Addressing a lot of security vulnerabilities in the Cadence release v1.2.8
Closed this issue · 1 comment
sonpham96 commented
Version of Cadence server, and client (which language)
- Server version: v1.2.8
Describe the bug
There are a lot of CVEs found from the latest Cadence image: ubercadence/server:v1.2.8
To Reproduce
Is the issue reproducible?
- Yes
Steps to reproduce the behavior:
- Pull the latest image ubercadence/server:v1.2.8 from Docker Hub
- Scan the image with any vulnerability scanner
Expected behavior
Scan results for: image ubercadence/server:v1.2.8 sha256:2cb358a5152e7c4d1ac57f214450c90de2834fd1df576c909f7f0350089891ca
Vulnerabilities
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-5397 | high | 8.80 | github.com/apache/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.10.0 (> 8 months ago) | > 6 years | < 1 hour | The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affec... |
| CVE-2019-0210 | high | 7.50 | github.com/apache/thrift/lib/go/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0 (> 4 years ago) | > 4 years | < 1 hour | In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. |
| CVE-2019-0190 | high | 7.50 | openssl | 3.1.4-r5 | | > 5 years | < 1 hour | A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to en... |
| PRISMA-2023-0056 | medium | 6.20 | github.com/sirupsen/logrus | v1.9.0 | fixed in v1.9.3 (> 1 years ago) | > 1 years | < 1 hour | The github.com/sirupsen/logrus module of all versions is vulnerable to denial of service. Logging more than 64kb of data in a single entry without new... |
| CVE-2023-6992 | medium | 5.50 | zlib | 1.2.13-r1 | | > 3 months | < 1 hour | Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c)... |
| CVE-2023-42366 | medium | 5.50 | busybox | 1.36.1 | | > 4 months | < 1 hour | A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. |
| CVE-2023-42365 | medium | 5.50 | busybox | 1.36.1 | | > 4 months | < 1 hour | A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function. |
| CVE-2023-42364 | medium | 5.50 | busybox | 1.36.1 | | > 4 months | < 1 hour | A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate funct... |
| CVE-2023-42363 | medium | 5.50 | busybox | 1.36.1 | | > 4 months | < 1 hour | A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. |
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson | v1.31.0 | fixed in 1.33.0 (42 days ago) | 42 days | < 1 hour | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshalin... |
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0 | fixed in 1.33.0 (42 days ago) | 42 days | < 1 hour | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshalin... |
| CVE-2023-45288 | moderate | 0.00 | golang.org/x/net/http2 | v0.19.0 | fixed in 0.23.0 (12 days ago) | 12 days | < 1 hour | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining H... |
| CVE-2024-2511 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.4-r6 (7 days ago) | n/a | < 1 hour | Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attac... |
Vulnerabilities found for image ubercadence/server:v1.2.8: total - 13, critical - 0, high - 3, medium - 9, low - 1
Vulnerability threshold check results: PASS
Compliance Issues
| SEVERITY | DESCRIPTION |
|---|---|
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
| high | Private keys stored in image |
Compliance found for image ubercadence/server:v1.2.8: total - 2, critical - 0, high - 2, medium - 0, low - 0
Compliance threshold check results: PASS
Additional context
sonpham96 commented
There are still a lot of security vulnerabilities in the Cadence v1.2.9 release. Scan results:
Scan results for: image ubercadence/server:v1.2.9 sha256:91d5b52428fe2cc5bc18e940c0b73f6a758fa38790c1b62a7f7499d41084e716
Vulnerabilities
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-5397 | high | 8.80 | github.com/apache/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.10.0 (> 9 months ago) | > 6 years | < 1 hour | The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affec... |
| CVE-2019-0210 | high | 7.50 | github.com/apache/thrift/lib/go/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0 (> 4 years ago) | > 4 years | < 1 hour | In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. |
| CVE-2023-6992 | medium | 5.50 | zlib | 1.2.13-r1 | | > 4 months | < 1 hour | Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c)... |
| CVE-2023-42366 | medium | 5.50 | busybox | 1.36.1-r5 | fixed in 1.36.1-r6 (1 days ago) | > 5 months | < 1 hour | A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. |
| CVE-2023-42366 | medium | 5.50 | busybox | 1.36.1 | | > 5 months | < 1 hour | A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. |
| CVE-2023-42365 | medium | 5.50 | busybox | 1.36.1 | | > 5 months | < 1 hour | A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function. |
| CVE-2023-42364 | medium | 5.50 | busybox | 1.36.1 | | > 5 months | < 1 hour | A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate funct... |
| CVE-2023-42363 | medium | 5.50 | busybox | 1.36.1 | | > 5 months | < 1 hour | A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. |
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0 | fixed in 1.33.0 (75 days ago) | 75 days | < 1 hour | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshalin... |
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson | v1.31.0 | fixed in 1.33.0 (75 days ago) | 75 days | < 1 hour | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshalin... |
| CVE-2023-45288 | moderate | 0.00 | golang.org/x/net/http2 | v0.19.0 | fixed in 0.23.0 (45 days ago) | 45 days | < 1 hour | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining H... |
| CVE-2024-2511 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.4-r6 (40 days ago) | 41 days | < 1 hour | Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attac... |
Vulnerabilities found for image ubercadence/server:v1.2.9: total - 12, critical - 0, high - 2, medium - 9, low - 1
Vulnerability threshold check results: PASS
Compliance Issues
| SEVERITY | DESCRIPTION |
|---|---|
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
| high | Private keys stored in image |
Compliance found for image ubercadence/server:v1.2.9: total - 2, critical - 0, high - 2, medium - 0, low - 0
Compliance threshold check results: PASS