
Addressing a lot of security vulnerabilities in the Cadence release v1.2.8 #5913

Open
sonpham96 opened this issue Apr 17, 2024 · 1 comment

@sonpham96 (Contributor)

Version of Cadence server, and client (which language)
This is very important to root-cause bugs.

  • Server version: v1.2.8

Describe the bug
There are a lot of CVEs found in the latest Cadence image: ubercadence/server:v1.2.8

To Reproduce
Is the issue reproducible?

  • Yes

Steps to reproduce the behavior:

  • Pull the latest image ubercadence/server:v1.2.8 from Dockerhub
  • Scan the image with any vulnerability scanner

Expected behavior
A clear and concise description of what you expected to happen.

Scan results for: image ubercadence/server:v1.2.8 sha256:2cb358a5152e7c4d1ac57f214450c90de2834fd1df576c909f7f0350089891ca
Vulnerabilities
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                      PACKAGE                      |              VERSION               |      STATUS       | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2016-5397    | high     | 8.80 | github.com/apache/thrift                          | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.10.0   | > 6 years  | < 1 hour   | The Apache Thrift Go client library exposed the    |
|                  |          |      |                                                   |                                    | > 8 months ago    |            |            | potential during code generation for command       |
|                  |          |      |                                                   |                                    |                   |            |            | injection due to using an external formatting      |
|                  |          |      |                                                   |                                    |                   |            |            | tool. Affec...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2019-0210    | high     | 7.50 | github.com/apache/thrift/lib/go/thrift            | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0   | > 4 years  | < 1 hour   | In Apache Thrift 0.9.3 to 0.12.0, a server         |
|                  |          |      |                                                   |                                    | > 4 years ago     |            |            | implemented in Go using TJSONProtocol or           |
|                  |          |      |                                                   |                                    |                   |            |            | TSimpleJSONProtocol may panic when feed with       |
|                  |          |      |                                                   |                                    |                   |            |            | invalid input data.                                |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2019-0190    | high     | 7.50 | openssl                                           | 3.1.4-r5                           |                   | > 5 years  | < 1 hour   | A bug exists in the way mod_ssl handled client     |
|                  |          |      |                                                   |                                    |                   |            |            | renegotiations. A remote attacker could send a     |
|                  |          |      |                                                   |                                    |                   |            |            | carefully crafted request that would cause mod_ssl |
|                  |          |      |                                                   |                                    |                   |            |            | to en...                                           |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus                        | v1.9.0                             | fixed in v1.9.3   | > 1 years  | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                                   |                                    | > 1 years ago     |            |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                                   |                                    |                   |            |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                                   |                                    |                   |            |            | without new...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                                              | 1.2.13-r1                          |                   | > 3 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                  |          |      |                                                   |                                    |                   |            |            | to be vulnerable to memory corruption issues       |
|                  |          |      |                                                   |                                    |                   |            |            | affecting the deflation algorithm implementation   |
|                  |          |      |                                                   |                                    |                   |            |            | (deflate.c)...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                                           | 1.36.1                             |                   | > 4 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                  |          |      |                                                   |                                    |                   |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                                           | 1.36.1                             |                   | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                  |          |      |                                                   |                                    |                   |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                  |          |      |                                                   |                                    |                   |            |            | awk.c copyvar function.                            |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                                           | 1.36.1                             |                   | > 4 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                  |          |      |                                                   |                                    |                   |            |            | allows attackers to cause a denial of service      |
|                  |          |      |                                                   |                                    |                   |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                  |          |      |                                                   |                                    |                   |            |            | funct...                                           |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                                           | 1.36.1                             |                   | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                  |          |      |                                                   |                                    |                   |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                  |          |      |                                                   |                                    |                   |            |            | BusyBox v.1.36.1.                                  |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson     | v1.31.0                            | fixed in 1.33.0   | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                   |                                    | 42 days ago       |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                   |                                    |                   |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                   |                                    |                   |            |            | unmarshalin...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0                            | fixed in 1.33.0   | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                   |                                    | 42 days ago       |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                   |                                    |                   |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                   |                                    |                   |            |            | unmarshalin...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                            | v0.19.0                            | fixed in 0.23.0   | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                   |                                    | 12 days ago       |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                   |                                    |                   |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                   |                                    |                   |            |            | Maintaining H...                                   |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511    | low      | 0.00 | openssl                                           | 3.1.4-r5                           | fixed in 3.1.4-r6 | n/a        | < 1 hour   | Issue summary: Some non-default TLS server         |
|                  |          |      |                                                   |                                    | 7 days ago        |            |            | configurations can cause unbounded memory growth   |
|                  |          |      |                                                   |                                    |                   |            |            | when processing TLSv1.3 sessions  Impact summary:  |
|                  |          |      |                                                   |                                    |                   |            |            | An attac...                                        |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image ubercadence/server:v1.2.8: total - 13, critical - 0, high - 3, medium - 9, low - 1
Vulnerability threshold check results: PASS

Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY |                              DESCRIPTION                               |
+----------+------------------------------------------------------------------------+
| high     | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high     | Private keys stored in image                                           |
+----------+------------------------------------------------------------------------+

Compliance found for image ubercadence/server:v1.2.8: total - 2, critical - 0, high - 2, medium - 0, low - 0
Compliance threshold check results: PASS

Screenshots
Scan results:
[image: screenshot of the scan results]

Additional context
Add any other context about the problem here, e.g. stack trace, workflow history.

