Report included package related security issues

Hello,

Been using Graylog for a while now via a Kubernetes stack. Love the software.

Internally we run a security scanner that identifies packages within containers that have security vulnerabilities. All the ones we review and report have fixes available. In the current iteration of Graylog 3.3.5 there are several java package related security vulnerabilities that probably should be addressed by updating the package. I verified their current versions in the pom.xml file. I looked through the forums but didn’t see any discussion about either one or how to go about reporting such things.

Is there a procedure that should be followed? I would be happy to share our report I just didn’t want to make it public at the start.

Thanks,
Dave

Check this Reporting a Vulnerability:

Can you be a little more specific since I don’t see any policies or procedures on this. I can happily post the report here but I wanted to make sure that was okay since it includes a possible authentication bypass vulnerability.

@skikd636

I believe what you need to do is in this section.

If you want to report a critical bug that could: allow someone to steal credentials, execute code or escalate privileges, please send a bug report to security@graylog.com before publishing it. This allows us to fix it, create a new version and allows other Graylog users to update before the information is out in the wild. After receiving the bug report, we will immediately get back to you to coordinate the required action.
