Running with gitlab-runner 13.8.0 (775dd39d)
  on dsop-shared-gitlab-runner-f887cbcbd-srgz6 E82_g8RG
section_start:1629732726:resolve_secrets
Resolving secrets
section_end:1629732726:resolve_secrets
section_start:1629732726:prepare_executor
Preparing the "kubernetes" executor
"ServiceAccount" overwritten with "vat"
Using Kubernetes namespace: gitlab-runner-ironbank-dsop
WARNING: Pulling GitLab Runner helper image from Docker Hub. Helper image is migrating to registry.gitlab.com, for more information see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#migrating-helper-image-to-registrygitlabcom
Using Kubernetes executor with image registry1.dso.mil/ironbank/ironbank-pipelines/pipeline-runner:0.3 ...
section_end:1629732726:prepare_executor
section_start:1629732726:prepare_script
Preparing environment
Waiting for pod gitlab-runner-ironbank-dsop/runner-e82g8rg-project-7112-concurrent-0kq9pd to be running, status is Pending
Waiting for pod gitlab-runner-ironbank-dsop/runner-e82g8rg-project-7112-concurrent-0kq9pd to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Running on runner-e82g8rg-project-7112-concurrent-0kq9pd via dsop-shared-gitlab-runner-f887cbcbd-srgz6...
section_end:1629732733:prepare_script
section_start:1629732733:get_sources
Getting source from Git repository
$ until [ $(curl --fail --silent --output /dev/stderr --write-out "%{http_code}" localhost:15020/healthz/ready) -eq 200 ]; do echo Waiting for Sidecar; sleep 3 ; done ; echo Sidecar available;
Sidecar available
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/dsop/splunk/splunk/splunk/.git/
Created fresh repository.
Checking out 34d1ece1 as development...
Skipping object checkout, Git LFS is not installed.
Skipping Git submodules setup
section_end:1629732733:get_sources
section_start:1629732733:download_artifacts
Downloading artifacts
Downloading artifacts for anchore-scan (5880360)...
Downloading artifacts from coordinator... ok  id=5880360 responseStatus=200 OK token=EZy8Nrx1
WARNING: ci-artifacts/scan-results/anchore/: lchown ci-artifacts/scan-results/anchore/: operation not permitted (suppressing repeats)
Downloading artifacts for build (5880358)...
Downloading artifacts from coordinator... ok  id=5880358 responseStatus=200 OK token=bypc46en
WARNING: ci-artifacts/build/: lchown ci-artifacts/build/: operation not permitted (suppressing repeats)
Downloading artifacts for hardening-manifest (5880354)...
Downloading artifacts from coordinator... ok  id=5880354 responseStatus=200 OK token=UYyc8pcY
WARNING: ci-artifacts/preflight/: lchown ci-artifacts/preflight/: operation not permitted (suppressing repeats)
Downloading artifacts for load-scripts (5881209)...
Downloading artifacts from coordinator... ok  id=5881209 responseStatus=200 OK token=WHFb7mJX
WARNING: ci-artifacts/[MASKED]/: lchown ci-artifacts/[MASKED]/: operation not permitted (suppressing repeats)
Downloading artifacts for openscap-compliance (5880361)...
Downloading artifacts from coordinator... ok  id=5880361 responseStatus=200 OK token=TQEwK6dL
WARNING: ci-artifacts/scan-results/openscap/: lchown ci-artifacts/scan-results/openscap/: operation not permitted (suppressing repeats)
Downloading artifacts for twistlock-scan (5880362)...
Downloading artifacts from coordinator... ok  id=5880362 responseStatus=200 OK token=FyaLNUdf
WARNING: ci-artifacts/scan-results/twistlock/: lchown ci-artifacts/scan-results/twistlock/: operation not permitted (suppressing repeats)
Downloading artifacts for wl-compare-lint (5880355)...
