SNOW-1333232 High Severity DoS CVE in introduced - github.com/hambra/avro #1101
Comments
Hi, and thank you for drawing attention to this issue and also for the PR! Can we please wait for Arrow v16 to be available? Also, the linked Snyk issue leads to CVE-2023-37475, which per the NVD advisory https://nvd.nist.gov/vuln/detail/CVE-2023-37475 is fixed in github.com/hamba/avro 2.13.0 and up. Apache Arrow v15 depends on hamba/avro v2.17.2, which per the above NVD is not vulnerable. Is this the right CVE number?
@sfc-gh-dszmolka We can wait if you're more comfortable with an official release. This commit fixed the DoS, which was released in hamba/avro v2.19.0.
Good catch though; I brought this up with the Snyk team as a potential false positive. Will report back here.
Thanks for the additional details; indeed, Arrow seems to have bumped the hamba/avro to past 2.19 (2.20.1) in the latest (yet unreleased) code. Of course the team will review your PR, but from what I saw we usually prefer depending on official released code. Good to have this on the table though, so really appreciate it!
@ChronosMasterOfAllTime Arrow v16 looks to be released now, can you please modify your PR to have the official released v16.0.0?
Thank you for modifying it to v16; let's await the PR review.
A quick update: we cannot just simply merge the PR. The reason (as you might have noticed from the tests) is that all tests for this PR are failing for go1.19, as Arrow v16 would need go1.20 at least. Until Snowflake drops support for go1.19, we cannot merge this PR or else it would break the driver for everyone on go1.19 currently. Likely we would also require a new major version released from the driver. So we must take appropriate care. This is to set expectations why this 'simple' Arrow version bump won't be very, very quickly merged. Also, on a side note, the question is still open: can you perhaps please advise what is the actual 'High Severity DoS CVE' / vulnerability which is there in Arrow v15.0.2 and supposed to be addressed in Arrow v16? It is likely not the one linked to this issue originally:
because it is addressed in avro 2.13, and Arrow v15, which we already depend on, depends on avro 2.17, which is not vulnerable to this CVE.
We reached out to Snyk support on this as well. Turns out the DB was never updated for this entry. We can table this for now.
Thank you for following up with Snyk and the feedback - as there's no vulnerability, closing the issue for now. The bump to Arrow v16 will still happen though, eventually.
Please answer these questions before submitting your issue.
In order to accurately debug the issue this information is required. Thanks!
What version of GO driver are you using? 1.9
What operating system and processor architecture are you using? MacOS x86_64
What version of GO are you using? 1.22
run go version in your console
4. Server version: N/A
Upgraded to v1.9 of the Snowflake driver. Apache Arrow v15.0.0 is using a version of github.com/hamba/avro that introduces a DoS exploit. This is fixed in the latest version of Apache Arrow. See Snyk issue
Fixed in v16.0.0 of Apache Arrow go.mod
What did you expect to see?
No High CVE exploits
Can you set logging to DEBUG and collect the logs?
https://community.snowflake.com/s/article/How-to-generate-log-file-on-Snowflake-connectors
What is your Snowflake account identifier, if any? databots
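The version check the thread carries out by hand, as an added example that is not part of the issue or of the driver's code: it reads the pinned github.com/hamba/avro/v2 version from a go.mod and compares it with the fixed-in version the thread cites from NVD for CVE-2023-37475 (2.13.0). The go.mod excerpt is constructed and the function names are illustrative; versions with a pre-release, pseudo-version or build suffix return an error so they get a manual look instead of a silent pass.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt; 2.17.2 and the 2.13.0 floor in main are the versions quoted in the thread.
const sampleGoMod = `require (
	github.com/hamba/avro/v2 v2.17.2 // indirect
)`

// pinned returns the version goMod requires for module, or "" if absent.
func pinned(goMod, module string) string {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}

// parse reads a plain "vX.Y.Z"; anything with a suffix fails Atoi and is rejected.
func parse(v string) (n [3]int, err error) {
	parts := strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3)
	for i := 0; i < len(parts) && err == nil; i++ {
		n[i], err = strconv.Atoi(parts[i])
	}
	if err != nil || len(parts) != 3 {
		err = fmt.Errorf("cannot compare %q automatically", v)
	}
	return n, err
}

// atLeast reports whether version have is at or above fixed.
func atLeast(have string, fixed [3]int) (bool, error) {
	h, err := parse(have)
	for i := 0; err == nil && i < 3; i++ {
		if h[i] != fixed[i] {
			return h[i] > fixed[i], nil
		}
	}
	return err == nil, err
}

func main() {
	fmt.Println(atLeast(pinned(sampleGoMod, "github.com/hamba/avro/v2"), [3]int{2, 13, 0}))
}
```

For a real build, the resolved version comes from go list -m all rather than from the text of go.mod, since another dependency can raise it.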