[Bug, Vulnerability] CVE-2023-48795

[VladislavDubrovenski]

Search before asking

• I had searched in the issues and found no similar issues.

Apache SkyWalking Component

OAP server (apache/skywalking)

What happened

Good day,

The scanner flags CVE-2023-48795 in OAP and UI that I am required to fix to continue using this great project..

The skywalking is deployed using a helm chart.

More information:
OAP:

• fixedVersion: 0.17.0
  installedVersion: v0.0.0-20220411220226-7b82a4e95df4
  lastModifiedDate: "2024-01-29T09:15:42Z"
  links: []
  primaryLink: https://avd.aquasec.com/nvd/cve-2023-48795
  publishedDate: "2023-12-18T16:15:10Z"
  resource: golang.org/x/crypto
  score: 5.9
  severity: MEDIUM
  target: ""
  title: 'ssh: Prefix truncation attack on Binary Packet Protocol (BPP)'
  vulnerabilityID: CVE-2023-48795

UI:

• fixedVersion: 0.9.6-2ubuntu0.22.04.2
  installedVersion: 0.9.6-2ubuntu0.22.04.1
  lastModifiedDate: "2024-01-29T09:15:42Z"
  links: []
  primaryLink: https://avd.aquasec.com/nvd/cve-2023-48795
  publishedDate: "2023-12-18T16:15:10Z"
  resource: libssh-4
  score: 5.9
  severity: MEDIUM
  target: ""
  title: 'ssh: Prefix truncation attack on Binary Packet Protocol (BPP)'
  vulnerabilityID: CVE-2023-4879

What you expected to happen

No vulnerability found

How to reproduce

Install skywalking via helm chart

Anything else

No response

Are you willing to submit a pull request to fix on your own?

• Yes I am willing to submit a pull request on my own!

Code of Conduct

• I agree to follow this project's Code of Conduct

[wu-sheng]

We are not using Go and Python in OAP. I am not sure what you mean. This is a Java project.

[VladislavDubrovenski]

@wu-sheng I understand that, I opened it for OAP. Also, it occurs to me that the image you use for deployment on k8s for UI has the vulnerability. Where should I report this? This vulnerability was present for almost 2 months and my only other remediation is to disable the skywalking which I really don't want to do as I have written custom scripts for it as well..

[wu-sheng]

OK, if you mean images, you need to check whether it is from swctl or something? Because OAP and UI themselves are only Java based.

You could check the docker file, https://github.com/apache/skywalking/blob/master/docker/oap/Dockerfile

About the CLI, it is from https://github.com/apache/skywalking-cli.

[wu-sheng]

Or is this a Linux level CVE? You could repackage the whole thing and get the latest eclipse-temurin:11-jre.

[VladislavDubrovenski]

@wu-sheng I appreciate you reopening this issue. Constantly repackaging every open-source solution would make it a nightmare from maintainability perspective. It seems that many open-source solutions suffer from this vulnerability(even though the library in question was not in use in many, but scans still flag it).

I have several examples where it was already fixed:

Jaeger: jaegertracing/jaeger#5016
Grafana: grafana/grafana#80316
ArgoCD: argoproj/argo-cd#17020
Prometheus: prometheus/prometheus#13512
And others

I understand that this causes certain inconveniences, and I apologize for that, but I had been required to address this particular vulnerability in the past month.

[wu-sheng]

@kezhenxu94 Could you take a look? I think this may be either from base image or a kind of CLI side issues.

[wu-sheng]

CLI fixed at apache/skywalking-cli#199