Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[BUG] Dependency vulnerabilities

See original GitHub issue

APM Agent version

Higher than 1.9.0

Environment

.NET 5 :

Describe the bug

In our company we make use of a tool called DotNetRetire (https://github.com/RetireNet/dotnet-retire) in our CI pipeline.

Since version 1.9.0 of the Elastic.Apm.NetCoreAll we have not been able to upgrade the dependency packges because of the following security issues:

PS.: I have sended an email about this to security@elastic.co a while back, but got no response. 😞

fail: RetireNet.Packages.Tool.Services.RetireLogger[0]
111      Found use of 3 vulnerable libs in 5 dependency paths.
112     
113      * Microsoft Security Advisory CVE-2018-8416: .NET Core Tampering Vulnerability in System.IO.Compression.ZipFile/4.0.1
114      https://github.com/dotnet/announcements/issues/95
115     
116          Elastic.Apm.NetCoreAll/1.11.0
117          ╚ Elastic.Apm.MongoDb/1.11.0
118           ╚ MongoDB.Driver.Core/2.4.4
119            ╚ MongoDB.Bson/2.4.4
120             ╚ NETStandard.Library/1.6.0
121              ╚ System.IO.Compression.ZipFile/4.0.1
122     
123          Elastic.Apm.NetCoreAll/1.11.0
124          ╚ Elastic.Apm.MongoDb/1.11.0
125           ╚ MongoDB.Driver.Core/2.4.4
126            ╚ NETStandard.Library/1.6.0
127             ╚ System.IO.Compression.ZipFile/4.0.1
128     
129      * Microsoft Security Advisory CVE-2018-8292: .NET Core Information Disclosure Vulnerability in System.Net.Http/4.1.0
130      https://github.com/dotnet/announcements/issues/88
131     
132          Elastic.Apm.NetCoreAll/1.11.0
133          ╚ Elastic.Apm.MongoDb/1.11.0
134           ╚ MongoDB.Driver.Core/2.4.4
135            ╚ MongoDB.Bson/2.4.4
136             ╚ NETStandard.Library/1.6.0
137              ╚ System.Net.Http/4.1.0
138     
139          Elastic.Apm.NetCoreAll/1.11.0
140          ╚ Elastic.Apm.MongoDb/1.11.0
141           ╚ MongoDB.Driver.Core/2.4.4
142            ╚ NETStandard.Library/1.6.0
143             ╚ System.Net.Http/4.1.0
144     
145      * Microsoft Security Advisory 4021279: Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege in System.Net.Security/4.0.0
146      https://github.com/dotnet/corefx/issues/19535
147     
148          Elastic.Apm.NetCoreAll/1.11.0
149          ╚ Elastic.Apm.MongoDb/1.11.0
150           ╚ MongoDB.Driver.Core/2.4.4
151            ╚ System.Net.Security/4.0.0

To Reproduce

Runing the C.I. with the use of the DotNetRetire

Issue Analytics

State:
Created 2 years ago
Comments:6 (5 by maintainers)

Top GitHub Comments

1reaction

gregkalaposcommented, Sep 27, 2021

@matheus-inacio thanks for reporting.

As an immediate workaround: I see it’s caused by the MondoDb driver - have you considered referencing the Elastic.Apm package and other packages you need manually, leaving out MondoDb? Or is this not an option? It’s not a lot of work - you’ll need to manually reference packages and during initialization you’ll need to enable what you use, leaving out MondoDb. Some docs on this here.

This above is just a quick idea as a workaround - we’ll look int the specific issue as well.

0reactions

gregkalaposcommented, Sep 29, 2022

Short summary:

In the agent we always target the lowest possible version of a given library, but that does not mean that specific version must be loaded at runtime. Typically, user code can depend on a newer version and the agent will be happy with it, it won’t force the older version (the specific one the agent depends on) to be loaded.

So I feel these reports are false positive and the solution is to just update the application to a newer version (in this case MongoDb) and then the version with the vulnerability won’t get loaded.

At the same time with this approach the agent can target the oldest possible version and maximize the list of supported versions.