cadence-workflow/cadence

Addressing a lot of security vulnerabilities in the Cadence release v0.25

thle40 opened this issue · 1 comment

Version of Cadence server, and client (which language)
This is very important to root cause bugs.

  • Server version: v0.25.0
  • Client version:
  • Client language:

Describe the bug
There are a lot of CVEs found by scanning the latest release image v0.25.0.

To Reproduce
Is the issue reproducible? Yes

Steps to reproduce the behavior:
A clear and concise description of the reproduction steps.

cadence % /usr/local/bin/twistcli images scan --details docker.io/ubercadence/server:0.25.0

Scan results for: image ubercadence/server:0.25.0 sha256:acaa5f69b5ad10191ae71deebf24d367322f9352948ff934f808db7a0b59df33
Vulnerabilities
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |               PACKAGE               |              VERSION               |                   STATUS                   |  PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-42915   | critical | 9.80 | curl                                | 7.80.0-r3                          | fixed in 7.80.0-r4                         | > 4 months  | < 1 hour   | curl before 7.86.0 has a double free. If curl is   |
|                  |          |      |                                     |                                    | > 4 months ago                             |             |            | told to use an HTTP proxy for a transfer with a    |
|                  |          |      |                                     |                                    |                                            |             |            | non-HTTP(S) URL, it sets up the connection to the  |
|                  |          |      |                                     |                                    |                                            |             |            | rem...                                             |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-32221   | critical | 9.80 | curl                                | 7.80.0-r3                          | fixed in 7.80.0-r4                         | > 3 months  | < 1 hour   | When doing HTTP(S) transfers, libcurl              |
|                  |          |      |                                     |                                    |                                            |             |            | might erroneously use the read callback            |
|                  |          |      |                                     |                                    |                                            |             |            | (`CURLOPT_READFUNCTION`) to ask for data to send,  |
|                  |          |      |                                     |                                    |                                            |             |            | even when the `CURLOPT...                          |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-23914   | critical | 9.10 | curl                                | 7.80.0-r3                          | fixed in 7.80.0-r6                         | 20 days     | < 1 hour   | A cleartext transmission of sensitive information  |
|                  |          |      |                                     |                                    | 28 days ago                                |             |            | vulnerability exists in curl <v7.88.0 that could   |
|                  |          |      |                                     |                                    |                                            |             |            | cause HSTS functionality fail when multiple URLs   |
|                  |          |      |                                     |                                    |                                            |             |            | ar...                                              |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-23916   | high     | 7.50 | curl                                | 7.80.0-r3                          | fixed in 7.80.0-r6                         | 20 days     | < 1 hour   | An allocation of resources without limits or       |
|                  |          |      |                                     |                                    | 28 days ago                                |             |            | throttling vulnerability exists in curl <v7.88.0   |
|                  |          |      |                                     |                                    |                                            |             |            | based on the \"chained\" HTTP compression          |
|                  |          |      |                                     |                                    |                                            |             |            | algorithms, me...                                  |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-0215    | high     | 7.50 | openssl                             | 1.1.1q-r0                          | fixed in 1.1.1t-r0                         | 35 days     | < 1 hour   | The public API function BIO_new_NDEF is a helper   |
|                  |          |      |                                     |                                    | 36 days ago                                |             |            | function used for streaming ASN.1 data via a BIO.  |
|                  |          |      |                                     |                                    |                                            |             |            | It is primarily used internally to OpenSSL to      |
|                  |          |      |                                     |                                    |                                            |             |            | suppo...                                           |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-4450    | high     | 7.50 | openssl                             | 1.1.1q-r0                          | fixed in 1.1.1t-r0                         | 35 days     | < 1 hour   | The function PEM_read_bio_ex() reads a PEM file    |
|                  |          |      |                                     |                                    | 36 days ago                                |             |            | from a BIO and parses and decodes the \"name\"     |
|                  |          |      |                                     |                                    |                                            |             |            | (e.g. \"CERTIFICATE\"), any header data and the    |
|                  |          |      |                                     |                                    |                                            |             |            | payload...                                         |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-43551   | high     | 7.50 | curl                                | 7.80.0-r3                          | fixed in 7.80.0-r5                         | 82 days     | < 1 hour   | A vulnerability exists in curl <7.87.0 HSTS        |
|                  |          |      |                                     |                                    | 84 days ago                                |             |            | check that could be bypassed to trick it to keep   |
|                  |          |      |                                     |                                    |                                            |             |            | using HTTP. Using its HSTS support, curl can be    |
|                  |          |      |                                     |                                    |                                            |             |            | instructe...                                       |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-42916   | high     | 7.50 | curl                                | 7.80.0-r3                          | fixed in 7.80.0-r4                         | > 4 months  | < 1 hour   | In curl before 7.86.0, the HSTS check could be     |
