CVE-2023-2454

[yasinmoha]

Any update on CVE mentioned below on version 2.1.2

Library : libpq5
Vulnerability: CVE-2023-2454
Severity: High
Installed Version: Installed Version
Fixed Version: 13.11-0+deb11u1
Title: schema_element defeats protective search_path changes https://avd.aquasec.com/nvd/cve-2023-2454

[patrick-stephens]

Looking at the 2.1.3 image which was released yesterday, Trivy (used because you're linking to Aqua's CVE report there) does not show the CVE. The image actually installs the version it is fixed in so you should step up to 2.1.3.

Using Grype shows the 2.1.2 image has this CVE with an unknown severity but it is fixed in 2.1.3 because we include the updated version:

$ docker run --rm \
--volume /var/run/docker.sock:/var/run/docker.sock \
--name Grype anchore/grype:latest fluent/fluent-bit:2.1.3
NAME              INSTALLED              FIXED-IN     TYPE  VULNERABILITY     SEVERITY   
...
libpq5            13.11-0+deb11u1        (won't fix)  deb   CVE-2022-41862    Low         
...
$ docker run --rm --volume /var/run/docker.sock:/var/run/docker.sock --name Grype anchore/grype:latest fluent/fluent-bit:2.1.2
NAME              INSTALLED              FIXED-IN         TYPE  VULNERABILITY     SEVERITY   
...
libpq5            13.9-0+deb11u1         (won't fix)      deb   CVE-2022-41862    Low         
libpq5            13.9-0+deb11u1         13.11-0+deb11u1  deb   CVE-2023-2454     Unknown     
libpq5            13.9-0+deb11u1         13.11-0+deb11u1  deb   CVE-2023-2455     Unknown     
...

OSS does not rebuild or backport CVEs for existing releases so you have to upgrade to a release with it resolved in or contact an Enterprise supplier: https://fluentbit.io/enterprise/

Can you confirm the actual target you are using here, i.e. container, OS, etc.? If it is for an EOL OS then it is unlikely to have a fix in the upstream repository as well unless the vendor or provider of that distribution adds it. System dependencies like this come from the distribution you are installing for so must be fixed there. Also ensure your installation is pulling the latest version of these dependencies and has not pinned or otherwise restricted the version.

The link you've shared shows this is not a publicly disclosed vulnerability and there are no fixes for it yet in the upstream which I think is wrong - the better link is probably https://www.postgresql.org/support/security/CVE-2023-2454/

That shows Postgresql released a fix on the 11th of May which is after the 2.1.2 date so it would be impossible to include in 2.1.2. The statement seems to be:

This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users.

Now, that means it can be mitigated via your own protection and database best practices on access controls.

[yasinmoha]

I ran the trivy scan on the image 2.1.3 and its come with 0 findings now for critical and high so we are good.