Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] CVE-2025-0665 #35781

Open
shiftie opened this issue Apr 3, 2025 · 7 comments
Open

[BUG] CVE-2025-0665 #35781

shiftie opened this issue Apr 3, 2025 · 7 comments
Labels
team/agent-security team/triage

Comments

@shiftie
Copy link

shiftie commented Apr 3, 2025
edited
Loading

Agent Environment
latest tagged Docker image (sha256:766d72655ef255954c9e738aca2023e64e9cf823fee4fb2e79ff3617f0372b03 atm)

Describe what happened:
critical level vulnerability detected on CURL binary in the image:

_File /opt/datadog-agent/embedded/bin/curl version 8.11.1 is vulnerable to CVE-2025-0665, which exists in versions >= 8.11.1, < 8.12.0.

The vulnerability was found in the [VulnCheck NVD++ Database](https://vulncheck.com/browse/cve/CVE-2025-0665) based on the CPE cpe:2.3:a:haxx:curl and the reporting CNA has assigned it severity: Critical.

The file is associated with the technology cURL.

The vulnerability can be remediated by updating cURL to 8.12.0 or higher.

Describe what you expected:
CURL patched to remove the vulnerability.
Maybe here?

Steps to reproduce the issue:
Scan latest image.

Additional environment details (Operating System, Cloud provider, etc):
Not applicable.
@B-Mahdj
Copy link

B-Mahdj commented Apr 3, 2025

Hi @shiftie
What tool do you use to scan the image. I'm using Trivy on my side and don't see any critical issues.

@shiftie
Copy link
Author

shiftie commented Apr 3, 2025

Hi B-Mahdj!

We scanned using Wiz.

@B-Mahdj
Copy link

B-Mahdj commented Apr 3, 2025
edited
Loading

Can you re-run the scan but this time on the latest-full image (https://hub.docker.com/layers/datadog/agent/latest-full/images/sha256-fbd1bea6598316367591f8a1ac65242afddec4225e945b43182ea0a8869d68a0) please @shiftie ?

I'm trying to see if the vulnerability is on a specific image.

@shiftie
Copy link
Author

shiftie commented Apr 3, 2025
edited
Loading

i'm sorry i can't scan arbitrary images, we're scanning images in use only (latest tag only) :/

but essentially if you can check curl version in your container, it should be 8.12.0 or higher to fix the vuln.

@B-Mahdj
Copy link

B-Mahdj commented Apr 3, 2025

What is strange is that there is a full-upgrade later on the Dockerfile that shouldn't allow curl to be outdated

datadog-agent/Dockerfiles/agent/Dockerfile

Line 121 in 6b94a52

RUN apt full-upgrade -y \

And when installing curl, there is no specific version that are required

datadog-agent/Dockerfiles/agent/Dockerfile

Line 54 in 6b94a52

RUN apt install --no-install-recommends -y curl ca-certificates maven xz-utils

My guess would be that maybe the repository from which curl is installed has not been updated yet ?

@B-Mahdj
Copy link

B-Mahdj commented Apr 3, 2025

Update : I tried to update the curl package inside of the container and the version downloaded was still 8.11 I think there is a repository issue / still not updated.

@jonathan-hafner
Copy link
Contributor

Hi @shiftie, Datadog has reviewed CVE-2025-0665 and agrees with the Low severity rating that have been given by Curl.se and Ubuntu for this vulnerability. Within the context of the Datadog Agent standard configuration, it does not accept inbound network connections that would warrant a higher risk for this issue. Datadog will however be bumping the curl version included in the Agent v7.65 release, which is expected in the next couple weeks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
team/agent-security team/triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@shiftie @B-Mahdj @jonathan-hafner