Proxmox VE - CVE reports - Security issues?

Aug 19, 2020
Hello!

My SOC reported an issue on my newly installed v8 (in-place upgrade).

The SOC client (Covalence by Field Effect) was installed yesterday, just before the 7-to-8 upgrade.

shellcheck v. 0.9.0-1 is installed on this host. CVE-2021-28794 - 9.8/10
The unofficial ShellCheck extension before 0.13.4 for Visual Studio Code mishandles shellcheck.executablePath.


bsd-mailx v. 8.1.2-0.20220412cvs-1 is installed on this host. CVE-2014-7844 - 7.8/10
BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via a crafted email address.


Some info on the reported host:

Code:
root@pve8:~# pveversion
pve-manager/8.0.3/bbf3993334bfa916 (running kernel: 6.2.16-4-pve)


root@pve8:~# dpkg -l | grep bsd-mail
ii  bsd-mailx                            8.1.2-0.20220412cvs-1          amd64        simple mail user agent

root@pve8:~# dpkg -l | grep shellcheck
ii  shellcheck                           0.9.0-1                        amd64        lint tool for shell scripts


Any insights? Are these installed by Proxmox by default? Should I worry about or mitigate any issues?
 
These look like false positives by the vulnerability scanner - for bsd-mailx see the Debian project's page on the CVE:
https://security-tracker.debian.org/tracker/CVE-2014-7844/
(fixed in bookworm)

For the shellcheck issue - unless I misread the tag-line, this affects 'Visual Studio Code', which is an IDE/editor by Microsoft - or more specifically an unofficial extension for that IDE, which can then call shellcheck - a small utility to lint POSIX (and other) shell code:
https://github.com/vscode-shellcheck/vscode-shellcheck - the affected unofficial extension
https://github.com/koalaman/shellcheck - https://www.shellcheck.net/ - the shell linter

OTOH, neither package is a hard dependency of Proxmox VE ... you can of course just uninstall them with apt (but as said - based on the reports - I doubt that this is anything but a false positive of the vulnerability scanner).

I hope this helps!
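As an added example (not code from this thread or from Proxmox), here is the check the answer describes, done in Python: take the versions from the posted dpkg -l rows, look the CVE up in data shaped like the Debian security tracker's JSON export (keyed by source package), and compare versions with a port of dpkg's ordering rules. The TRACKER excerpt and its fixed_version are constructed placeholders; fetch the real export from the tracker before relying on a verdict.

```python
# Constructed excerpt shaped like the Debian tracker's JSON export (/tracker/data/json). fixed_version is a PLACEHOLDER.
TRACKER = {"bsd-mailx": {"CVE-2014-7844": {"releases": {"bookworm": {
    "status": "resolved", "fixed_version": "8.1.2-0.20150101cvs-1"}}}}}
# 'dpkg -l' rows as posted in the report (whitespace collapsed).
DPKG_L = """ii  bsd-mailx   8.1.2-0.20220412cvs-1  amd64  simple mail user agent
ii  shellcheck  0.9.0-1                amd64  lint tool for shell scripts"""

def _order(c):  # dpkg weighting: '~' first, then end-of-string/digit, letters, other symbols
    return -1 if c == "~" else 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):  # port of dpkg's verrevcmp(): alternate non-digit and numeric runs
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1  # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1   # the longer numeric run is larger
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(a, b):
    """Debian ordering (-1/0/1) like 'dpkg --compare-versions': epoch, then upstream, then revision."""
    def split(v):
        epoch, has_epoch, rest = v.partition(":")
        upstream, has_rev, rev = (rest if has_epoch else v).rpartition("-")
        return int(epoch) if has_epoch else 0, upstream if has_rev else rev, rev if has_rev else ""
    for x, y in zip(split(a), split(b)):
        r = (x > y) - (x < y) if isinstance(x, int) else _verrevcmp(x, y)
        if r: return 1 if r > 0 else -1
    return 0

def installed_versions(dpkg_l):  # package -> version for 'dpkg -l' rows in state 'ii' (installed)
    return {f[1]: f[2] for f in map(str.split, dpkg_l.splitlines()) if f and f[0] == "ii"}

def triage(pkg, ver, cve, tracker=TRACKER, release="bookworm"):
    """Classify a scanner hit against the tracker instead of trusting a bare name/version match."""
    rel = tracker.get(pkg, {}).get(cve, {}).get("releases", {}).get(release)
    if rel is None:
        return "not-a-debian-match", f"tracker has no {cve} for source package {pkg}"
    if rel.get("status") == "resolved" and compare_versions(ver, rel["fixed_version"]) >= 0:
        return "false-positive", f"installed {ver} >= fixed {rel['fixed_version']} in {release}"
    return "needs-action", f"{cve} is {rel.get('status', 'open')} for {pkg} {ver} in {release}"
```

With the real export, the bsd-mailx hit classifies as a false positive because the installed revision is newer than the fixed one, while the shellcheck CVE has no entry under that source package at all, which matches the answer above.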
 