Downloading artifacts from coordinator...
ok  id=5880355 responseStatus=200 OK token=HSb8jnce
WARNING: ci-artifacts/lint/: lchown ci-artifacts/lint/: operation not permitted (suppressing repeats)
section_end:1629732734:download_artifacts
section_start:1629732734:step_script
Executing "step_script" stage of the job script
$ "${PIPELINE_REPO_DIR}/stages/vat/vat-run-api.sh"
INFO: Log level set to info
INFO: Gathering list of all justifications...
INFO: Vulnerability description does not exist
INFO: Vulnerability description does not exist
INFO: Vulnerability description does not exist
INFO: Vulnerability description does not exist
INFO: Vulnerability description does not exist
INFO: Vulnerability description does not exist
INFO: API Response: {"imageName":"splunk/splunk/splunk","imageTag":"8.2.2","accreditation":"Onboarding","containerState":"Under Review","findings":[{"identifier":"06bd5f4c86fdb79c86ccdf94101fb25a","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk/lib/python3.7/site-packages/future/backports/test/keycert2.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. 
","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"0d87b25bc2bd4692dfea771d88f20876","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk-etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/future/backports/test/keycert.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"320a97c6816565eedf3545833df99dd0","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/su. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"Necessary for system functions and calls to work properly","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"3456a263793066e9b5063ada6e47917d","source":"anchore_comp","description":"SUID or SGID found set on file /usr/libexec/dbus-1/dbus-daemon-launch-helper. 
Mode: 0o104750\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"Necessary for system functions and calls to work properly","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"34de21e516c0ca50a96e5386f163f8bf","source":"anchore_comp","description":"SUID or SGID found set on file /usr/sbin/unix_chkpwd. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"Necessary for system functions and calls to work properly","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"36f0e3e83c35dd4fc366e671de9ee838","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk-etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/future/backports/test/badkey.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. 
","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"38c6e5b8b0b9545316de6b3171393d25","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk/lib/python2.7/site-packages/future/backports/test/badkey.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"3e5fad1c039f3ecfd1dcdc94d2f1f9a0","source":"anchore_comp","description":"SUID or SGID found set on file /usr/libexec/utempter/utempter. Mode: 0o102711\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"Necessary for system functions and calls to work properly","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"499f2b3f583dc1d245c309358dea584e","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk/lib/python2.7/site-packages/future/backports/test/keycert.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. 
Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"4c5f4e23c7b437d292df7847c13ea77c","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk/lib/python2.7/site-packages/future/backports/test/badcert.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"5424caa5b4306bdf500db079ae412547","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk/lib/python2.7/site-packages/future/backports/test/keycert.passwd.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"698044205a9c4a6d48b7937e66a6bf4f","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/mount. 
Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"Necessary for system functions and calls to work properly","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"72a8175d662e924cceb93d51b48d33a6","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/ping. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"Necessary for system functions and calls to work properly","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"73b778d0cfbc9f69d528fdb8271719f0","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk-etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/future/backports/test/badkey.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. 
","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"7587e594904e5df3f149c46296e14e5e","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk-etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/future/backports/test/keycert.passwd.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"7d73f54ebb8dae36857e819d1367fa5e","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk/lib/python3.7/site-packages/future/backports/test/ssl_key.passwd.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. 
","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"820d9a9ffba7a854ab270255811ab417","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk/lib/python2.7/site-packages/future/backports/test/ssl_key.passwd.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"821dd6ce983fa10cf015a642f4aa158c","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk-etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/future/backports/test/keycert2.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. 
","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"87980386b6778ca764087564216a0ceb","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk-etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/future/backports/test/badcert.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"921880d2624d6cc6239878e814369964","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk/lib/python3.7/site-packages/future/backports/test/keycert.passwd.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"953dfbea1b1e9d5829fbed2e390bd3af","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/sudo. 
Mode: 0o104111\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"Necessary for system functions and calls to work properly","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"972b43fd60eac7354126c164b801ac96","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk-etc/auth/ca.pem.default regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"a3089da3913677491df52d6f7b92f61d","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk-etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/future/backports/test/keycert.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. 
