
x/vulndb: potential Go vuln in github.com/lightningnetwork/lnd: CVE-2022-39389 #1115

Closed
GoVulnBot opened this issue Nov 17, 2022 · 3 comments
Labels
excluded: DEPENDENT_VULNERABILITY This vulnerability is downstream of another existing vulnerability report.

Comments

GoVulnBot commented Nov 17, 2022

CVE-2022-39389 references github.com/lightningnetwork/lnd, which may be a Go module.

Description:
Lightning Network Daemon (lnd) is an implementation of a lightning bitcoin overlay network node. All lnd nodes before version v0.15.4 are vulnerable to a block parsing bug that can cause a node to enter a degraded state once encountered. In this degraded state, nodes can continue to make payments and forward HTLCs, and close out channels. Opening channels is prohibited, and also on chain transaction events will be undetected. This can cause loss of funds if a CSV expiry is researched during a breach attempt or a CLTV delta expires forgetting the funds in the HTLC. A patch is available in lnd version 0.15.4. Users are advised to upgrade. Users unable to upgrade may use the lncli updatechanpolicy RPC call to increase their CLTV value to a very high amount or increase their fee policies. This will prevent nodes from routing through your node, meaning that no pending HTLCs can be present.

References:

See doc/triage.md for instructions on how to triage this report.

```yaml
modules:
  - module: github.com/lightningnetwork/lnd
    packages:
      - package: lnd
description: |
    Lightning Network Daemon (lnd) is an implementation of a lightning bitcoin overlay network node. All lnd nodes before version `v0.15.4` are vulnerable to a block parsing bug that can cause a node to enter a degraded state once encountered. In this degraded state, nodes can continue to make payments and forward HTLCs, and close out channels. Opening channels is prohibited, and also on chain transaction events will be undetected. This can cause loss of funds if a CSV expiry is researched during a breach attempt or a CLTV delta expires forgetting the funds in the HTLC. A patch is available in `lnd` version 0.15.4. Users are advised to upgrade. Users unable to upgrade may use the `lncli updatechanpolicy` RPC call to increase their CLTV value to a very high amount or increase their fee policies. This will prevent nodes from routing through your node, meaning that no pending HTLCs can be present.
cves:
  - CVE-2022-39389
references:
  - fix: https://github.com/lightningnetwork/lnd/security/advisories/GHSA-hc82-w9v8-83pr
  - web: https://github.com/lightningnetwork/lnd/issues/7096
  - fix: https://github.com/lightningnetwork/lnd/pull/7098
  - web: https://github.com/lightningnetwork/lnd/releases/tag/v0.15.4-beta
```

jba self-assigned this Nov 22, 2022
jba added the labels "excluded: NOT_IMPORTABLE" (This vulnerability only exists in a binary and is not importable.) and "NeedsReport", then removed "excluded: NOT_IMPORTABLE", Nov 22, 2022
jba (Contributor) commented Nov 22, 2022

The package is importable, and has importers.
@julieqiu

jba assigned julieqiu and unassigned jba Nov 22, 2022
julieqiu added the label "excluded: DEPENDENT_VULNERABILITY" (This vulnerability is downstream of another existing vulnerability report.) and removed "NeedsReport", Nov 30, 2022
julieqiu (Member) commented

This is a dependent vulnerability of GHSA-2chg-86hq-7w38, same as #1098

gopherbot (Contributor) commented

Change https://go.dev/cl/455157 mentions this issue: data/excluded: batch add GO-2022-1115, GO-2022-1132