|                  |          |      |                                     |                                    | > 4 months ago                             |             |            | bypassed to trick it into staying with HTTP. Using |
|                  |          |      |                                     |                                    |                                            |             |            | its HSTS support, curl can be instructed to use    |
|                  |          |      |                                     |                                    |                                            |             |            | HTTP...                                            |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-41725   | high     | 7.50 | go                                  | 1.17.13                            | fixed in 1.19.6                            | 15 days     | < 1 hour   | A denial of service is possible from               |
|                  |          |      |                                     |                                    | 6 days ago                                 |             |            | excessive resource consumption in net/http and     |
|                  |          |      |                                     |                                    |                                            |             |            | mime/multipart. Multipart form parsing with        |
|                  |          |      |                                     |                                    |                                            |             |            | mime/multipart.Reader....                          |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-41724   | high     | 7.50 | go                                  | 1.17.13                            | fixed in 1.19.6                            | 15 days     | < 1 hour   | Large handshake records may cause panics in        |
|                  |          |      |                                     |                                    | 6 days ago                                 |             |            | crypto/tls. Both clients and servers may send      |
|                  |          |      |                                     |                                    |                                            |             |            | large TLS handshake records which cause servers    |
|                  |          |      |                                     |                                    |                                            |             |            | and clients,...                                    |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-41723   | high     | 7.50 | go                                  | 1.17.13                            | fixed in 1.19.6                            | 15 days     | < 1 hour   | A maliciously crafted HTTP/2 stream could cause    |
|                  |          |      |                                     |                                    | 6 days ago                                 |             |            | excessive CPU consumption in the HPACK decoder,    |
|                  |          |      |                                     |                                    |                                            |             |            | sufficient to cause a denial of service from a     |
|                  |          |      |                                     |                                    |                                            |             |            | small n...                                         |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-41715   | high     | 7.50 | go                                  | 1.17.13                            | fixed in 1.19.2, 1.18.7                    | > 5 months  | < 1 hour   | Programs which compile regular expressions from    |
|                  |          |      |                                     |                                    | > 5 months ago                             |             |            | untrusted sources may be vulnerable to memory      |
|                  |          |      |                                     |                                    |                                            |             |            | exhaustion or denial of service. The parsed regexp |
|                  |          |      |                                     |                                    |                                            |             |            | repre...                                           |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-2880    | high     | 7.50 | go                                  | 1.17.13                            | fixed in 1.19.2, 1.18.7                    | > 5 months  | < 1 hour   | Requests forwarded by ReverseProxy include the     |
|                  |          |      |                                     |                                    | > 5 months ago                             |             |            | raw query parameters from the inbound request,     |
|                  |          |      |                                     |                                    |                                            |             |            | including unparseable parameters rejected by       |
|                  |          |      |                                     |                                    |                                            |             |            | net/http. T...                                     |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-2879    | high     | 7.50 | go                                  | 1.17.13                            | fixed in 1.19.2, 1.18.7                    | > 5 months  | < 1 hour   | Reader.Read does not set a limit on the maximum    |
|                  |          |      |                                     |                                    | > 5 months ago                             |             |            | size of file headers. A maliciously crafted        |
|                  |          |      |                                     |                                    |                                            |             |            | archive could cause Read to allocate unbounded     |
|                  |          |      |                                     |                                    |                                            |             |            | amounts of ...                                     |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-27664   | high     | 7.50 | go                                  | 1.17.13                            | fixed in 1.19.1, 1.18.6                    | > 6 months  | < 1 hour   | In net/http in Go before 1.18.6 and 1.19.x before  |
|                  |          |      |                                     |                                    | > 6 months ago                             |             |            | 1.19.1, attackers can cause a denial of service    |
|                  |          |      |                                     |                                    |                                            |             |            | because an HTTP/2 connection can hang during       |
|                  |          |      |                                     |                                    |                                            |             |            | closing...                                         |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-0286    | high     | 7.40 | openssl                             | 1.1.1q-r0                          | fixed in 1.1.1t-r0                         | 35 days     | < 1 hour   | There is a type confusion vulnerability relating   |