","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"a4a4026cc9f81fd08f547af28c3df13a","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk-etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/future/backports/test/keycert.passwd.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"aaf2f6e9b8118d1262d01e24ccc3d859","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/usr/lib/python3.7/site-packages/ansible_collections/infinidat/infinibox/Makefile regexp=API_KEY=(?i).*api(-|_)key( *=+ *).*(?sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-23840","source":"anchore_cve","description":"Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. 
In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","package":"openssl-libs-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-02T13:10:15.000Z","justification":"Vendor patched in version 1.1.1j on 2/16/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-02T13:15:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-02T13:30:40.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-23841","source":"anchore_cve","description":"The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. 
The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","package":"openssl-libs-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-02T13:10:16.000Z","justification":"Vendor patched in version 1.1.1j on 2/16/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-02T13:15:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-02T13:30:40.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-25214","source":"anchore_cve","description":"In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred 
secondary zone is refreshed.","package":"bind-libs-9.11.26-4.el8_4","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"There is currently no fix for this vulnerability. Package is required for proper compiling of Splunk components and binaries. When a fix becomes available, we will review integrating the fix into a future release","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"CVE-2021-25214","source":"anchore_cve","description":"In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.","package":"bind-libs-lite-9.11.26-4.el8_4","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"There is currently no fix for this vulnerability. Package is required for proper compiling of Splunk components and binaries. 
When a fix becomes available, we will review integrating the fix into a future release","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"CVE-2021-25214","source":"anchore_cve","description":"In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.","package":"bind-license-9.11.26-4.el8_4","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"There is currently no fix for this vulnerability. Package is required for proper compiling of Splunk components and binaries. When a fix becomes available, we will review integrating the fix into a future release","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"CVE-2021-25214","source":"anchore_cve","description":"In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.","package":"bind-utils-9.11.26-4.el8_4","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"There is currently no fix for this vulnerability. Package is required for proper compiling of Splunk components and binaries. 
When a fix becomes available, we will review integrating the fix into a future release","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"CVE-2021-25214","source":"anchore_cve","description":"In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.","package":"python3-bind-9.11.26-4.el8_4","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"There is currently no fix for this vulnerability. Package is required for proper compiling of Splunk components and binaries. When a fix becomes available, we will review integrating the fix into a future release","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. 
This is related to netgroupcache.c.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T17:33:40.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-20T17:39:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T17:41:44.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. 
This is related to netgroupcache.c.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T17:33:40.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-20T17:39:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T17:41:44.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.","package":"glibc-headers-2.28-151.el8","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"There is currently no fix for this vulnerability. Package is required for proper compiling of Splunk components and binaries. When a fix becomes available, we will review integrating the fix into a future release","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. 
This is related to netgroupcache.c.","package":"glibc-langpack-en-2.28-151.el8","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"There is currently no fix for this vulnerability. Package is required for proper compiling of Splunk components and binaries. When a fix becomes available, we will review integrating the fix into a future release","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T17:33:40.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-20T17:39:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T17:41:44.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-28153","source":"anchore_cve","description":"An issue was discovered in GNOME GLib before 2.66.8. 
When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)","package":"glib2-2.56.4-10.el8_4.1","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-11T21:21:04.000Z","justification":"Upstream patched in version 2.67.6 on 3/10/21. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-11T21:36:28.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-11T21:45:48.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-28153","source":"twistlock_cve","description":"An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)","package":"glib2-2.56.4-10.el8_4.1","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-11T21:21:04.000Z","justification":"Upstream patched in version 2.67.6 on 3/10/21. 
RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-11T21:36:28.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-11T21:45:48.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-28950","source":"anchore_cve","description":"An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A \"stall on CPU\" can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-28957","source":"twistlock_cve","description":"An XSS vulnerability was discovered in python-lxml\\'s clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. 
