datadog-agent icon indicating copy to clipboard operation
datadog-agent copied to clipboard
verified publisher icon DataDog

[BUG] datadog agent CVE-2023-4807

Open more-urgent-jest opened this issue 1 year ago • 6 comments

When the latest agent, v 7.54.1.0 is installed it install a vulnerable version of OpenSSL into:

c:\program files\datadog\datadog agent\embedded3\lib\site-packages\confluent_kafka.libs

specifically:

libcrypto-3-x64-635e87f2c9173c8128924a94337627b3.dll libssl-3-x64-a0018292260ae8557aa3cd7db7d50307.dll

which are both version 3.0.8

these vulnerabilities are flagged up by azure cloud defender:

CVE-2023-4807 | High CVE-2023-2650 | Medium CVE-2023-5363 | Medium CVE-2023-2975 | Medium CVE-2023-0464 | Medium CVE-2024-2511 | Low CVE-2023-3817 | Low CVE-2023-5678 | Low CVE-2023-0466 | Low CVE-2023-1255 | Low CVE-2023-0465 | Low CVE-2023-6237 | Low CVE-2024-0727 | Low

could you please update the install to use a later version,

more-urgent-jest avatar Jun 26 '24 22:06 more-urgent-jest

See also #24745 I checked and it looks like updating the datadog-kafka-consumer integration to 4.4.0 should also update the Python dependencies which come with a newer OpenSSL version. However I had no success, the folder with the old DLLs remained.

delreluca avatar Jun 28 '24 18:06 delreluca

Confluent has released the fix in version 2.4.0 in May, and now even 2.5.0 is released. Can we get someone from Datadog to update the dependency to finally fix this vulnerability?

https://github.com/confluentinc/confluent-kafka-python/releases/tag/v2.5.0

trapeznikov avatar Jul 17 '24 15:07 trapeznikov

@trapeznikov you should be able to get v2.4.0 with Agent v7.55.0. We'll likely bump to v2.5.0 in Agent 7.57 or 7.58.

iliakur avatar Jul 18 '24 09:07 iliakur

I still have the vulnerable OpenSSL DLL after upgrading the Agent yesterday. Is it a packaging bug or how can that be?

delreluca avatar Jul 18 '24 17:07 delreluca

I just updated some Windows Server 2022 Datacenter Azure Edition servers to use 7.55.1 via the latest msi and the dlls in c:\program files\datadog\datadog agent\embedded3\lib\site-packages\confluent_kafka.libs are still version 3.0.8.

am I doing something wrong?

more-urgent-jest avatar Jul 29 '24 03:07 more-urgent-jest

this still doesn't seem to be fixed as I just installed 7.57.0.0 and those dlls are still the old version.

Are they even used or can I delete them?

more-urgent-jest avatar Sep 11 '24 21:09 more-urgent-jest

This issue is still presen after updating to agent version 7.58.0 Same location C:\Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs

filenames: libcrypto-3-x64-dee5737be664dc34cad7e22a92cf035c.dll libssl-3-x64-ef7b632c1621721a2bf84b10a5e53c36.dll

Any further action which can be taken?

dbrown-tiimely avatar Oct 24 '24 06:10 dbrown-tiimely

In an effort to clean up old issues and resolve them before closing, all of the included CVEs have been researched on the latest version of the Datadog Agent (7.64.3) and and have confirmed that they have all been patched

stephengroat-dd avatar Apr 17 '25 19:04 stephengroat-dd

Hi @more-urgent-jest (et al), Thank you for reporting this issue. As the underlying problem seems to have been resolved, I will close it but feel free to reopen it if you are still encountering the mentioned findings.

sgnn7 avatar Apr 25 '25 19:04 sgnn7