
Critical & High Security vulnerability issue in Kapacitor Daemon with Trivy Scan #2826

Closed
sathyendranv opened this issue Jul 18, 2024 · 3 comments

Comments


Hi Team,

We are using kapacitor as part of the TICK stack. Recently, when we ran a trivy scan, we found 1 high issue with Kapacitor Daemon (v1.7.4). So we tried the latest version (v1.7.5); the same issue was still present. This fix is essential for our releases. Please fix the vulnerability issue.

Below is the report from Trivy scan:

Kapacitor Daemon Version 1.7.4

Trivy Vulnerability Scan Results (usr/local/bin/kapacitord)

| VulnerabilityID | Severity | CVSS Score | Title | Library | Vulnerable Version | Fixed Version | Information URL | Triage Information |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-21698 | HIGH | 7.5 | prometheus/client_golang: Denial of service using InstrumentHandlerCounter | github.com/prometheus/client_golang | v1.10.0 | 1.11.1 | https://avd.aquasec.com/nvd/cve-2022-21698 | |

Kapacitor Daemon Version 1.7.5

Trivy Vulnerability Scan Results (usr/local/bin/kapacitord)

| VulnerabilityID | Severity | CVSS Score | Title | Library | Vulnerable Version | Fixed Version | Information URL | Triage Information |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-21698 | HIGH | 7.5 | prometheus/client_golang: Denial of service using InstrumentHandlerCounter | github.com/prometheus/client_golang | v1.10.0 | 1.11.1 | https://avd.aquasec.com/nvd/cve-2022-21698 | |
| CVE-2024-24791 | MEDIUM | | net/http: Denial of service due to improper 100-continue handling in net/http | stdlib | 1.22.4 | 1.21.12, 1.22.5 | https://avd.aquasec.com/nvd/cve-2024-24791 | |
sathyendranv changed the title from "High Security vulnerability issue in Kapacitor Daemon with Trivy Scan" to "Critical & High Security vulnerability issue in Kapacitor Daemon with Trivy Scan" on Oct 10, 2024

sathyendranv commented Oct 10, 2024

With Kapacitor Daemon(v1.7.4 and v1.7.5)

Trivy Vulnerability Scan Results (usr/local/bin/kapacitord)

| VulnerabilityID | Severity | CVSS Score | Title | Library | Vulnerable Version | Fixed Version | Information URL | Triage Information |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-41110 | CRITICAL | | moby: Authz zero length regression | github.com/docker/docker | v24.0.9+incompatible | 23.0.15, 26.1.5, 27.1.1, 25.0.6 | https://avd.aquasec.com/nvd/cve-2024-41110 | |
| CVE-2022-21698 | HIGH | 7.5 | prometheus/client_golang: Denial of service using InstrumentHandlerCounter | github.com/prometheus/client_golang | v1.10.0 | 1.11.1 | https://avd.aquasec.com/nvd/cve-2022-21698 | |

jdstrand (Contributor) commented Oct 15, 2024

Thank you for your report.

Below is the report from Trivy scan:

  • CVE-2022-21698 is GHSA-cg3q-j54f-5p7p. kapacitor imports github.com/prometheus/client_golang/prometheus and not the affected github.com/prometheus/client_golang/promhttp, and so this does not affect kapacitor.
  • CVE-2024-24791 is GHSA-hw49-2p59-3mhj, and this assignment has not been reviewed by GitHub and there haven't been dependabot alerts for it. That said, this is mostly a client issue but also affects servers that use net/http/httputil.ReverseProxy, and kapacitor does not use net/http/httputil.ReverseProxy.
  • CVE-2024-41110 is GHSA-v23v-6jw2-98fq and applies to Docker Engine and authz to the Docker Engine API. While kapacitor does import github.com/docker/docker for github.com/docker/docker/api/types and github.com/docker/docker/api/types/swarm, it does not provide the Docker Engine API and is not affected.

InfluxData closely follows security alerts across its product line and will issue updates for kapacitor to address issues that affect it. These updates may include updates that happen to make these Trivy issues go away, but as these are false positives for kapacitor, there aren't plans to release a new update for kapacitor for these issues at this time. (cc @srebhan and @davidby-influx).

Thanks again for your report.


itaysk commented Oct 20, 2024

Hello from team Trivy :) Just chiming in to say that Trivy now allows software maintainers (you) to publish vulnerability analysis for your software (packages, libraries, container images) so that vulnerability scanners will automatically suppress those irrelevant vulnerabilities for end users. You can read more here:

  • https://aquasecurity.github.io/trivy/latest/docs/supply-chain/vex/repo/#publishing-vex-documents
  • https://github.com/aquasecurity/vexhub

Feel free to reach me or the Trivy team if you have any issues/feedback.
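The two maintainer-side steps discussed in this thread, package-level reachability triage (jdstrand's comment: the module is linked in, but the package holding the vulnerable code is not) and publishing that conclusion as a VEX document so scanners such as Trivy suppress the finding (itaysk's comment), fit together in one small workflow. The following is an added example written for this page; it is not kapacitor project code and not Trivy's implementation. It assumes the product PURL `pkg:golang/github.com/influxdata/kapacitor@v1.7.5`, a placeholder document id and author, a constructed `go list -deps` output, and, for CVE-2024-41110, that the relevant moby code lives in `github.com/docker/docker/pkg/authorization` (the thread only says the issue concerns Docker Engine authz). Findings are reconstructed from the Trivy rows quoted above.

```python
"""Triage Trivy findings against a Go binary's actual package link set and
emit an OpenVEX document that scanners can consume. Added example; the PURL,
document id, author, docker package path and sample inputs are assumptions."""
import json
from datetime import datetime, timezone

# Constructed sample of `go list -deps -f '{{.ImportPath}}' ./cmd/kapacitord`
# output: the prometheus client and docker API type packages are linked in,
# while promhttp, net/http/httputil and the docker authz package are not.
SAMPLE_GO_LIST = """\
net/http
github.com/prometheus/client_golang/prometheus
github.com/prometheus/client_golang/prometheus/internal
github.com/docker/docker/api/types
github.com/docker/docker/api/types/swarm
"""

# Trivy findings reconstructed from the rows quoted in this issue (constructed input).
TRIVY_FINDINGS = [
    {"VulnerabilityID": "CVE-2022-21698", "PkgName": "github.com/prometheus/client_golang", "InstalledVersion": "v1.10.0"},
    {"VulnerabilityID": "CVE-2024-24791", "PkgName": "stdlib", "InstalledVersion": "1.22.4"},
    {"VulnerabilityID": "CVE-2024-41110", "PkgName": "github.com/docker/docker", "InstalledVersion": "v24.0.9+incompatible"},
]

# Package that each advisory's vulnerable code lives in. The first two follow the
# maintainer's analysis in this thread; the docker entry is an assumption.
VULNERABLE_PACKAGE = {
    "CVE-2022-21698": "github.com/prometheus/client_golang/prometheus/promhttp",
    "CVE-2024-24791": "net/http/httputil",
    "CVE-2024-41110": "github.com/docker/docker/pkg/authorization",
}

# Assumed product identifier; it must match the PURL the scanner derives for the binary.
PRODUCT = "pkg:golang/github.com/influxdata/kapacitor@v1.7.5"


def linked_packages(go_list_output):
    """Return the set of package import paths compiled into the binary."""
    return {line.strip() for line in go_list_output.splitlines() if line.strip()}


def vex_statement(cve, vulnerable_pkg, linked, product):
    """One OpenVEX statement: not_affected only when the vulnerable package is
    provably absent from the link set; otherwise keep the finding open."""
    statement = {"vulnerability": {"name": cve}, "products": [{"@id": product}]}
    if vulnerable_pkg in linked:
        statement["status"] = "under_investigation"
    else:
        statement["status"] = "not_affected"
        statement["justification"] = "vulnerable_code_not_present"
        statement["impact_statement"] = f"{vulnerable_pkg} is not compiled into the product binary"
    return statement


def build_vex_document(go_list_output, product=PRODUCT, author="example maintainer"):
    """Assemble an OpenVEX document covering every tracked advisory."""
    linked = linked_packages(go_list_output)
    statements = [vex_statement(cve, pkg, linked, product) for cve, pkg in VULNERABLE_PACKAGE.items()]
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.com/vex/kapacitor-trivy-triage",  # placeholder document id
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }


def apply_vex(findings, vex_doc, product):
    """Drop findings covered by a not_affected statement for this exact product;
    statements for other products or with any other status leave findings in place."""
    suppressed = {
        s["vulnerability"]["name"]
        for s in vex_doc["statements"]
        if s["status"] == "not_affected" and any(p["@id"] == product for p in s["products"])
    }
    return [f for f in findings if f["VulnerabilityID"] not in suppressed]


if __name__ == "__main__":
    doc = build_vex_document(SAMPLE_GO_LIST)
    print(json.dumps(doc, indent=2))
    remaining = apply_vex(TRIVY_FINDINGS, doc, PRODUCT)
    print("remaining findings:", [f["VulnerabilityID"] for f in remaining])
```

The design point is that the suppression decision is driven by evidence from the build (the package link set), not by the advisory text: if a later build starts importing promhttp, the same input produces an `under_investigation` statement and the CVE-2022-21698 finding stays visible. The generated document is the shape Trivy's VEX repository feature expects; publishing it for the real product PURL is what makes the suppression reach end users.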
