
The latest docker tag has a critical vulnerability #32717

Closed
mansingcollis opened this issue Jan 7, 2025 · 6 comments

Comments

@mansingcollis

Hello team, we've found 1 critical vulnerability in the latest docker image tag of Datadog Agent. Do you have any plan to remediate this please?

Docker Image Tag: 7.60.1
Severity: CRITICAL
CVE: CVE-2025-21613
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.

Thanks.

@clamoriniere
Contributor

Hi @mansingcollis

Thank you for bringing this vulnerability to our attention.

We have initiated an investigation to assess the potential exposure of the Datadog Agent to this vulnerability. Based on our initial analysis, we have identified that the affected package is an indirect dependency used in our Container and Host SBOM collection feature, which is part of the Infrastructure Vulnerability product. However, our usage of the direct dependency does not involve any go-git capabilities. As such, the likelihood of exploiting this vulnerability within the context of the Datadog Agent remains minimal.

Although this vulnerability is not directly exploitable within the Agent container, we plan to release a new version addressing it as soon as possible to clear up the CVE for scanner reports. We will keep you updated on our progress and any further developments regarding this issue. If you have additional details or concerns, please don’t hesitate to reach out.

@mansingcollis
Author

@clamoriniere - Do you know how soon you will release a new version, please? Thanks.

@gbiv

gbiv commented Jan 13, 2025

We noticed a brief period of time where the agent wasn't available for linux/amd64. Did something happen here where the impacted images were deleted?

@mark-jones-rga

This is also something that we need resolved. How can one tell which go-git version is being used? I am having a hard time finding that.
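An added example, not code from this thread or from the Datadog Agent project, showing one way to answer the question above: Go binaries embed their module list, and `go version -m <binary>` prints it, so the go-git version linked into an image's binary can be read off a copy of the binary without running the container. It assumes `go` (1.18 or newer) and `docker` on the host; the image name and the path of the Go binary inside the image are assumptions supplied by the caller.

```shell
# Added example, not code from the issue thread or the Datadog Agent project.
# Reads the go-git version out of a Go binary's embedded module list and compares
# it with the fixed release named in the CVE text. Assumes `go` and `docker` on
# the host; image name and in-image binary path are caller-supplied assumptions.

GOGIT_MODULE="github.com/go-git/go-git/v5"
FIXED_VERSION="v5.13.0"   # fixed release named in the CVE-2025-21613 description

# Read `go version -m` output on stdin and print the version of $GOGIT_MODULE.
# A `=>` line directly after the dep line is a replace directive; its version wins.
gogit_version_from_modlist() {
    awk -v mod="$GOGIT_MODULE" '
        $1 == "dep" && $2 == mod { ver = $3; found = 1; next }
        found && $1 == "=>"      { ver = $3; found = 0; next }
        { found = 0 }
        END { if (ver != "") print ver }'
}

# Exit 0 when semver $1 is older than $2; a pre-release (v5.13.0-rc1) is older
# than the same release, and build metadata after "+" is ignored.
version_lt() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        pa = (a ~ /-/); pb = (b ~ /-/)
        sub(/[-+].*/, "", a); sub(/[-+].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit (pa && !pb) ? 0 : 1
    }'
}

# Print "vulnerable" or "fixed" for a go-git version string.
assess_gogit() {
    if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo fixed; fi
}

# Copy the binary out of an image with `docker create`/`docker cp` (no container
# process is started), then report the linked go-git version and its status.
# Usage: check_image_gogit <image:tag> <path-to-go-binary-inside-image>
check_image_gogit() {
    cid=$(docker create "$1") || return 1
    tmp=$(mktemp)
    docker cp "$cid:$2" "$tmp"; docker rm "$cid" >/dev/null
    ver=$(go version -m "$tmp" | gogit_version_from_modlist)
    rm -f "$tmp"
    [ -n "$ver" ] || { echo "$GOGIT_MODULE is not linked into $2"; return 2; }
    echo "$GOGIT_MODULE $ver: $(assess_gogit "$ver")"
}
```

If the binary was built without module information, `go version -m` prints no `dep` lines and the check reports the module as not linked; in that case fall back to an SBOM tool that inspects the image layers.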

@matthewcorven

Also eager to see resolution

@FlorentClarret
Member

Hi everyone! 👋

> We noticed a brief period of time where the agent wasn't available for linux/amd64. Did something happen here where the impacted images were deleted?

Correct, we had an issue with the 7 tag in our container registries. Only the windows/amd64 image was available for this tag. This was discussed in this issue.

> Do you know how soon you will release a new version, please? Thanks.

@mansingcollis @matthewcorven @mark-jones-rga: the patch for this CVE is included in the 7.61.0 release that happened last Monday. The complete patch note is available here.

I'm going to close this issue, do not hesitate to ping us if you have any questions.