This issue is patched in lxml 4.6.3.","package":"lxml-4.4.0","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-08-03T19:56:08.000Z","justification":"We plan to upgrade in either version 8.2.2 or 8.2.3","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"CVE-2021-28971","source":"anchore_cve","description":"In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-28972","source":"anchore_cve","description":"In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\\0' termination, aka CID-cc7a0bb058b8.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-29154","source":"anchore_cve","description":"BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-29155","source":"anchore_cve","description":"An issue was discovered in the Linux kernel through 5.11.x. 
kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-29646","source":"anchore_cve","description":"An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does not properly validate certain data sizes, aka CID-0217ed2848e8.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-29650","source":"anchore_cve","description":"An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-30002","source":"anchore_cve","description":"An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-31440","source":"anchore_cve","description":"This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. 
The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3178","source":"anchore_cve","description":"** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-31829","source":"anchore_cve","description":"kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-31916","source":"anchore_cve","description":"An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. 
The highest threat from this vulnerability is to system availability.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3200","source":"anchore_cve","description":"Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service","package":"libsolv-0.7.16-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T21:33:08.000Z","justification":"True Positive. Published 2020-12-20. No patch available in UBI.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-02T21:33:22.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T21:34:15.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3200","source":"twistlock_cve","description":"Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read","package":"libsolv-0.7.16-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T21:33:08.000Z","justification":"Reported on 02/18/2021. Upstream patch on 02/24/2021. 
RH has not patched.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-02T21:33:22.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T21:34:15.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33033","source":"anchore_cve","description":"The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-33200","source":"anchore_cve","description":"kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. 
In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3348","source":"anchore_cve","description":"nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-33503","source":"twistlock_cve","description":"An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.","package":"urllib3-1.25.9","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-08-04T14:44:03.000Z","justification":"The version of urllib3 included in the Python3 versions shipped by Splunk includes the patch for the issue.","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"CVE-2021-33560","source":"anchore_cve","description":"Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) 
This, for example, affects use of ElGamal in OpenPGP.","package":"libgcrypt-1.8.5-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-16T14:30:56.000Z","justification":"Upstream patched on 5/26/21 in version 1.8.8. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-16T14:31:13.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-16T14:32:29.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33560","source":"twistlock_cve","description":"Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.","package":"libgcrypt-1.8.5-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-14T13:43:59.000Z","justification":"Upstream patched on 5/26/21 in version 1.8.8. 
RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-14T13:44:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-14T13:45:02.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:13:06.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:13:27.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:59.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"twistlock_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. 
It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T21:33:08.000Z","justification":"Reported on 02/18/2021. Upstream patch on 02/24/2021. RH has not patched.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-02T21:33:22.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T21:34:15.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. 
It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:13:06.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:13:27.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:59.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-headers-2.28-151.el8","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"There is currently no fix for this vulnerability. Package is required for proper compiling of Splunk components and binaries. When a fix becomes available, we will review integrating the fix into a future release","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. 
It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-langpack-en-2.28-151.el8","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"There is currently no fix for this vulnerability. Package is required for proper compiling of Splunk components and binaries. When a fix becomes available, we will review integrating the fix into a future release","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:13:06.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:13:27.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:59.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33624","source":"anchore_cve","description":"In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., 
because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-01T21:41:30.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-02T14:13:30.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T14:14:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"twistlock_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. 
This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-01T21:41:30.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-02T14:13:30.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T14:14:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-01T21:41:30.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. 
RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-02T14:13:30.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T14:14:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3426","source":"anchore_cve","description":"There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.","package":"platform-python-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T17:33:40.000Z","justification":"No upstream fix is available.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-20T17:39:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T17:41:44.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3426","source":"anchore_cve","description":"There's a flaw in Python 3's pydoc. 
A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.","package":"python3-libs-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T17:33:40.000Z","justification":"No upstream fix is available.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-20T17:39:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T17:41:44.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3428","source":"anchore_cve","description":"none","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3444","source":"anchore_cve","description":"The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. 
