog runs frequent scans against the agent, and has already patched or is working towards patching the vulnerabilities reported in this case.
Hi @TamaraLewis ! Is there any ETA for these vulnerabilities to be remediated?
The moby/buildkit version will be updated in agent v7.52 to address this issue. Additionally, the component within moby/buildkit that is impacted by this vulnerability is not used by the Datadog Agent. @gfoligna-nyshex please see my earlier responses which address all other packages in this list.
Additionally, if you are a Datadog customer, it is best to open these concerns through the Zendesk portal, to be addressed by our SEs, as our team does not monitor GitHub. I happened to be forwarded this link. Thank you!
Hi, @TamaraLewis, thank you for the updates. Is there an estimated date for v7.52?
Any date on release for v7.52?
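Triage of the kind applied in this thread (scanner finding still present until the dependency is bumped, but judged not exploitable in the Agent's context), as an added example that is not part of the issue or of the datadog-agent project: it parses a constructed, reduced report in the shape of `trivy image --format json` output (not a real scan file) and annotates each Go-binary finding with the not-affected justifications the maintainers gave for runc and buildkit. The `NOT_AFFECTED` map, the function names and the sample report are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `trivy image --format json` output, reduced to four of
# the agent-binary findings from the table above (not a real scan file).
SAMPLE_TRIVY_JSON = """{
  "Results": [
    {"Target": "datadog/agent:7.50.3 (ubuntu 23.10)", "Class": "os-pkgs", "Type": "ubuntu"},
    {"Target": "opt/datadog-agent/bin/agent/agent", "Class": "lang-pkgs", "Type": "gobinary",
     "Vulnerabilities": [
      {"VulnerabilityID": "GHSA-9763-4f94-gfch", "PkgName": "github.com/cloudflare/circl",
       "InstalledVersion": "v1.3.3", "FixedVersion": "1.3.7", "Severity": "HIGH"},
      {"VulnerabilityID": "CVE-2023-49569", "PkgName": "github.com/go-git/go-git/v5",
       "InstalledVersion": "v5.4.2", "FixedVersion": "5.11.0", "Severity": "CRITICAL"},
      {"VulnerabilityID": "CVE-2024-23652", "PkgName": "github.com/moby/buildkit",
       "InstalledVersion": "v0.11.4", "FixedVersion": "0.12.5", "Severity": "CRITICAL"},
      {"VulnerabilityID": "CVE-2024-21626", "PkgName": "github.com/opencontainers/runc",
       "InstalledVersion": "v1.1.8", "FixedVersion": "1.1.12", "Severity": "HIGH"}]}
  ]
}"""

# Triage decisions stated in the thread (assumed encoding), keyed by (id, package) so a
# justification for one package can never silence the same id reported in another package.
NOT_AFFECTED = {
    ("CVE-2024-21626", "github.com/opencontainers/runc"):
        "Agent uses runc as a client to query containers, not as a container runtime",
    ("CVE-2024-23652", "github.com/moby/buildkit"):
        "the affected buildkit component is not used by the Agent",
}

def triage(report_json, severities=("HIGH", "CRITICAL")):
    """Group Go-binary findings by target binary and annotate each with its triage status."""
    findings = defaultdict(list)
    for result in json.loads(report_json).get("Results", []):
        if result.get("Type") != "gobinary":  # OS packages are reported under their own Type
            continue
        for v in result.get("Vulnerabilities", []):
            if v["Severity"] not in severities:
                continue
            key = (v["VulnerabilityID"], v["PkgName"])
            findings[result["Target"]].append({
                "id": v["VulnerabilityID"], "pkg": v["PkgName"], "severity": v["Severity"],
                "installed": v["InstalledVersion"], "fixed": v.get("FixedVersion", ""),
                "status": "not_affected" if key in NOT_AFFECTED else "open",
                "justification": NOT_AFFECTED.get(key, ""),
            })
    return dict(findings)

def open_ids(report_json):
    # Ids that still need a dependency bump and carry no recorded justification.
    return sorted({f["id"] for fs in triage(report_json).values() for f in fs if f["status"] == "open"})
```

The "not_affected" rows are still worth tracking until the bumped version ships, because the scanner will keep reporting them; the justification is what an auditor needs to see alongside the finding.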