GoogleCloudPlatform/opentelemetry-operations-js

Release an update to fix security vulnerabilities

bhr opened this issue · 2 comments

bhr commented

Please answer these questions before submitting a bug report.

What version of OpenTelemetry are you using?

"@google-cloud/opentelemetry-cloud-trace-exporter@npm:^1.1.0"

What version of Node are you using?

v16.16.0

What did you do?

If possible, provide a recipe for reproducing the error.
The module lists google-auth-library: ^7.0.0 as a dependency, which links against node-forge: ^0.10.0 (through gtoken & google-p12-pem). This version exposes the following security vulnerability:

Improper Verification of Cryptographic Signature in node-forge

Impact
RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.

Patches
The issue has been addressed in node-forge 1.3.0.

References
For more information, please see
"Bleichenbacher's RSA signature forgery based on implementation error"
by Hal Finney.

What did you expect to see?

Update @google-cloud/opentelemetry-cloud-trace-exporter dependencies to use google-auth-library: ^8.0.0

aabmass commented

@bhr I am not able to reproduce this:

$ npm init -y
$ npm install @google-cloud/opentelemetry-cloud-trace-exporter

added 75 packages, and audited 76 packages in 5s

5 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
$ npm ls node-forge
repro-node-forge-issue@1.0.0 /usr/local/google/home/aaronabbott/tmp/repro-node-forge-issue
└─┬ @google-cloud/opentelemetry-cloud-trace-exporter@1.1.0
  └─┬ google-auth-library@7.14.1
    └─┬ gtoken@5.3.2
      └─┬ google-p12-pem@3.1.4
        └── node-forge@1.3.1

If you are seeing this issue in your own repo, it may be an old lockfile?

bhr commented

Thank you for looking into this @aabmass! Your analysis is 100% on point.

After manually deleting the dependency and running yarn install, it correctly resolved to

gtoken@npm:^5.0.4":
  version: 5.3.2
  resolution: "gtoken@npm:5.3.2"
  dependencies:
    gaxios: ^4.0.0
    google-p12-pem: ^3.1.3
    jws: ^4.0.0
  checksum: 1fd640e98afcb3d5c77026fd4ff0671dce724acad11169e5b63701a853e1f5a03f4c76fe6eb95500db80f8444753ce212701d396186ef006088d08be4174f2d7
  languageName: node
  linkType: hard
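As an added example (not code from the issue or from the project), the check below walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and reports every install path where node-forge still resolves below the 1.3.0 fix named in the advisory; the lockfile fragments are constructed to mirror the stale-versus-fresh situation in the `npm ls` output and yarn.lock excerpt above.

```javascript
// Added example, not code from the issue or the project: detect a stale
// lockfile that still pins a transitive dependency below its fixed release.
// Handles the "packages" map of a lockfileVersion 2/3 package-lock.json.
const FIXED_NODE_FORGE = '1.3.0'; // release named in the advisory quoted above

// Compare two plain MAJOR.MINOR.PATCH strings (no pre-release tags, which
// is all a lockfile "version" field carries for these packages).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return every install path where `name` resolves below `fixed`. The text
// after the last "node_modules/" segment is the package name (scope included).
function findVulnerable(lock, name, fixed) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const pkgName = path.slice(path.lastIndexOf('node_modules/') + 13);
    if (pkgName === name && compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile fragments: a stale one still pinning a hoisted
// node-forge 0.10.0, and a fresh one resolving to 1.3.1 as in `npm ls`.
const STALE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'repro', version: '1.0.0' },
    'node_modules/google-p12-pem': { version: '3.1.4' },
    'node_modules/node-forge': { version: '0.10.0' },
    'node_modules/other-tool/node_modules/node-forge': { version: '1.3.1' },
  },
};
const FRESH_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'repro', version: '1.0.0' },
    'node_modules/node-forge': { version: '1.3.1' },
  },
};

console.log(findVulnerable(STALE_LOCK, 'node-forge', FIXED_NODE_FORGE));
// [{ path: 'node_modules/node-forge', version: '0.10.0' }]
console.log(findVulnerable(FRESH_LOCK, 'node-forge', FIXED_NODE_FORGE)); // []
```

Running it against a real `package-lock.json` (`JSON.parse(fs.readFileSync(...))`) after a dependency bump is a quick way to confirm the lockfile was actually regenerated rather than left pinning the old transitive version.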