This issue was addressed in the upstream kernel in commit 9b00f1b78809 (\"bpf: Fix truncation handling for mod32 dst reg wrt zero\") and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3445","source":"anchore_cve","description":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"libdnf-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T17:33:41.000Z","justification":"Reported 2/23/2021. Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-20T17:39:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T17:41:44.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"twistlock_cve","description":"A flaw was found in libdnf\\'s signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. 
The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"libdnf-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T17:39:10.000Z","justification":"Reported 2/23/2021. Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-20T17:39:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T17:41:44.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-34556","source":"anchore_cve","description":"In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-34693","source":"anchore_cve","description":"net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3489","source":"anchore_cve","description":"The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. 
This issue was fixed via commit 4b81ccebaeee (\"bpf, ringbuf: Deny reserve of buffers larger than ringbuf\") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (\"bpf: Implement BPF ring buffer and verifier support for it\") (v5.8-rc1).","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3490","source":"anchore_cve","description":"The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e (\"bpf: Fix alu32 const subreg bound tracking on bitwise operations\") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 (\"bpf:Fix a verifier failure with xor\") ( 5.10-rc1).","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3542","source":"anchore_cve","description":"none","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-35477","source":"anchore_cve","description":"In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled 
value.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-35515","source":"anchore_cve","description":"none","package":"commons-compress-1.19","packagePath":"/opt/splunk/bin/jars/thirdparty/common/commons-compress-1.19.jar","findingsState":"needs_justification"},{"identifier":"CVE-2021-35515","source":"twistlock_cve","description":"When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress\\' sevenz package.","package":"org.apache.commons_commons-compress-1.19","findingsState":"needs_justification"},{"identifier":"CVE-2021-35516","source":"anchore_cve","description":"none","package":"commons-compress-1.19","packagePath":"/opt/splunk/bin/jars/thirdparty/common/commons-compress-1.19.jar","findingsState":"needs_justification"},{"identifier":"CVE-2021-35516","source":"twistlock_cve","description":"When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress\\' sevenz package.","package":"org.apache.commons_commons-compress-1.19","findingsState":"needs_justification"},{"identifier":"CVE-2021-35517","source":"anchore_cve","description":"none","package":"commons-compress-1.19","packagePath":"/opt/splunk/bin/jars/thirdparty/common/commons-compress-1.19.jar","findingsState":"needs_justification"},{"identifier":"CVE-2021-35517","source":"twistlock_cve","description":"When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. 
This could be used to mount a denial of service attack against services that use Compress\\' tar package.","package":"org.apache.commons_commons-compress-1.19","findingsState":"needs_justification"},{"identifier":"CVE-2021-3564","source":"anchore_cve","description":"A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3572","source":"anchore_cve","description":"none","package":"platform-python-pip-9.0.3-19.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T15:25:37.000Z","justification":"Upstream patched in version 21.1. Red Hat has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T15:26:02.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T15:26:49.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3572","source":"anchore_cve","description":"none","package":"python3-pip-wheel-9.0.3-19.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T15:25:37.000Z","justification":"Upstream patched in version 21.1. 
Red Hat has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T15:26:02.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T15:26:49.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3573","source":"anchore_cve","description":"A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3580","source":"anchore_cve","description":"A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.","package":"nettle-3.4.1-4.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-08T18:34:22.000Z","justification":"Patched upstream in version 3.7.3 on 5/17/2021. 
RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-08T18:34:48.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-08T18:35:22.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3580","source":"twistlock_cve","description":"A flaw was found in the way nettle\\'s RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.","package":"nettle-3.4.1-4.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T04:02:47.000Z","justification":"Patched upstream in version 3.7.3 on 5/17/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T14:51:41.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T14:55:53.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:39:21.000Z","justification":"Upstream is working on a patch and is undergoing testing. 
