synopsis security scanning is reporting these vulnerabilities with telegraf executable

[matts19]

Supposedly /usr/bin/telegraf binary is including the vulnerable versions of github, etcd and moby.

At first these looked like false positives since I thought it had nothing to do with them, but I found that these may be input plugins whereby telegraf might have taken code from these products.

For example this is a docker (moby) input plugin and it is old enough to have vulnerabilities: https://github.com/influxdata/telegraf/tree/release-1.7/plugins/inputs/docker

I'd be great to have them updated to the latest versions or clarify them as some vulnerabilities have a high CVSSv3 score.

[ssoroka]

Couple thoughts on this.

1. Typically Telegraf is not exposed to public networks, so I would imagine this risk is low, and can be mostly disregarded for anyone not exposing Telegraf to external traffic.
2. You referenced release-1.7, we're on 1.15.2. Not sure if you're saying 1.7 is old and has issues or 1.15 is using an old dependency that has issues.
3. I don't really know what's meant by moby, "github", and etcd. these are not direct dependencies of Telegraf (Telegraf does not install or import them), so I don't see how that's relevant. Is this a concern with the Debian packaging?

We'd be interested in reviewing the list of vulnerabilities anyway.

[matts19]

Couple thoughts on this.

1. Typically Telegraf is not exposed to public networks, so I would imagine this risk is low, and can be mostly disregarded for anyone not exposing Telegraf to external traffic.

2. You referenced release-1.7, we're on 1.15.2. Not sure if you're saying 1.7 is old and has issues or 1.15 is using an old dependency that has issues.

3. I don't really know what's meant by moby, "github", and etcd. these are not direct dependencies of Telegraf (Telegraf does not install or import them), so I don't see how that's relevant. Is this a concern with the Debian packaging?

We'd be interested in reviewing the list of vulnerabilities anyway.

On 2. I stand corrected .The correct link should be https://github.com/influxdata/telegraf/tree/master/plugins/inputs/docker. The security scan happens to be done against the latest telegraf debian, with the result I posted above, but I could have scanned zip or other formats (i.e. debian has nothing to do with the scan result I believe).

On 3. Since moby, etcd, and github were identified as vulnerable, I thought maybe telegraf had statically linked with them or maybe taken part of their code or something.

Since the scan uses either the fingerprint or the hashsum of the components, I thought there had to be a reason why it detected github/moby/etcd in the telegraf executable so I wanted to report it to be triaged. It sounds like you are saying that the scan results are false positives based on the fact that telegraf does not directly depend on these identified components. Should anything new comes out of your deeper review of the scan result, do keep me posted here. Thank you!

[sjwang90]

@darinfisher Is this something you could review and provide feedback?

[darinfisher]

@sjwang90 I did a quick review and found only the github library requires more research, see below.
This was not a deep dive and we should run this through regular code analysis. We will be implementing this shortly.

Moby - Not a concern

The code does not seem to be used anywhere anymore. All references are in comments within the code.
Files reviewed:

• plugins/inputs/docker/docker.go
• plugings/inputs/docker_log/docker_log.go
• plugins/inputs/ecs/stats.go

etcd - Not a concern

Looks like this is only used for testing purposes.
Files reviewed:

• internal/docker/docker_test.go
• plugins/inputs/docker
  • /docker_test.go
  • /docker_testdata.go

github - Requires deeper analysis

We have two plugins utilizing the github libraries, Github and Webhooks Github.
We probably only need to update the 'github' Go library used for the build.
Files reviewed:

• plugins/inputs/github/...
• plugins/inputs/webhooks/github/...

[p-zak]

Hello, I performed deeper dive and here are some results.

I built binary from master (2020.09.07, last commit: 6324b1f), made a scan and here is default result:

We can see that BDBA didn't recognize proper versions of dependencies.
Lets make some overrides in BDBA:

1. moby - what is is? Formerly it was known as docker. You can see that URI of docker dependency (https://github.com/docker/docker) redirects to moby (https://github.com/moby/moby). But using https://github.com/docker/docker in go.mod still works.
   Version used in go.mod: v1.4.2-0.20180327123150-ed7b6428c133
   Timestamp from this version leads us to v18.04.0-ce release.
2. github - in go.mod we can find version: github.com/google/go-github v17.0.0+incompatible - so I will use v17.0.0 in BDBA.
3. etcd - only used as docker image in tests files but somehow it is mentioned in binary and found by BDBA (I can even found it in binary when I open it in notepad). Everywhere version "v2.2.2" is used.

After version overrides scan looks like this:

So there had been few false positives because of wrong versions of dependencies, but there are still some problems - mainly in old version of moby/docker used in 3 input plugins:

• docker
• docker_log
• ecs

Lets change version of moby/docker in go.mod to the newest one: github.com/docker/docker v19.03.12. After go mod tidy it will be changed to github.com/docker/docker v17.12.0-ce-rc1.0.20200618181300-9dc6525e6118+incompatible.

Scan result after this change:

Much better :)

To fix "problem" with etcd all v2.2.2 versions can be changed to the newest version: v3.3.25 (also tests in plugins/inputs/docker/docker_test.go should be adjusted)

[darinfisher]

Thank you @p-zak for the quality analysis.
I am in agreement with @p-zak, we should upgrade the versions of the etcd and docker (moby) libraries. Though the security concern is very minimal because the libraries are only used during the pre-release testing processes.

[p-zak]

Thank you @p-zak for the quality analysis.
I am in agreement with @p-zak, we should upgrade the versions of the etcd and docker (moby) libraries. Though the security concern is very minimal because the libraries are only used during the pre-release testing processes.

@darinfisher
etcd is used during testing process.
As far as I understand, moby (docker) is used in 3 input plugins.

[darinfisher]

Thank you @p-zak for the quality analysis.
I am in agreement with @p-zak, we should upgrade the versions of the etcd and docker (moby) libraries. Though the security concern is very minimal because the libraries are only used during the pre-release testing processes.

@darinfisher
etcd is used during testing process.
As far as I understand, moby (docker) is used in 3 input plugins.

Correct, docker is used in 3 other plugins. The only hard calls I could find in these are related to typing.
Even so, we should update to the modern libraries. Also update to the 'moby' namespace.

[matts19]

Here is the latest scan against latest telegraf release. We are down to only two vulnerabilities (thanks!) That said I do see sqlite being vulnerable which I had not seen recently, so this must be a newly introduced component. If someone could have a look at the remaining items I'd be very thankful ! Regards.

[p-zak]

@matts19

Hi! sqlite3 3.1.1 was wrongly identified - it is not used by Telegraf. Instead of it, modernc.org/sqlite v1.7.4 should be identified (sqlite driver, not DB itself).

moby - wrong version was identified (as I wrote few weeks ago: v19.03.12 is used in Telegraf binary).

[powersj]

I am going to close this as the versions mentioned here have long been updated since this was filed. If there are additional issues that come up, please do follow our security.md for reporting them.

Thanks!