
opentelemetry-operator/autoinstrumentation-java having Snake yaml vulnerability #1313

Open
Ripurwar80 opened this issue Dec 12, 2022 · 6 comments

@Ripurwar80

| Name | Resource | Resource Path | Severity | Score | Fix Version |
|---|---|---|---|---|---|
| CVE-2022-41854 | snakeyaml | /javaagent.jar | medium | 6.5 | None |

@pavolloffay
Member

@Ripurwar80 in which Java auto-instrumentation image is the vulnerability?

We have just published 1.21.0 https://github.com/open-telemetry/opentelemetry-operator/pkgs/container/opentelemetry-operator%2Fautoinstrumentation-java. Does it fix the issue?

@pavolloffay pavolloffay added the area:auto-instrumentation Issues for auto-instrumentation label Dec 19, 2022
@Ripurwar80
Author

| Name | Resource | Resource Path | Severity | Score | Fix Version |
|---|---|---|---|---|---|
| CVE-2022-28391 | busybox | /bin/busybox | high | 8.8 | None |
| CVE-2022-23218 | glibc | /bin/getconf | critical | 9.8 | None |
| CVE-2022-23219 | glibc | /bin/getconf | critical | 9.8 | None |
| CVE-2021-35942 | glibc | /bin/getconf | critical | 9.1 | None |
| CVE-2020-6096 | glibc | /bin/getconf | high | 8.1 | None |
| CVE-2021-3326 | glibc | /bin/getconf | high | 7.5 | None |
| CVE-2021-38604 | glibc | /bin/getconf | high | 7.5 | None |
| CVE-2020-1752 | glibc | /bin/getconf | high | 7 | None |
| CVE-2019-25013 | glibc | /bin/getconf | medium | 5.9 | None |
| CVE-2020-10029 | glibc | /bin/getconf | medium | 5.5 | None |
| CVE-2020-27618 | glibc | /bin/getconf | medium | 5.5 | None |
| CVE-2020-29562 | glibc | /bin/getconf | medium | 4.8 | None |
| CVE-2021-27645 | glibc | /bin/getconf | low | 2.5 | None |
| CVE-2005-0602 | unzip | /bin/unzip | medium | 6.2 | None |
| CVE-2001-1268 | unzip | /bin/unzip | low | 2.1 | None |
| CVE-2001-1269 | unzip | /bin/unzip | low | 2.1 | None |

@pavolloffay
Member

It seems that the vulnerability comes from the busybox base image.

BusyBox is used in the java and dotnet auto-instrumentation images.
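The triage step behind the comment above (deciding whether a scanner finding belongs to the shipped javaagent.jar or to the base image) as an added example; this is constructed illustration code, not tooling from the opentelemetry-operator project, and it assumes the scanner's whitespace-separated "Name Resource Resource Path Severity Score Fix Version" row format and an image layout where everything under /bin/ comes from the BusyBox base image:

```python
"""Group container-scanner findings by the layer that ships the affected file.

Constructed example: the sample rows below are a subset of the scanner output
pasted earlier in this issue; the base-image/artifact split is an assumption
about this image's layout (/bin/* from BusyBox, the agent jar from the build).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_SCAN = """\
Name Resource Resource Path Severity Score Fix Version
CVE-2022-41854 snakeyaml /javaagent.jar medium 6.5 None
CVE-2022-28391 busybox /bin/busybox high 8.8 None
CVE-2022-23218 glibc /bin/getconf critical 9.8 None
CVE-2021-27645 glibc /bin/getconf low 2.5 None
CVE-2005-0602 unzip /bin/unzip medium 6.2 None
"""


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    path: str
    severity: str
    score: float
    fix_version: Optional[str]  # None when the scanner reports no fixed version


def parse_findings(text: str) -> List[Finding]:
    """Parse 'CVE package path severity score fix' rows; header/blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].startswith("CVE-"):
            continue
        cve, package, path, severity, score, fix = parts
        findings.append(Finding(cve, package, path, severity.lower(), float(score),
                                None if fix == "None" else fix))
    return findings


def owner(path: str) -> str:
    """Attribute a file to the layer that ships it (assumed layout, see module docstring)."""
    return "base-image" if path.startswith("/bin/") else "artifact"


def triage(findings: List[Finding]) -> Dict[str, Dict[str, Tuple[int, float, bool]]]:
    """Return {owner: {package: (finding_count, highest_score, fix_available)}}."""
    out: Dict[str, Dict[str, Tuple[int, float, bool]]] = defaultdict(dict)
    for f in findings:
        count, top, fixable = out[owner(f.path)].get(f.package, (0, 0.0, False))
        out[owner(f.path)][f.package] = (count + 1, max(top, f.score),
                                         fixable or f.fix_version is not None)
    return {layer: dict(pkgs) for layer, pkgs in out.items()}
```

Findings under "base-image" are resolved by rebuilding on an updated base image, while those under "artifact" need a dependency bump in the agent build.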

@jaronoff97
Contributor

jaronoff97 commented Nov 28, 2023

@Ripurwar80 is this still an issue?

@jaronoff97
Contributor

I actually think this is still a problem, but #1600 has more solutions proposed.