No official release containing this patch has been published as of yet.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-02T19:53:05.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T19:53:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:39:21.000Z","justification":"Upstream is working on a patch and is undergoing testing. No official release containing this patch has been published as of yet.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-02T19:53:05.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T19:53:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:39:21.000Z","justification":"No upstream patch available.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-02T19:53:05.000Z","comment":"This finding was 
reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T19:53:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:39:22.000Z","justification":"No upstream patch available.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-02T19:53:05.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T19:53:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:39:21.000Z","justification":"No upstream patch available.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-02T19:53:05.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T19:53:34.000Z","comment":"This finding is 
approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:39:22.000Z","justification":"No upstream patch available.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-02T19:53:05.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T19:53:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T19:00:12.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. 
No patch available now.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T19:00:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T19:01:03.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"twistlock_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-23T18:41:15.000Z","justification":"Upstream patched in version 2.34 which is scheduled to be released on 8/1/21. 
RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-23T18:43:00.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-23T18:43:34.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T19:00:12.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. 
No patch available now.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T19:00:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T19:01:03.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-headers-2.28-151.el8","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-09T16:58:03.000Z","justification":"There is currently no fix for this vulnerability. Package is required for proper compiling of Splunk components and binaries. When a fix becomes available, we will review integrating the fix into a future release","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. 
This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-langpack-en-2.28-151.el8","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-09T16:58:03.000Z","justification":"There is currently no fix for this vulnerability. Package is required for proper compiling of Splunk components and binaries. When a fix becomes available, we will review integrating the fix into a future release","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T19:00:12.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. 
No patch available now.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T19:00:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T19:01:03.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3600","source":"anchore_cve","description":"none","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-36084","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T17:17:16.000Z","justification":"No patch available upstream.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-21T17:58:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T18:02:55.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36084","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and 
__cil_pre_verify_helper).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T19:52:44.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T19:54:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T19:58:56.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36085","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T17:17:16.000Z","justification":"No patch available upstream.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-21T17:58:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T18:02:55.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36085","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and 
hashtab_map).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T19:52:44.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T19:54:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T19:58:56.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36086","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T17:17:16.000Z","justification":"No patch available upstream.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-21T17:58:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T18:02:55.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36086","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and 
cil_reset_classperms_list).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T19:52:44.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T19:54:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T19:58:56.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36087","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T17:17:16.000Z","justification":"No patch available upstream.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-21T17:58:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T18:02:55.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36087","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from 
cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T19:52:44.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T19:54:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T19:58:56.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36090","source":"anchore_cve","description":"none","package":"commons-compress-1.19","packagePath":"/opt/splunk/bin/jars/thirdparty/common/commons-compress-1.19.jar","findingsState":"needs_justification"},{"identifier":"CVE-2021-36090","source":"twistlock_cve","description":"When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress\\' zip package.","package":"org.apache.commons_commons-compress-1.19","findingsState":"needs_justification"},{"identifier":"CVE-2021-3612","source":"anchore_cve","description":"An out-of-bounds memory write flaw was found in the Linux kernel's joystick devices subsystem in versions before 5.9-rc1, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the system or possibly escalate their privileges on the system. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-36222","source":"anchore_cve","description":"ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.","package":"krb5-libs-1.18.2-8.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-20T17:01:15.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-20T17:12:18.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-20T17:12:41.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36222","source":"anchore_cve","description":"ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.","package":"libkadm5-1.18.2-8.el8","findingsState":"needs_justification"},{"identifier":"CVE-2021-3635","source":"anchore_cve","description":"A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. 
A user with root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3640","source":"anchore_cve","description":"none","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3653","source":"anchore_cve","description":"none","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3655","source":"anchore_cve","description":"A vulnerability was found in the Linux kernel in versions before v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3656","source":"anchore_cve","description":"none","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3659","source":"anchore_cve","description":"none","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3669","source":"anchore_cve","description":"none","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3679","source":"anchore_cve","description":"A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. 
Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-37159","source":"anchore_cve","description":"hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-3732","source":"anchore_cve","description":"none","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-37576","source":"anchore_cve","description":"arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-38160","source":"anchore_cve","description":"In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-38166","source":"anchore_cve","description":"In kernel/bpf/hashtab.c in the Linux kernel through 5.13.8, there is an integer overflow and out-of-bounds write when many elements are placed in a single bucket. 
NOTE: exploitation might be impractical without the CAP_SYS_ADMIN capability.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-38198","source":"anchore_cve","description":"arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-38199","source":"anchore_cve","description":"fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for those servers to be unreachable during trunking detection.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-38201","source":"anchore_cve","description":"net/sunrpc/xdr.c in the Linux kernel before 5.13.4 allows remote attackers to cause a denial of service (xdr_set_page_base slab-out-of-bounds access) by performing many NFS 4.2 READ_PLUS operations.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"CVE-2021-38206","source":"anchore_cve","description":"The mac80211 subsystem in the Linux kernel before 5.12.13, when a device supporting only 5 GHz is used, allows attackers to cause a denial of service (NULL pointer dereference in the radiotap parser) by injecting a frame with 802.11a rates.","package":"kernel-headers-4.18.0-305.12.1.el8_4","findingsState":"needs_justification"},{"identifier":"d26385d0d1986814b072edee4ec870b4","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk/lib/python3.7/site-packages/future/backports/test/badcert.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: 
content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"e7573262736ef52353cde3bae2617782","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/umount. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"Necessary for system functions and calls to work properly","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"eb05fae1ec71ff21793ab378816edb50","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk/lib/python3.7/site-packages/future/backports/test/badkey.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. 
","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"eba25c08fbd186d56fd24bc56375cd21","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk-etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/future/backports/test/badcert.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"f45bd0b695f34f7b631be6fdf4a2023f","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk-etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/future/backports/test/ssl_key.passwd.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. 
","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"f545947dac3616a81e2389e7d740ca75","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk-etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/future/backports/test/keycert2.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"f547353ccc20663738da6f7aeeb85e64","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk/lib/python2.7/site-packages/future/backports/test/ssl_key.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. 
","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"fc9f4a3668e3a9d76e7624bfeea51c1b","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk-etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/future/backports/test/ssl_key.passwd.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. ","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"ffddef7046ef467239a0c7da13b9b077","source":"anchore_comp","description":"Secret content search analyzer found regexp match in container: file=/opt/splunk-etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/future/backports/test/ssl_key.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+\n Gate: secret_scans\n Trigger: content_regex_checks\n Policy ID: DoDFileChecks","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":" Splunk Enterprise uses these certificates for testing during install, an update, or a configuration change. Splunk does not use those secrets during the application's regular operation, and those secrets are not exploitable. 
