Upgrade kardianos service due to CVE-2022-29583
Summary
When scanning the GitLab Runner image, CVE-2022-29583 shows up as a high-severity vulnerability.
This came up in a Zendesk ticket (internal only).
The customer is scanning the GitLab Runner image with Azure Defender.
The same finding also appears when scanning the image with Grype.
The CVE appears to have been disputed upstream (see the maintainer comments linked below), but it still shows up in scans:
- https://github.com/advisories/GHSA-xm99-6pv5-q363
- https://github.com/kardianos/service/issues/289#issuecomment-1110546798
- https://github.com/kardianos/service/pull/290#issuecomment-1110547769
CVE-2022-29583
- https://github.com/kardianos/service/pull/290
- https://nvd.nist.gov/vuln/detail/CVE-2022-29583
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29583
Similar kardianos service upgrade issue: #27757 (closed)
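The quoting defect NVD describes for this CVE is the unquoted service path class: if the Service Control Manager stores a binary path such as C:\Program Files\GitLab Runner\gitlab-runner.exe without quotes, CreateProcess tries C:\Program.exe and C:\Program Files\GitLab.exe before the intended executable, so a user who can write to one of those locations runs code as the service account. The following Go program is an added example, not code from kardianos/service or GitLab Runner: it builds a service binary path with and without quoting, lists the lookup order Windows applies to an unquoted path, and includes the check an audit runs over every service's ImagePath. The paths are constructed samples, and quoteArg re-implements the CommandLineToArgv quoting rule (the rule syscall.EscapeArg implements on Windows) so the program also runs on Linux.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample service paths for this example (not taken from a real install).
const (
	runnerExe   = `C:\Program Files\GitLab Runner\gitlab-runner.exe`
	svchostPath = `C:\Windows\System32\svchost.exe -k netsvcs`
)

// quoteArg applies the CommandLineToArgv quoting rule (the rule syscall.EscapeArg
// implements on Windows; re-implemented here so the example runs anywhere): an
// argument containing whitespace or a quote is wrapped in double quotes, and
// backslashes that precede an embedded or the closing quote are doubled.
func quoteArg(s string) string {
	if s == "" {
		return `""`
	}
	if !strings.ContainsAny(s, " \t\"") {
		return s
	}
	var b strings.Builder
	b.WriteByte('"')
	slashes := 0
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\':
			slashes++
		case '"':
			b.WriteString(strings.Repeat(`\`, 2*slashes+1))
			b.WriteByte('"')
			slashes = 0
		default:
			b.WriteString(strings.Repeat(`\`, slashes))
			b.WriteByte(c)
			slashes = 0
		}
	}
	b.WriteString(strings.Repeat(`\`, 2*slashes))
	b.WriteByte('"')
	return b.String()
}

// buildBinPath assembles the BinaryPathName the Service Control Manager stores for a
// service. quote=false reproduces the unquoted-path defect class behind CVE-2022-29583;
// quote=true is the hardened form.
func buildBinPath(exe string, args []string, quote bool) string {
	parts := append([]string{exe}, args...)
	if quote {
		for i, p := range parts {
			parts[i] = quoteArg(p)
		}
	}
	return strings.Join(parts, " ")
}

// hasExt reports whether the last path segment (split on backslashes) contains a dot.
func hasExt(p string) bool {
	if i := strings.LastIndex(p, `\`); i >= 0 {
		p = p[i+1:]
	}
	return strings.Contains(p, ".")
}

// lookupOrder lists the files CreateProcess tries, in order, when given a command line
// with no separate application name: a quoted path is used as-is, while an unquoted
// path is cut at every space and each prefix is tried first, with .exe appended when
// the prefix has no extension. A writable C:\Program.exe therefore wins.
func lookupOrder(binPath string) []string {
	if strings.HasPrefix(binPath, `"`) {
		if end := strings.Index(binPath[1:], `"`); end >= 0 {
			return []string{binPath[1 : end+1]}
		}
	}
	var out []string
	for i := 0; i <= len(binPath); i++ {
		if i == len(binPath) || binPath[i] == ' ' {
			cand := binPath[:i]
			if !hasExt(cand) {
				cand += ".exe"
			}
			out = append(out, cand)
		}
	}
	return out
}

// isUnquotedServicePath is the check an audit runs over each service's ImagePath:
// flag a path that is not quoted and whose executable part contains a space.
func isUnquotedServicePath(binPath string) bool {
	if strings.HasPrefix(binPath, `"`) {
		return false
	}
	exe := binPath
	if i := strings.Index(strings.ToLower(binPath), ".exe"); i >= 0 {
		exe = binPath[:i+4]
	}
	return strings.Contains(exe, " ")
}

func main() {
	args := []string{"run", "--working-directory", `C:\GitLab-Runner`}
	for _, quote := range []bool{false, true} {
		bp := buildBinPath(runnerExe, args, quote)
		fmt.Printf("quoted=%v  %s\n  unquoted-path finding: %v\n  lookup order: %q\n",
			quote, bp, isUnquotedServicePath(bp), lookupOrder(bp))
	}
	fmt.Println("svchost flagged:", isUnquotedServicePath(svchostPath))
}
```

On a real host the same check runs over the ImagePath value of each key under HKLM\SYSTEM\CurrentControlSet\Services; the Go program above only models the SCM's behaviour and does not touch the registry.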
Steps to reproduce
grype gitlab/gitlab-runner --scope all-layers -o json > runner-grype.json
grep 29583 runner-grype.json || echo -e "\nCVE-2022-29583 NOT PRESENT\n"
Actual behavior
Customers scanning the GitLab Runner image get CVE-2022-29583 (GHSA-xm99-6pv5-q363) reported against the github.com/kardianos/service package.
Expected behavior
The finding should disappear after upgrading to kardianos service v1.2.2, i.e. with this go.mod line: require github.com/kardianos/service v1.2.2. Note that the GHSA record in the Grype output below lists no fixed version ("state": "not-fixed"), so whether scanners stop flagging the package after the upgrade also depends on the advisory database they use, not only on the version bump.
Relevant logs and/or screenshots
Grype results
{
"vulnerability": {
"id": "GHSA-xm99-6pv5-q363",
"dataSource": "https://github.com/advisories/GHSA-xm99-6pv5-q363",
"namespace": "github:language:go",
"severity": "High",
"urls": [
"https://github.com/advisories/GHSA-xm99-6pv5-q363"
],
"description": "OS Command injection in github.com/kardianos/service",
"cvss": [],
"fix": {
"versions": [],
"state": "not-fixed"
},
"advisories": []
},
"relatedVulnerabilities": [
{
"id": "CVE-2022-29583",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-29583",
"namespace": "nvd:cpe",
"severity": "High",
"urls": [
"https://github.com/kardianos/service/pull/290"
],
"description": "service_windows.go in the kardianos service package for Go omits quoting that is sometimes needed for execution of a Windows service executable from the intended directory.",
"cvss": [
{
"version": "2.0",
"vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"metrics": {
"baseScore": 4.6,
"exploitabilityScore": 3.9,
"impactScore": 6.4
},
"vendorMetadata": {}
},
{
"version": "3.1",
"vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"metrics": {
"baseScore": 7.8,
"exploitabilityScore": 1.8,
"impactScore": 5.9
},
"vendorMetadata": {}
}
]
}
Environment description
config.toml contents
Used GitLab Runner version
# gitlab-runner version
Runtime platform arch=amd64 os=linux pid=9 revision=d540b510 version=15.9.1
Possible fixes
Upgrade the github.com/kardianos/service dependency to v1.2.2 or later.
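To confirm the upgrade from Expected behavior and Possible fixes actually landed in a build, check the dependency version in either go.mod or the build info `go version -m gitlab-runner` prints from the binary (the embedded build info is also what scanners use for Go binaries). The Go program below is an added example, not part of GitLab Runner or Grype: the go.mod and build-info inputs are constructed samples, the version comparison is a deliberately small semver subset that treats a pseudo-version such as v1.2.2-0.2022... as older than the tag v1.2.2, and replace directives are not resolved.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const (
	kardianosModule = "github.com/kardianos/service"
	fixedVersion    = "v1.2.2"
)

// Constructed samples (not real GitLab Runner files): a go.mod require block and an
// excerpt of what `go version -m gitlab-runner` prints from the binary's build info.
const sampleGoMod = `module gitlab.com/gitlab-org/gitlab-runner

go 1.19

require (
	github.com/kardianos/service v1.2.1
	golang.org/x/sys v0.5.0
)
`

const sampleBuildInfo = `gitlab-runner: go1.19.5
	path	gitlab.com/gitlab-org/gitlab-runner
	mod	gitlab.com/gitlab-org/gitlab-runner	(devel)
	dep	github.com/kardianos/service	v1.2.2	h1:constructedhash=
	dep	golang.org/x/sys	v0.5.0	h1:constructedhash=
`

// moduleVersion returns the version token that follows the module path on any line,
// which covers both go.mod "require" lines and the tab-separated "dep" lines of
// `go version -m`. Replace directives are deliberately not resolved here.
func moduleVersion(text, module string) (string, bool) {
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		for i := 0; i+1 < len(f); i++ {
			if f[i] == module && strings.HasPrefix(f[i+1], "v") {
				return f[i+1], true
			}
		}
	}
	return "", false
}

// parseVersion splits vMAJOR.MINOR.PATCH[-pre][+build] into its numeric parts and
// reports whether a pre-release or pseudo-version suffix ("-...") is present.
func parseVersion(v string) (nums [3]int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre = v[i] == '-'
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, pre, fmt.Errorf("not a semver version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, pre, err
		}
		nums[i] = n
	}
	return nums, pre, nil
}

// versionAtLeast reports whether have >= want under the semver subset above.
func versionAtLeast(have, want string) (bool, error) {
	h, hpre, err := parseVersion(have)
	if err != nil {
		return false, err
	}
	w, wpre, err := parseVersion(want)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	// Same numeric release: a pre-release or pseudo-version is lower than the tag.
	return !hpre || wpre, nil
}

// kardianosFixed reports whether the listing pins kardianos/service at the fixed version.
func kardianosFixed(listing string) (bool, error) {
	v, ok := moduleVersion(listing, kardianosModule)
	if !ok {
		return false, fmt.Errorf("%s not found in listing", kardianosModule)
	}
	return versionAtLeast(v, fixedVersion)
}

func main() {
	for name, listing := range map[string]string{"go.mod": sampleGoMod, "go version -m": sampleBuildInfo} {
		fixed, err := kardianosFixed(listing)
		fmt.Printf("%-14s fixed=%v err=%v\n", name, fixed, err)
	}
}
```

Pipe the real output in with `go version -m /usr/bin/gitlab-runner` from inside the image to check a shipped binary rather than the source tree; a (devel) module line or a replace directive in go.mod needs a manual look, since the program only matches explicit version tokens.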
Edited by Christopher Mutua