
Resolve: PRISMA-2023-0056

Open dhamahes opened this issue 1 year ago • 9 comments

Bug report criteria

What happened?

As per the vulnerability scan, our product requires the package logrus to be updated from version 1.7.0 to version 1.9.3.

What did you expect to happen?

We would like to know when the next release of etcd with an updated version of logrus will be available.

How can we reproduce it (as minimally and precisely as possible)?

Please check the version of the logrus package in the current etcd.

Anything else we need to know?

No response

Etcd version (please run commands below)

```console
$ etcd --version
# go version -m etcd | grep etcd
etcd: go1.20.12
	path	go.etcd.io/etcd/server/v3
	mod	go.etcd.io/etcd/server/v3	(devel)	
	dep	go.etcd.io/bbolt	v1.3.8	h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA=
	dep	go.etcd.io/etcd/api/v3	v3.5.11
	dep	go.etcd.io/etcd/client/pkg/v3	v3.5.11
	dep	go.etcd.io/etcd/client/v2	v2.305.11
	dep	go.etcd.io/etcd/client/v3	v3.5.11
	dep	go.etcd.io/etcd/pkg/v3	v3.5.11
	dep	go.etcd.io/etcd/raft/v3	v3.5.11

$ etcdctl version
# go version -m etcdctl | grep etcdctl
etcdctl: go1.20.12
	path	go.etcd.io/etcd/etcdctl/v3
	mod	go.etcd.io/etcd/etcdctl/v3
```

Relevant log output

```console
$ go version -m etcd | grep logrus
	dep	github.com/sirupsen/logrus	v1.7.0	h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
```

dhamahes avatar Jan 18 '24 06:01 dhamahes

cc @jmhbnz

ahrtr avatar Jan 18 '24 09:01 ahrtr

Here is the current state for logrus for main:

```console
$ grep -Ri "github.com/sirupsen/logrus v" | grep -v sum | grep "mod"
tests/go.mod:   github.com/sirupsen/logrus v1.8.1 // indirect
server/go.mod:  github.com/sirupsen/logrus v1.8.1 // indirect
tools/mod/go.mod:       github.com/sirupsen/logrus v1.9.3 // indirect
go.mod: github.com/sirupsen/logrus v1.8.1 // indirect
```

It's an indirect dependency; a quick go mod why for server shows:

```console
$ go mod why github.com/sirupsen/logrus
# github.com/sirupsen/logrus
go.etcd.io/etcd/server/v3/embed
github.com/tmc/grpc-websocket-proxy/wsproxy
github.com/sirupsen/logrus
```

So the actual problematic dependency is github.com/tmc/grpc-websocket-proxy which is a direct dependency for server. Taking a look at https://github.com/tmc/grpc-websocket-proxy it looks like it is no longer maintained.

Additionally reviewing the fork tree I can't find anything more recently maintained which depends on logrus above 1.9.0. We may need to create our own fork to resolve this?

jmhbnz avatar Jan 18 '24 18:01 jmhbnz

thx for the investigation. Proposals:

  • Let's bump github.com/sirupsen/logrus directly for now to resolve the CVE
  • raise a separate ticket to track the task of how to handle the inactivity of https://github.com/tmc/grpc-websocket-proxy

ahrtr avatar Jan 18 '24 18:01 ahrtr
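Added example (not etcd's code): a small Go check that scans the go version -m etcd output quoted above and lists embedded modules older than a required minimum, so a bump like the one proposed here can be verified in the built binary rather than only in go.mod. The sample output is constructed from the lines in this issue, the required-version map (logrus at v1.9.3) mirrors the scan finding, and the function and constant names are mine.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed sample: `go version -m etcd` lines as quoted in this issue.
const sampleGoVersionM = "etcd: go1.20.12\n" +
	"\tmod\tgo.etcd.io/etcd/server/v3\t(devel)\t\n" +
	"\tdep\tgo.etcd.io/bbolt\tv1.3.8\th1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA=\n" +
	"\tdep\tgithub.com/sirupsen/logrus\tv1.7.0\th1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=\n"

// release extracts MAJOR.MINOR.PATCH, dropping "v" and any pre-release/pseudo-version suffix.
func release(v string) (n [3]int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n
}

// versionLess reports whether tag a is an older release than tag b.
func versionLess(a, b string) bool {
	pa, pb := release(a), release(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// outdatedDeps scans `go version -m` output and reports embedded modules older than
// the version required for them; modules not listed in required are ignored.
func outdatedDeps(out string, required map[string]string) (hits []string) {
	for _, line := range strings.Split(out, "\n") {
		f := strings.Split(line, "\t") // "", kind, module, version, hash
		if len(f) < 4 || f[1] != "dep" {
			continue
		}
		if want, ok := required[f[2]]; ok && versionLess(f[3], want) {
			hits = append(hits, f[2]+" "+f[3]+" < "+want)
		}
	}
	return hits
}
```

Because go version -m reports the module versions actually linked into the binary, running this against a rebuilt etcd after the bump confirms that the indirect dependency really moved, whatever the go.mod files say.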

@jmhbnz I can take a look at this.

vivekpatani avatar Jan 18 '24 19:01 vivekpatani

@vivekpatani any update on this? thx

ahrtr avatar Jan 26 '24 19:01 ahrtr

Sorry @ahrtr got sidetracked with other things, I will investigate this and reply before the end of this week.

vivekpatani avatar Jan 29 '24 19:01 vivekpatani

Does this patch need to be back ported to 3.5 and 3.4? @ahrtr @jmhbnz

vivekpatani avatar Feb 20 '24 23:02 vivekpatani

> Does this patch need to be back ported to 3.5 and 3.4? @ahrtr @jmhbnz

In my opinion yes, we need to get it into a stable release branch to actually address the vulnerability.

jmhbnz avatar Feb 20 '24 23:02 jmhbnz

YES, we need to backport to both 3.5 and 3.4.

ahrtr avatar Feb 21 '24 09:02 ahrtr

@ahrtr @jmhbnz for release-3.5 - https://github.com/etcd-io/etcd/pull/17482

vivekpatani avatar Feb 24 '24 02:02 vivekpatani

> @ahrtr @jmhbnz for release-3.5 - #17482

thx, merged.

ahrtr avatar Feb 24 '24 07:02 ahrtr

Could you please share the release date of this fix ?

dhamahes avatar Mar 11 '24 10:03 dhamahes

Could anyone bump the dependency for 3.4 as well? Thanks

ahrtr avatar Mar 11 '24 10:03 ahrtr

@ahrtr https://github.com/etcd-io/etcd/issues/17268 - for 3.4

vivekpatani avatar Mar 12 '24 17:03 vivekpatani

> @ahrtr #17268 - for 3.4

Thanks for https://github.com/etcd-io/etcd/pull/17580

ahrtr avatar Mar 12 '24 17:03 ahrtr

Please also update changelog for both 3.4 and 3.5

ahrtr avatar Mar 12 '24 17:03 ahrtr

May I know the release date and the version in which this issue will be fixed? We have a due date to update the version by March 26, 2024. We would be grateful to know the timeline so that we can take the necessary steps from our end. Thanks

dhamahes avatar Mar 13 '24 04:03 dhamahes

The fix will be included in 3.4.31 and 3.5.13.

Based on Patch release criteria, we will try to release them asap.

ahrtr avatar Mar 13 '24 09:03 ahrtr

Hi, this dependency update was indeed released on 3.4.31/3.5.13. However, we never got the update to the CHANGELOG. I believe that's the only thing remaining to close this issue.

@vivekpatani, could you help with this? Or should I do the update?

ivanvc avatar Apr 02 '24 21:04 ivanvc

@ivanvc sorry for missing this, I'll add it to the CHANGELOG today.

vivekpatani avatar Apr 04 '24 18:04 vivekpatani

@vivekpatani please raise a PR to fix 3.5.13 (and 3.4.31 ?) changelog. thx

ahrtr avatar Apr 11 '24 18:04 ahrtr

Closing as there are no outstanding tasks for this issue.

ivanvc avatar May 07 '24 02:05 ivanvc