|                  |          |      |                                     |                                    | 36 days ago                                |             |            | to X.400 address processing inside an X.509        |
|                  |          |      |                                     |                                    |                                            |             |            | GeneralName. X.400 addresses were parsed as an     |
|                  |          |      |                                     |                                    |                                            |             |            | ASN1_STRIN...                                      |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-41723   | high     | 7.00 | golang.org/x/net                    | v0.0.0-20211015210444-4f30a5c0130f | fixed in 0.7.0                             | 15 days     | < 1 hour   | A maliciously crafted HTTP/2 stream could cause    |
|                  |          |      |                                     |                                    | 26 days ago                                |             |            | excessive CPU consumption in the HPACK decoder,    |
|                  |          |      |                                     |                                    |                                            |             |            | sufficient to cause a denial of service from a     |
|                  |          |      |                                     |                                    |                                            |             |            | small n...                                         |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-27664   | high     | 7.00 | golang.org/x/net                    | v0.0.0-20211015210444-4f30a5c0130f | fixed in 0.0.0-20220906165146-f3363e06e74c | > 6 months  | < 1 hour   | In net/http in Go before 1.18.6 and 1.19.x before  |
|                  |          |      |                                     |                                    | 26 days ago                                |             |            | 1.19.1, attackers can cause a denial of service    |
|                  |          |      |                                     |                                    |                                            |             |            | because an HTTP/2 connection can hang during       |
|                  |          |      |                                     |                                    |                                            |             |            | closing...                                         |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-27191   | high     | 7.00 | golang.org/x/crypto                 | v0.0.0-20210921155107-089bfa567519 | fixed in 0.0.0-20220314234659-1baeb1ce4c0b | > 12 months | < 1 hour   | The golang.org/x/crypto/ssh package before         |
|                  |          |      |                                     |                                    | 26 days ago                                |             |            | 0.0.0-20220314234659-1baeb1ce4c0b for Go           |
|                  |          |      |                                     |                                    |                                            |             |            | allows an attacker to crash a server in certain    |
|                  |          |      |                                     |                                    |                                            |             |            | circumstances invo...                              |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-21698   | high     | 7.00 | github.com/prometheus/client_golang | v1.4.1                             | fixed in 1.11.1                            | > 1 years   | < 1 hour   | client_golang is the instrumentation library for   |
|                  |          |      |                                     |                                    | 29 days ago                                |             |            | Go applications in Prometheus, and the promhttp    |
|                  |          |      |                                     |                                    |                                            |             |            | package in client_golang provides tooling around   |
|                  |          |      |                                     |                                    |                                            |             |            | HTTP...                                            |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-44716   | high     | 7.00 | golang.org/x/net/http2              | v0.0.0-20211015210444-4f30a5c0130f | fixed in 0.0.0-20211209124913-491a49abca63 | > 1 years   | < 1 hour   | net/http in Go before 1.16.12 and 1.17.x before    |
|                  |          |      |                                     |                                    | 36 days ago                                |             |            | 1.17.5 allows uncontrolled memory consumption      |
|                  |          |      |                                     |                                    |                                            |             |            | in the header canonicalization cache via HTTP/2    |
|                  |          |      |                                     |                                    |                                            |             |            | requests...                                        |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-43565   | high     | 7.00 | golang.org/x/crypto                 | v0.0.0-20210921155107-089bfa567519 | fixed in 0.0.0-20211202192323-5770296d904e | > 6 months  | < 1 hour   | The x/crypto/ssh package before                    |
|                  |          |      |                                     |                                    | 26 days ago                                |             |            | 0.0.0-20211202192323-5770296d904e of               |
|                  |          |      |                                     |                                    |                                            |             |            | golang.org/x/crypto allows an attacker to panic an |
|                  |          |      |                                     |                                    |                                            |             |            | SSH server.                                        |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-23915   | medium   | 6.50 | curl                                | 7.80.0-r3                          | fixed in 7.80.0-r6                         | 20 days     | < 1 hour   | A cleartext transmission of sensitive information  |
|                  |          |      |                                     |                                    | 28 days ago                                |             |            | vulnerability exists in curl <v7.88.0 that could   |
|                  |          |      |                                     |                                    |                                            |             |            | cause HSTS functionality to behave incorrectly     |
|                  |          |      |                                     |                                    |                                            |             |            | when...                                            |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-43552   | medium   | 5.90 | curl                                | 7.80.0-r3                          | fixed in 7.80.0-r5                         | 34 days     | < 1 hour   | A use after free vulnerability exists in curl      |