","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"GHSA-5mg8-w23w-74h3","source":"anchore_cve","description":"none","package":"guava-27.0-jre","packagePath":"/opt/splunk/bin/jars/vendors/libs/guava-27.0-jre.jar","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"Updating to Guava 30.0 does not fix this security vulnerability. The method is merely deprecated. There currently exits no fix for this vulnerability. For more information, see https://github.com/google/guava/issues/4011","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"GHSA-7hfm-57qf-j43q","source":"anchore_cve","description":"none","package":"commons-compress-1.19","packagePath":"/opt/splunk/bin/jars/thirdparty/common/commons-compress-1.19.jar","findingsState":"needs_justification"},{"identifier":"GHSA-7r82-7xv7-xcpj","source":"anchore_cve","description":"none","package":"httpclient-4.5.9","packagePath":"/opt/splunk/bin/jars/thirdparty/aws/httpclient-4.5.9.jar","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-08-03T19:53:25.000Z","justification":"We plan to upgrade in a future release in 2022.","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"GHSA-crv7-7245-f45f","source":"anchore_cve","description":"none","package":"commons-compress-1.19","packagePath":"/opt/splunk/bin/jars/thirdparty/common/commons-compress-1.19.jar","findingsState":"needs_justification"},{"identifier":"GHSA-jq4v-f5q6-mjqq","source":"anchore_cve","description":"none","package":"lxml-4.4.0","packagePath":"/opt/splunk/lib/python2.7/site-packages/lxml","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-08-03T19:56:08.000Z","justification":"We plan to upgrade in either version 8.2.2 or 
8.2.3","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"GHSA-jq4v-f5q6-mjqq","source":"anchore_cve","description":"none","package":"lxml-4.4.0","packagePath":"/opt/splunk/lib/python3.7/site-packages/lxml","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-08-03T19:56:08.000Z","justification":"We plan to upgrade in either version 8.2.2 or 8.2.3","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"GHSA-mc84-pj99-q6hh","source":"anchore_cve","description":"none","package":"commons-compress-1.19","packagePath":"/opt/splunk/bin/jars/thirdparty/common/commons-compress-1.19.jar","findingsState":"needs_justification"},{"identifier":"GHSA-pgww-xf46-h92r","source":"anchore_cve","description":"none","package":"lxml-4.4.0","packagePath":"/opt/splunk/lib/python2.7/site-packages/lxml","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-08-03T19:56:08.000Z","justification":"We plan to upgrade in either version 8.2.2 or 8.2.3","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"GHSA-pgww-xf46-h92r","source":"anchore_cve","description":"none","package":"lxml-4.4.0","packagePath":"/opt/splunk/lib/python3.7/site-packages/lxml","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-08-03T19:56:08.000Z","justification":"We plan to upgrade in either version 8.2.2 or 8.2.3","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"GHSA-q2q7-5pp4-w6pg","source":"anchore_cve","description":"none","package":"urllib3-1.25.9","packagePath":"/opt/splunk/lib/python2.7/site-packages/urllib3","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"The version of urllib3 included in the Python3 versions shipped by Splunk includes the patch for the 
issue.","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"GHSA-q2q7-5pp4-w6pg","source":"anchore_cve","description":"none","package":"urllib3-1.25.9","packagePath":"/opt/splunk/lib/python3.7/site-packages/urllib3","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"The version of urllib3 included in the Python3 versions shipped by Splunk includes the patch for the issue.","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}},{"identifier":"GHSA-xqfj-vm6h-2x34","source":"anchore_cve","description":"none","package":"commons-compress-1.19","packagePath":"/opt/splunk/bin/jars/thirdparty/common/commons-compress-1.19.jar","findingsState":"needs_justification"},{"identifier":"VULNDB-229216","source":"anchore_cve","description":"pip PyPI (Python Packaging Index) contains a flaw that is triggered as sensitive information in URLs is insecurely logged. This may allow a local attacker to potentially gain access to cleartext credentials.","package":"pip-19.2.3","packagePath":"/opt/splunk/lib/python2.7/site-packages/pip","findingsState":"needs_review","contributor":{"state":"needs_review","date":"2021-07-08T20:06:18.000Z","justification":"The versions of pip included in the version of Python shipped with Splunk includes the fix for the CVE","user":{"name":"bpluta","email":"bpluta@splunk.com","role":"vendor_contributor"}}}],"digest":"fce5239d39f1e89e48ee81774fa5362ed938fabda5ece245fabe1fc3eff6b8bc"} INFO: POST Response: 201 section_end:1629732759:step_script section_start:1629732759:upload_artifacts_on_success Uploading artifacts for successful job Uploading artifacts... ci-artifacts/vat_request.json: found 1 matching files and directories Uploading artifacts as "archive" to coordinator... 
ok id=5880368 responseStatus=201 Created token=UxkLeq-9 section_end:1629732760:upload_artifacts_on_success section_start:1629732760:cleanup_file_variables Cleaning up file based variables section_end:1629732760:cleanup_file_variables Job succeeded