backman:1.22.0 vulnerabilities

[rhysmeister]

Hello,

I use the latest version of backman in the Swisscom iAPC. I've received a notification about the following vulnerabilities in the image. Can these be easily resolved?

CVE-2018-20839, CVE-2020-14039, CVE-2020-14040, CVE-2020-15366, CVE-2020-16845, CVE-2020-24553, CVE-2020-26160, CVE-2020-28366, CVE-2020-28367, CVE-2020-7754, CVE-2020-9794

Cheers,

R

[akovov]

Today got letter with new list of vulnerabilities backman v1.28.0
1 high (CVE-2020-28472), 6 medium (CVE-2018-20839, CVE-2020-26160, CVE-2020-28852, CVE-2020-29652, CVE-2020-9794, CVE-2021-23336)

[padyx]

I had analyzed some of them before I opened PR #47:

1. CVE-2020-28472 (high): Due to embedded component elasticdump, which depends on a vulnerable version of aws-sdk.
   However it could be a false positive, since elasticdump itself does not really use the vulnerable features (yet).
   I had raised an issue with them, but they closed it without comment: Elasticsearch-dump#783
2. CVE-2020-28852, CVE-2020-29652: Looks like "go" vulnerabilities from the mongodb-tools which still contain the old version of the golang mongodb-driver (1.4.2). But there seems to be now newer version where the driver is updated according to the changelog.
3. CVE-2020-26160: Concerns dgrijalva/jwt-go. There seems only a preview of a new version. etcd even switched to a completly different library
4. CVE-2020-9794: sqlite3. Not fixed upstream in Ubuntu yet, as it's unclear if they're even affected.
5. CVE-2021-2333: Python (3.8.5-1~20.04.2). Remediate by upgrading to newer python version.

So only the last one is "easily" fixable by building a new version and making sure that the python packages are updated.

[akovov]

list of current vulnerabilities in 1.28.0:

• 12 high: CVE-2020-28472, CVE-2021-32803, CVE-2021-32804, CVE-2021-33910, CVE-2021-3449, CVE-2021-3711, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2021-3807, CVE-2021-38297, CVE-2021-41720
• 104 medium: CVE-2018-20839, CVE-2020-14155, CVE-2020-26160, CVE-2020-28852, CVE-2020-29652, CVE-2020-9794, CVE-2021-20305, CVE-2021-2146, CVE-2021-2162, CVE-2021-2164, CVE-2021-2166, CVE-2021-2169, CVE-2021-2170, CVE-2021-2171, CVE-2021-2172, CVE-2021-2174, CVE-2021-2179, CVE-2021-2180, CVE-2021-2193, CVE-2021-2194, CVE-2021-2196, CVE-2021-2201, CVE-2021-2203, CVE-2021-2208, CVE-2021-2212, CVE-2021-2215, CVE-2021-2217, CVE-2021-2226, CVE-2021-2230, CVE-2021-2232, CVE-2021-2278, CVE-2021-22924, CVE-2021-22925, CVE-2021-2293, CVE-2021-22946, CVE-2021-22947, CVE-2021-2298, CVE-2021-2299, CVE-2021-2300, CVE-2021-2301, CVE-2021-2304, CVE-2021-2305, CVE-2021-2307, CVE-2021-2308, CVE-2021-23336, CVE-2021-23343, CVE-2021-23362, CVE-2021-2339, CVE-2021-2340, CVE-2021-2342, CVE-2021-2352, CVE-2021-2354, CVE-2021-2356, CVE-2021-2357, CVE-2021-2367, CVE-2021-2370, CVE-2021-2372, CVE-2021-2374, CVE-2021-2383, CVE-2021-2384, CVE-2021-2385, CVE-2021-2387, CVE-2021-2389, CVE-2021-2390, CVE-2021-2399, CVE-2021-2402, CVE-2021-2410, CVE-2021-2417, CVE-2021-2418, CVE-2021-2422, CVE-2021-2424, CVE-2021-2425, CVE-2021-2426, CVE-2021-2427, CVE-2021-2429, CVE-2021-2437, CVE-2021-2440, CVE-2021-2441, CVE-2021-2444, CVE-2021-27290, CVE-2021-27918, CVE-2021-29921, CVE-2021-32027, CVE-2021-32028, CVE-2021-32029, CVE-2021-32803, CVE-2021-32804, CVE-2021-33194, CVE-2021-33196, CVE-2021-33198, CVE-2021-3520, CVE-2021-3580, CVE-2021-36221, CVE-2021-36222, CVE-2021-3634, CVE-2021-3677, CVE-2021-3712, CVE-2021-3770, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2021-3778, CVE-2021-3796, CVE-2021-40528