|                  |          |      |                                     |                                    | 84 days ago                                |             |            | <7.87.0. Curl can be asked to *tunnel* virtually   |
|                  |          |      |                                     |                                    |                                            |             |            | all protocols it supports through an HTTP proxy.   |
|                  |          |      |                                     |                                    |                                            |             |            | HTTP p...                                          |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-4304    | medium   | 5.90 | openssl                             | 1.1.1q-r0                          | fixed in 1.1.1t-r0                         | 35 days     | < 1 hour   | A timing based side channel exists in the OpenSSL  |
|                  |          |      |                                     |                                    | 36 days ago                                |             |            | RSA Decryption implementation which could be       |
|                  |          |      |                                     |                                    |                                            |             |            | sufficient to recover a plaintext across a network |
|                  |          |      |                                     |                                    |                                            |             |            | in a...                                            |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-41716   | medium   | 5.40 | go                                  | 1.17.13                            | fixed in 1.19.3, 1.18.8                    | > 4 months  | < 1 hour   | Due to unsanitized NUL values, attackers may be    |
|                  |          |      |                                     |                                    | > 4 months ago                             |             |            | able to maliciously set environment variables on   |
|                  |          |      |                                     |                                    |                                            |             |            | Windows. In syscall.StartProcess and os/exec.Cmd,  |
|                  |          |      |                                     |                                    |                                            |             |            | inv...                                             |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| PRISMA-2022-0164 | medium   | 5.30 | github.com/aws/aws-sdk-go           | v1.34.13                           | fixed in v1.40.27                          | > 10 months | < 1 hour   | github.com/aws/aws-sdk-go module prior to v1.40.27 |
|                  |          |      |                                     |                                    | > 10 months ago                            |             |            | is vulnerable to Information Exposure. The SDK     |
|                  |          |      |                                     |                                    |                                            |             |            | did not automatically suppress sensitive API       |
|                  |          |      |                                     |                                    |                                            |             |            | paramet...                                         |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-24532   | medium   | 5.30 | go                                  | 1.17.13                            | fixed in 1.20.2, 1.19.7                    | 7 days      | < 1 hour   | The ScalarMult and ScalarBaseMult methods of       |
|                  |          |      |                                     |                                    | 13 hours ago                               |             |            | the P256 Curve may return an incorrect result if   |
|                  |          |      |                                     |                                    |                                            |             |            | called with some specific unreduced scalars (a     |
|                  |          |      |                                     |                                    |                                            |             |            | scalar la...                                       |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-41717   | medium   | 5.30 | go                                  | 1.17.13                            | fixed in 1.19.4, 1.18.9                    | > 3 months  | < 1 hour   | An attacker can cause excessive memory growth in a |
|                  |          |      |                                     |                                    | > 3 months ago                             |             |            | Go server accepting HTTP/2 requests. HTTP/2 server |
|                  |          |      |                                     |                                    |                                            |             |            | connections contain a cache of HTTP header keys    |
|                  |          |      |                                     |                                    |                                            |             |            | ...                                                |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-41717   | moderate | 4.00 | golang.org/x/net/http2              | v0.0.0-20211015210444-4f30a5c0130f | fixed in 0.4.0                             | > 3 months  | < 1 hour   | An attacker can cause excessive memory growth in a |
|                  |          |      |                                     |                                    | 57 days ago                                |             |            | Go server accepting HTTP/2 requests. HTTP/2 server |
|                  |          |      |                                     |                                    |                                            |             |            | connections contain a cache of HTTP header keys    |
|                  |          |      |                                     |                                    |                                            |             |            | ...                                                |
+------------------+----------+------+-------------------------------------+------------------------------------+--------------------------------------------+-------------+------------+----------------------------------------------------+

Vulnerabilities found for image ubercadence/server:0.25.0: total - 30, critical - 3, high - 19, medium - 8, low - 0
Vulnerability threshold check results: PASS

Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY |                              DESCRIPTION                               |
+----------+------------------------------------------------------------------------+
| high     | (CIS_Docker_v1.3.1 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high     | Private keys stored in image                                           |
+----------+------------------------------------------------------------------------+

Compliance found for image ubercadence/server:0.25.0: total - 2, critical - 0, high - 2, medium - 0, low - 0
Compliance threshold check results: PASS

List of CVEs raised:

  • curl
  • go
  • golang.org
  • openssl
  • github.com

Compliance issues:

  • CIS_Docker_v1.3.1 - 4.1 Image should be created with a non-root user
  • Private keys stored in image

Expected behavior
CVEs scanned by twistlock are fixed

Since a new version of cadence/server has been released and many CVEs are remediated, I'd like to close this issue.