
CVE-2020-14001 Kramdown gem version

Open calexander3 opened this issue 5 years ago • 10 comments

It looks like the version of Kramdown that you are using has a security issue filed. Could you please update the version?

https://security-tracker.debian.org/tracker/CVE-2020-14001

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

calexander3 avatar Aug 21 '20 17:08 calexander3

Note: kramdown is a transitive development dependency by way of logstash-devutils, and is not included in distributed packages.

yaauie avatar Aug 22 '20 04:08 yaauie

Note: kramdown is a transitive development dependency by way of logstash-devutils, and is not included in distributed packages.

Does that mean that even though it is in the Gemfile.lock of the install, it is not actually present? I downloaded Logstash from here: https://artifacts.elastic.co/downloads/logstash/logstash-7.9.0.zip.

calexander3 avatar Aug 24 '20 19:08 calexander3

The only reference to kramdown that is included in the distributed artifact is an adapter within tilt (not kramdown itself):

╭─{ yaauie@limbo:~/src/elastic/logstash (✘ master) }
╰─● unzip -l ~/Downloads/logstash-7.9.0.zip | grep kramdown                              
      514  08-12-2020 00:03   logstash-7.9.0/vendor/bundle/jruby/2.5.0/gems/tilt-2.0.10/lib/tilt/kramdown.rb
[success]

yaauie avatar Sep 04 '20 05:09 yaauie

My pipeline has also failed when using trivy to inspect the following Logstash image: docker.elastic.co/logstash/logstash-oss, for both 7.9.2-SNAPSHOT and 8.0.0-SNAPSHOT.


rbrayner avatar Sep 14 '20 17:09 rbrayner

My pipeline fails because now it is CRITICAL.

I tried using 7.9.3 and 7.10.0 docker images

brunocascio avatar Nov 13 '20 16:11 brunocascio

Same issue here. Looks like it needs to be fixed in tilt first, as @yaauie mentioned in https://github.com/elastic/logstash/issues/12199#issuecomment-686916763

I created an issue on the tilt repository as well: https://github.com/rtomayko/tilt/issues/358

Joengenduvel avatar Nov 18 '20 15:11 Joengenduvel

@Joengenduvel The kramdown dependency does not come from tilt, but rather from logstash-devutils. I created an issue there.

I am still not sure whether this means that it is an issue for logstash as well or not. Is logstash-devutils only used within logstash's build, or is it present in the final image as well?

flauflauf avatar Jan 06 '21 17:01 flauflauf

Looking inside the logstash image, logstash-devutils does not seem to be among the installed gems:

[root@f4a80e189b4a logstash]# gem list

*** LOCAL GEMS ***

bigdecimal (1.2.0)
io-console (0.4.2)
json (1.7.7)
psych (2.0.0)
rdoc (4.0.0)
[root@f4a80e189b4a logstash]# ls /usr/share/gems/gems/
bigdecimal-1.2.0  io-console-0.4.2  json-1.7.7  psych-2.0.0  rdoc-4.0.0

Does that mean logstash is unaffected by the CVE?

flauflauf avatar Jan 06 '21 17:01 flauflauf

Does that mean logstash is unaffected by the CVE?

Yes. As we have previously indicated, kramdown is not included in released Logstash packages and therefore releases of Logstash are not affected by the CVE. It shows up in the Gemfile.lock because it is a development dependency.

Note: kramdown is a transitive development dependency by way of logstash-devutils, and is not included in distributed packages.

yaauie avatar Jan 07 '21 07:01 yaauie
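One way to check a claim of this kind yourself (a gem that is reachable only through a development dependency, and whether its locked version is below the fixed one), as an added example that is not code from this thread or from the Logstash project: the Ruby script below parses a Gemfile.lock, reports which top-level dependencies reach a given gem, and compares the locked version against the advisory's fixed version. The lockfile excerpt and its versions are constructed for the example.

```ruby
require "rubygems"   # for Gem::Version
# Constructed Gemfile.lock excerpt (assumption: Bundler's lockfile layout; versions are made up).
LOCKFILE = <<~LOCK
  GEM
    specs:
      kramdown (2.1.0)
      logstash-devutils (1.3.6)
        kramdown (~> 2.1)
      tilt (2.0.10)

  DEPENDENCIES
    logstash-devutils
    tilt
LOCK

# Parse the GEM/specs dependency graph and the top-level DEPENDENCIES list.
def parse_lockfile(text)
  specs, top, section, current = {}, [], nil, nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    (section = line; next) if line !~ /^\s/   # unindented line starts a section
    indent, body = line[/^ */].size, line.strip
    if section == "GEM" && indent == 4 && body =~ /^(\S+) \(([^)]+)\)$/
      specs[current = $1] = { version: $2, deps: [] }
    elsif section == "GEM" && indent == 6 && current
      specs[current][:deps] << body.split(" ").first   # drop the "(~> 2.1)" constraint
    elsif section == "DEPENDENCIES" && indent == 2
      top << body.split(" ").first.sub(/!$/, "")
    end
  end
  [specs, top]
end

# Breadth-first search from each top-level dependency; shortest path per root that reaches +target+.
def dependency_paths(specs, top, target)
  top.each_with_object([]) do |root, paths|
    queue, seen = [[root]], {}
    until queue.empty?
      path = queue.shift; name = path.last
      next if seen[name]
      seen[name] = true
      name == target ? paths << path : (specs[name] || { deps: [] })[:deps].each { |d| queue << path + [d] }
    end
  end
end

# True when the locked version is below the advisory's fixed version (2.3.0 for CVE-2020-14001).
def vulnerable?(specs, name, fixed_in)
  spec = specs[name] or return false
  Gem::Version.new(spec[:version]) < Gem::Version.new(fixed_in)
end
```

Whether a root such as logstash-devutils is development-only is recorded in the Gemfile's groups, not in the lockfile, so the path this script prints still has to be read against the Gemfile before concluding a finding is dev-only.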

Since this still comes up in security scans, I wonder why you don't update the dev dependencies, too?

dominik-ba avatar Jul 20 '22 12:07 dominik-ba