@sonpham96 (Contributor, Author)

There are still a lot of security vulnerabilities in the Cadence v1.2.9 release. Scan results:

Scan results for: image ubercadence/server:v1.2.9 sha256:91d5b52428fe2cc5bc18e940c0b73f6a758fa38790c1b62a7f7499d41084e716
Vulnerabilities
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
|      CVE       | SEVERITY | CVSS |                      PACKAGE                      |              VERSION               |       STATUS       | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2016-5397  | high     | 8.80 | github.com/apache/thrift                          | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.10.0    | > 6 years  | < 1 hour   | The Apache Thrift Go client library exposed the    |
|                |          |      |                                                   |                                    | > 9 months ago     |            |            | potential during code generation for command       |
|                |          |      |                                                   |                                    |                    |            |            | injection due to using an external formatting      |
|                |          |      |                                                   |                                    |                    |            |            | tool. Affec...                                     |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2019-0210  | high     | 7.50 | github.com/apache/thrift/lib/go/thrift            | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0    | > 4 years  | < 1 hour   | In Apache Thrift 0.9.3 to 0.12.0, a server         |
|                |          |      |                                                   |                                    | > 4 years ago      |            |            | implemented in Go using TJSONProtocol or           |
|                |          |      |                                                   |                                    |                    |            |            | TSimpleJSONProtocol may panic when feed with       |
|                |          |      |                                                   |                                    |                    |            |            | invalid input data.                                |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992  | medium   | 5.50 | zlib                                              | 1.2.13-r1                          |                    | > 4 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                |          |      |                                                   |                                    |                    |            |            | to be vulnerable to memory corruption issues       |
|                |          |      |                                                   |                                    |                    |            |            | affecting the deflation algorithm implementation   |
|                |          |      |                                                   |                                    |                    |            |            | (deflate.c)...                                     |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366 | medium   | 5.50 | busybox                                           | 1.36.1-r5                          | fixed in 1.36.1-r6 | > 5 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                |          |      |                                                   |                                    | 1 days ago         |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366 | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 5 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                |          |      |                                                   |                                    |                    |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365 | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 5 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                |          |      |                                                   |                                    |                    |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                |          |      |                                                   |                                    |                    |            |            | awk.c copyvar function.                            |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364 | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 5 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                |          |      |                                                   |                                    |                    |            |            | allows attackers to cause a denial of service      |
|                |          |      |                                                   |                                    |                    |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                |          |      |                                                   |                                    |                    |            |            | funct...                                           |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363 | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 5 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                |          |      |                                                   |                                    |                    |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                |          |      |                                                   |                                    |                    |            |            | BusyBox v.1.36.1.                                  |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0                            | fixed in 1.33.0    | 75 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                |          |      |                                                   |                                    | 75 days ago        |            |            | infinite loop when unmarshaling certain forms      |
|                |          |      |                                                   |                                    |                    |            |            | of invalid JSON. This condition can occur when     |
|                |          |      |                                                   |                                    |                    |            |            | unmarshalin...                                     |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson     | v1.31.0                            | fixed in 1.33.0    | 75 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                |          |      |                                                   |                                    | 75 days ago        |            |            | infinite loop when unmarshaling certain forms      |
|                |          |      |                                                   |                                    |                    |            |            | of invalid JSON. This condition can occur when     |
|                |          |      |                                                   |                                    |                    |            |            | unmarshalin...                                     |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288 | moderate | 0.00 | golang.org/x/net/http2                            | v0.19.0                            | fixed in 0.23.0    | 45 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                |          |      |                                                   |                                    | 45 days ago        |            |            | read arbitrary amounts of header data by sending   |
|                |          |      |                                                   |                                    |                    |            |            | an excessive number of CONTINUATION frames.        |
|                |          |      |                                                   |                                    |                    |            |            | Maintaining H...                                   |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511  | low      | 0.00 | openssl                                           | 3.1.4-r5                           | fixed in 3.1.4-r6  | 41 days    | < 1 hour   | Issue summary: Some non-default TLS server         |
|                |          |      |                                                   |                                    | 40 days ago        |            |            | configurations can cause unbounded memory growth   |
|                |          |      |                                                   |                                    |                    |            |            | when processing TLSv1.3 sessions  Impact summary:  |
|                |          |      |                                                   |                                    |                    |            |            | An attac...                                        |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image ubercadence/server:v1.2.9: total - 12, critical - 0, high - 2, medium - 9, low - 1
Vulnerability threshold check results: PASS

Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY |                              DESCRIPTION                               |
+----------+------------------------------------------------------------------------+
| high     | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high     | Private keys stored in image                                           |
+----------+------------------------------------------------------------------------+

Compliance found for image ubercadence/server:v1.2.9: total - 2, critical - 0, high - 2, medium - 0, low - 0
Compliance threshold check results: PASS
