Proxmox VE - CVE reports - Security issues?

Aug 19, 2020
Hello !

My SOC reported an issue on my newly installed v8 (in-place upgrade).

The SOC client (Covalence by Field Effect) was installed yesterday, just before the 7-to-8 upgrade.

shellcheck v. 0.9.0-1 is installed on this host. CVE-2021-28794 - 9.8/10
The unofficial ShellCheck extension before 0.13.4 for Visual Studio Code mishandles shellcheck.executablePath.


bsd-mailx v. 8.1.2-0.20220412cvs-1 is installed on this host. CVE-2014-7844 - 7.8/10
BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via a crafted email address.


some info on reported host

Code:
root@pve8:~# pveversion
pve-manager/8.0.3/bbf3993334bfa916 (running kernel: 6.2.16-4-pve)


root@pve8:~# dpkg -l | grep bsd-mail
ii  bsd-mailx                            8.1.2-0.20220412cvs-1          amd64        simple mail user agent

root@pve8:~# dpkg -l | grep shellcheck
ii  shellcheck                           0.9.0-1                        amd64        lint tool for shell scripts


Insights? Are these installed by Proxmox by default? Should I worry about or mitigate any of these issues?

These look like false positives by the vulnerability scanner - for bsd-mailx see the Debian project's page on the CVE:
https://security-tracker.debian.org/tracker/CVE-2014-7844/
(fixed in bookworm)

For the shellcheck issue: unless I misread the tag-line, this affects 'Visual Studio Code', which is an IDE/editor by Microsoft, or more specifically an unofficial extension for that IDE, which can then call shellcheck, a small utility to lint POSIX (and other) shell code.
https://github.com/vscode-shellcheck/vscode-shellcheck - the affected unofficial extension
https://github.com/koalaman/shellcheck - https://www.shellcheck.net/ - the shell linter

OTOH, neither package is a hard dependency of Proxmox VE ... you can of course just uninstall them with apt (but, as said, based on the reports I doubt this is anything but a false positive of the vulnerability scanner).

I hope this helps!
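The two findings above fail for two different reasons: the bsd-mailx hit compares the bare upstream version string ("8.1.2") against the NVD range and ignores the Debian revision that carries the backported fix, and the shellcheck hit matches a package name against a CVE filed for a different product. The script below, an added example that is not part of this thread or of Proxmox, reproduces both mistakes and then re-checks each finding the way the answer suggests: against the per-release data of the Debian security tracker, using a port of dpkg's version-comparison rules. The `dpkg -l` rows are copied from the post; the tracker excerpt is hand-written in the shape of https://security-tracker.debian.org/tracker/data/json, and its `fixed_version` is a placeholder, not the real fixing upload:

```python
"""Re-check scanner CVE findings against Debian tracker data (added example).

Not Proxmox or Debian code. The tracker excerpt and the 'fixed_version' in it
are constructed placeholders; read the real values from the tracker JSON.
"""
import re


# ---- Debian version comparison: a port of dpkg's order()/verrevcmp() -------

def _order(c):
    """Sort weight of one non-digit character, as dpkg defines it."""
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256    # punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two upstream-or-revision strings; <0, 0, >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: character by character, end of string weighs 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: strip leading zeros, then compare numerically
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1       # a has more digits, so a larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' (revision is after the LAST '-')."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_cmp(a, b):
    """Return <0, 0, >0 like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


# ---- Inputs ------------------------------------------------------------------

def parse_dpkg_l(text):
    """Package -> version for installed ('ii') rows of `dpkg -l` output."""
    pkgs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            pkgs[fields[1]] = fields[2]
    return pkgs


# Constructed sample: the two rows from the post.
DPKG_L = """\
ii  bsd-mailx   8.1.2-0.20220412cvs-1  amd64  simple mail user agent
ii  shellcheck  0.9.0-1                amd64  lint tool for shell scripts
"""

# Constructed excerpt in the tracker's JSON shape; fixed_version is a placeholder.
# There is deliberately no "shellcheck" entry: CVE-2021-28794 is filed against
# the unofficial VS Code extension, not the Debian shellcheck source package.
TRACKER = {
    "bsd-mailx": {
        "CVE-2014-7844": {
            "scope": "remote",
            "releases": {
                "bookworm": {"status": "resolved", "fixed_version": "8.1.2-0.20141216cvs-1"},
            },
        },
    },
}

# (package, CVE, last affected upstream version as the scanner read it)
FINDINGS = [("bsd-mailx", "CVE-2014-7844", "8.1.2"), ("shellcheck", "CVE-2021-28794", "0.13.4")]


# ---- The two checks ----------------------------------------------------------

def naive_upstream_flag(installed, last_affected):
    """What a scanner that only looks at the numeric upstream version sees."""
    _, upstream, _ = _split(installed)
    numeric = re.match(r"\d+(?:\.\d+)*", upstream).group(0)
    return _verrevcmp(numeric, last_affected) <= 0


def cve_status(tracker, package, cve, release, installed):
    """Classify a finding from the tracker's per-release record."""
    entry = tracker.get(package, {}).get(cve)
    if entry is None:
        return "not-tracked"           # CVE is not filed against this source package
    rel = entry.get("releases", {}).get(release)
    if rel is None:
        return "no-data"
    if rel.get("status") != "resolved":
        return rel.get("status", "unknown")   # e.g. "open", "undetermined"
    fixed = rel.get("fixed_version")
    if fixed and dpkg_cmp(installed, fixed) >= 0:
        return "fixed"                 # installed >= the upload that fixed it
    return "vulnerable"


def triage(findings, dpkg_text=DPKG_L, tracker=TRACKER, release="bookworm"):
    """CVE -> (scanner verdict, tracker verdict) for installed packages."""
    installed = parse_dpkg_l(dpkg_text)
    out = {}
    for pkg, cve, last_affected in findings:
        ver = installed.get(pkg)
        if ver is not None:
            out[cve] = (naive_upstream_flag(ver, last_affected),
                        cve_status(tracker, pkg, cve, release, ver))
    return out


if __name__ == "__main__":
    for cve, (naive, tracked) in triage(FINDINGS).items():
        print(f"{cve}: scanner says {'vulnerable' if naive else 'clean'}, tracker says {tracked}")
```

On a real host, feed `triage()` the output of `dpkg -l` and the JSON from `curl https://security-tracker.debian.org/tracker/data/json` instead of the constructed samples, and cross-check any single comparison with `dpkg --compare-versions`. Before purging a flagged package, `apt-cache rdepends --installed <package>` shows whether anything installed (such as proxmox-ve) still depends on it.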