Critical vulnerability CVE-2020-14001 in Kramdown runtime dependency #92

Open
flauflauf opened this issue Jan 6, 2021 · 2 comments
flauflauf commented Jan 6, 2021

logstash-devutils has a runtime dependency on the outdated Kramdown version 1.14.0. This causes Trivy to report the critical vulnerability CVE-2020-14001 for logstash as a whole:

$ trivy --exit-code 1 --severity CRITICAL docker.elastic.co/logstash/logstash:7.9.3
2021-01-06T17:10:53.942Z        INFO    Need to update DB
2021-01-06T17:10:53.942Z        INFO    Downloading DB...
19.57 MiB / 19.57 MiB [----------------------------------------------------------------------------------------------------------------------------] 100.00% 6.69 MiB p/s 3s
2021-01-06T17:11:14.850Z        WARN    No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2021-01-06T17:11:14.850Z        WARN    e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
2021-01-06T17:11:14.850Z        INFO    Detecting RHEL/CentOS vulnerabilities...
2021-01-06T17:11:14.850Z        INFO    Detecting ruby vulnerabilities...

docker.elastic.co/logstash/logstash:7.9.3 (centos 7.8.2003)
===========================================================
Total: 0 (CRITICAL: 0)


usr/share/logstash/Gemfile.lock
===============================
Total: 1 (CRITICAL: 1)

+----------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+----------+------------------+----------+-------------------+---------------+--------------------------------+
| kramdown | CVE-2020-14001   | CRITICAL | 1.14.0            | 2.3.0         | rubygem-kramdown: processing   |
|          |                  |          |                   |               | template options inside        |
|          |                  |          |                   |               | documents allows unintended    |
|          |                  |          |                   |               | read access or embedded...     |
+----------+------------------+----------+-------------------+---------------+--------------------------------+

Trivy deduces this by reading logstash's Gemfile.lock file, which contains the following:

    logstash-devutils (1.3.6-java)
      fivemat
      gem_publisher
      insist (= 1.0.0)
      kramdown (= 1.14.0)
      logstash-core-plugin-api (>= 2.0, <= 2.99)
      minitar
      rake
      rspec (~> 3.0)
      rspec-wait
      stud (>= 0.0.20)

An update of kramdown to version 2.3.0 would fix the issue.

Teja307 commented Oct 17, 2022

Any update on this issue? By keeping kramdown at a hardcoded version, the latest versions of logstash-devutils (logstash-devutils 2.4.0 as of now) still contain the critical vulnerability for kramdown. We cannot upgrade the kramdown package separately using the Gemfile, as it throws incompatibility errors:

Bundler could not find compatible versions for gem "kramdown":
#10 34.59   In Gemfile:
#10 34.59     kramdown (~> 2.4.0)
#10 34.59 
#10 34.59 logstash-devutils (~> 2.4.0.pre.java) was resolved to 2.4.0, which depends
#10 34.59 on
#10 34.59       kramdown (= 1.14.0)

Can someone please take a look at this and update the kramdown dependency version in upcoming releases of logstash-devutils? This will help in running the latest version of the utils without any vulnerabilities.
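To make both findings in this thread reproducible offline (Trivy flagging kramdown 1.14.0 from Gemfile.lock, and Bundler refusing the upgrade because logstash-devutils pins `kramdown (= 1.14.0)`), here is a small lockfile audit in Ruby. It is an added example, not code from logstash-devutils, Trivy or Bundler; the lockfile excerpt and the advisory table are constructed from the values quoted above, and the function names `parse_lockfile` and `audit` are the example's own.

```ruby
# Constructed Gemfile.lock excerpt mirroring the entries quoted in the issue.
LOCKFILE = <<~LOCK
  GEM
    specs:
      kramdown (1.14.0)
      logstash-devutils (1.3.6-java)
        kramdown (= 1.14.0)
        rspec (~> 3.0)
      rspec (3.10.0)

  PLATFORMS
    java
LOCK

# Advisory data as Trivy reported it: gem name => id and fixed version.
ADVISORIES = { "kramdown" => { "id" => "CVE-2020-14001", "fixed" => "2.3.0" } }

# Parse the GEM/specs section into { resolved: {gem => version},
# pins: {dependent => {gem => requirement}} }. Platform suffixes are dropped.
def parse_lockfile(text)
  resolved, pins, parent, in_specs = {}, Hash.new { |h, k| h[k] = {} }, nil, false
  text.each_line do |line|
    in_specs = true if line =~ /^\s+specs:/
    in_specs = false if line =~ /^\S/ # next top-level section (PLATFORMS, ...)
    next unless in_specs
    case line
    when /^    (\S+) \((\S+?)(?:-\S+)?\)$/ then resolved[parent = $1] = $2
    when /^      (\S+)(?: \((.+)\))?$/ then pins[parent][$1] = $2 || ">= 0"
    end
  end
  { resolved: resolved, pins: pins }
end

# Flag resolved gems below the fixed version and name every dependent whose
# requirement excludes that fix (an exact "= 1.14.0" pin blocks the upgrade).
def audit(lock, advisories = ADVISORIES)
  lock[:resolved].each_with_object([]) do |(name, version), findings|
    adv = advisories[name]
    next if adv.nil? || Gem::Version.new(version) >= Gem::Version.new(adv["fixed"])
    fixed = Gem::Version.new(adv["fixed"])
    blockers = lock[:pins].each_with_object([]) do |(dependent, deps), acc|
      req = deps[name] # multi-clause requirements (">= 2.0, <= 2.99") are split
      next if req.nil? || Gem::Requirement.new(req.split(", ")).satisfied_by?(fixed)
      acc << "#{dependent} (#{req})"
    end
    findings << { gem: name, installed: version, id: adv["id"], fixed: adv["fixed"], pinned_by: blockers }
  end
end

audit(parse_lockfile(LOCKFILE)).each { |f| puts "#{f[:gem]} #{f[:installed]} (#{f[:id]}, fixed #{f[:fixed]}) pinned by #{f[:pinned_by].join(', ')}" }
```

Running it against a real `usr/share/logstash/Gemfile.lock` only needs `LOCKFILE` replaced by `File.read(path)`; the `pinned_by` list is what tells you a plain `kramdown` bump in your own Gemfile will not resolve until the dependent relaxes its pin.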

duerra commented Sep 18, 2023

We are still encountering this CRITICAL-rated CVE. Can the logstash team please advise or post a bulletin if logstash is not affected?
