
CVE-2023-0464, CVE-2023-2975, CVE-2023-3446, CVE-2023-3817, CVE-2023-4807, CVE-2023-5363, CVE-2023-5678, CVE-2023-6129, CVE-2023-6237, CVE-2024-0727 is still showing up in Wiz Security Scan findings when installing the latest DataDog Agent version #28888

Open
lesterianespiritu opened this issue Aug 29, 2024 · 2 comments

Comments

@lesterianespiritu

lesterianespiritu commented Aug 29, 2024

Hi, we made a deployment pipeline that installs (or upgrades) the latest DataDog Agent on our Azure Virtual Machines via chocolatey. Unfortunately, even the latest version still uses an OpenSSL (or libssl) build that is getting flagged as Medium to High vulnerability severity, with the descriptions below:

The product OpenSSL file \Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs\libssl-3-x64-3fc641c31e8d3843855c06ffd77fb36a.dll version 3.0.8.0 on a machine running Windows Server 2019 is vulnerable to CVE-2024-0727, which exists in versions >= 3.0.0 && < 3.0.13.

The vulnerability was found in the National Vulnerability Database (NVD) with NVD severity: Medium.


The product OpenSSL file \Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs\libssl-3-x64-3fc641c31e8d3843855c06ffd77fb36a.dll version 3.0.8.0 on a machine running Windows Server 2019 is vulnerable to CVE-2023-4807, which exists in versions >= 3.0.0 && < 3.0.11.

The vulnerability was found in the National Vulnerability Database (NVD) with NVD severity: High.

The product OpenSSL file \Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs\libssl-3-x64-3fc641c31e8d3843855c06ffd77fb36a.dll version 3.0.8.0 on a machine running Windows Server 2019 is vulnerable to CVE-2023-3817, which exists in versions >= 3.0.0 && < 3.0.10.

The vulnerability was found in the National Vulnerability Database (NVD) with NVD severity: Medium.

The product OpenSSL file \Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs\libssl-3-x64-3fc641c31e8d3843855c06ffd77fb36a.dll version 3.0.8.0 on a machine running Windows Server 2019 is vulnerable to CVE-2023-3446, which exists in versions >= 3.0.0 && < 3.0.10.

The vulnerability was found in the National Vulnerability Database (NVD) with NVD severity: Medium.

The product OpenSSL file \Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs\libssl-3-x64-3fc641c31e8d3843855c06ffd77fb36a.dll version 3.0.8.0 on a machine running Windows Server 2019 is vulnerable to CVE-2023-0464, which exists in versions >= 3.0.0 && < 3.0.9.

The vulnerability was found in the National Vulnerability Database (NVD) with NVD severity: High.

The product OpenSSL file \Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs\libssl-3-x64-3fc641c31e8d3843855c06ffd77fb36a.dll version 3.0.8.0 on a machine running Windows Server 2019 is vulnerable to CVE-2023-6129, which exists in versions >= 3.0.0 && < 3.0.12.

The vulnerability was found in the National Vulnerability Database (NVD) with NVD severity: Medium.

The product OpenSSL file \Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs\libssl-3-x64-3fc641c31e8d3843855c06ffd77fb36a.dll version 3.0.8.0 on a machine running Windows Server 2019 is vulnerable to CVE-2023-5363, which exists in versions >= 3.0.0 && < 3.0.12.

The vulnerability was found in the National Vulnerability Database (NVD) with NVD severity: High.

The product OpenSSL file \Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs\libssl-3-x64-3fc641c31e8d3843855c06ffd77fb36a.dll version 3.0.8.0 on a machine running Windows Server 2019 is vulnerable to CVE-2023-6237, which exists in versions >= 3.0.0 && < 3.0.13.

The vulnerability was found in the National Vulnerability Database (NVD) with NVD severity: None.

The product OpenSSL file \Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs\libssl-3-x64-3fc641c31e8d3843855c06ffd77fb36a.dll version 3.0.8.0 on a machine running Windows Server 2019 is vulnerable to CVE-2023-2975, which exists in versions >= 3.0.0 && < 3.0.10.

The vulnerability was found in the National Vulnerability Database (NVD) with NVD severity: Medium.

Do we have a fix for this?

Thanks!

NOTE: This issue tracker is primarily used to track bugs in the Agent codebase to completion. For issues directly related to your use of the agent, we have a dedicated team who can investigate your reports directly. Please contact Datadog support and send them a flare demonstrating the issue.
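Added triage helper (my own example, not Datadog's or Wiz's code): it parses scanner sentences in the format quoted above, applies the inclusive lower / exclusive upper range each finding states, and reports which CVEs apply to a given libssl build and the lowest version that clears all of them. The sample report is constructed from four of the findings in this issue.

```python
import re

# Added triage helper (not Datadog's or Wiz's code): parse the scanner sentences
# quoted in this issue and decide which CVEs apply to a given libssl version.
VER = r"\d+(?:\.\d+)*"
FINDING_RE = re.compile(
    rf"version (?P<found>{VER}) .*?vulnerable to (?P<cve>CVE-\d{{4}}-\d+), "
    rf"which exists in versions >= (?P<lo>{VER}) && < (?P<hi>{VER})"
)
SEVERITY_RE = re.compile(r"NVD severity: (?P<sev>\w+)")

# Constructed sample: four of the findings quoted above, in the scanner's own format.
SAMPLE_REPORT = r"""
The product OpenSSL file \Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs\libssl-3-x64-3fc641c31e8d3843855c06ffd77fb36a.dll version 3.0.8.0 on a machine running Windows Server 2019 is vulnerable to CVE-2024-0727, which exists in versions >= 3.0.0 && < 3.0.13.
The vulnerability was found in the National Vulnerability Database (NVD) with NVD severity: Medium.
The product OpenSSL file \Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs\libssl-3-x64-3fc641c31e8d3843855c06ffd77fb36a.dll version 3.0.8.0 on a machine running Windows Server 2019 is vulnerable to CVE-2023-4807, which exists in versions >= 3.0.0 && < 3.0.11.
The vulnerability was found in the National Vulnerability Database (NVD) with NVD severity: High.
The product OpenSSL file \Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs\libssl-3-x64-3fc641c31e8d3843855c06ffd77fb36a.dll version 3.0.8.0 on a machine running Windows Server 2019 is vulnerable to CVE-2023-0464, which exists in versions >= 3.0.0 && < 3.0.9.
The vulnerability was found in the National Vulnerability Database (NVD) with NVD severity: High.
The product OpenSSL file \Program Files\Datadog\Datadog Agent\embedded3\Lib\site-packages\confluent_kafka.libs\libssl-3-x64-3fc641c31e8d3843855c06ffd77fb36a.dll version 3.0.8.0 on a machine running Windows Server 2019 is vulnerable to CVE-2023-6237, which exists in versions >= 3.0.0 && < 3.0.13.
The vulnerability was found in the National Vulnerability Database (NVD) with NVD severity: None.
"""

def parse_version(text, width=4):
    # Pad so that "3.0.8.0" (DLL file version) and "3.0.8" (range bound) compare equal.
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def parse_findings(report):
    # Each "vulnerable to" sentence is followed by its NVD severity sentence; pair them.
    findings, pending = [], None
    for line in report.splitlines():
        if m := FINDING_RE.search(line):
            pending = m
        elif (s := SEVERITY_RE.search(line)) and pending:
            findings.append((pending["cve"], parse_version(pending["lo"]),
                             parse_version(pending["hi"]), s["sev"]))
            pending = None
    return findings

def applicable(findings, version):
    # Lower bound is inclusive, upper bound exclusive, as in ">= 3.0.0 && < 3.0.13".
    v = parse_version(version)
    return sorted(cve for cve, lo, hi, _ in findings if lo <= v < hi)

def min_clean_version(findings):
    # First version outside every range is the largest upper bound (OpenSSL: major.minor.patch).
    hi = max(hi for _, _, hi, _ in findings)
    return ".".join(str(p) for p in hi[:3])
```

Run `applicable(parse_findings(SAMPLE_REPORT), "3.0.8.0")` against the bundled DLL version to see the still-open CVEs, and `min_clean_version(...)` to see which libssl build the scanner would stop flagging.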

@mdnorman

mdnorman commented Sep 9, 2024

There's also CVE-2024-36129 in the go.opentelemetry.io/collector/config/confighttp layer.

@jenle-chime

Bumping, any update on this?
