cadence
Addressing a lot of security vulnerabilities in the Cadence release v1.2.12
Version of Cadence server, and client (which language). This is very important to root cause bugs.
- Server version:
v1.2.12
Describe the bug
There are a lot of CVEs found from the latest Cadence image: ubercadence/server:v1.2.10
To Reproduce
Is the issue reproducible?
- Yes
Steps to reproduce the behavior:
- Pull the latest image `ubercadence/server:v1.2.12` from Dockerhub
- Scan the image with any vulnerability scanner
Scan results for: image ubercadence/server:v1.2.12 sha256:d2625104cbd1731ea82ea2e24419bcc207a4f1d43f33e228d30bb9c4941d55a5
Vulnerabilities
| CVE | Severity | CVSS | Package | Version | Status | Published | Discovered | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-24790 | critical | 9.80 | net/netip | 1.22.3 | fixed in 1.21.11, 1.22.4 (85 days ago) | 85 days | < 1 hour | The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would... |
| CVE-2019-0210 | high | 7.50 | github.com/apache/thrift/lib/go/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0 (> 4 years ago) | > 4 years | < 1 hour | In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. |
| PRISMA-2023-0056 | medium | 6.20 | github.com/sirupsen/logrus | v1.9.0 | fixed in v1.9.3 (> 1 years ago) | > 1 years | < 1 hour | The github.com/sirupsen/logrus module of all versions is vulnerable to denial of service. Logging more than 64kb of data in a single entry without new... |
| CVE-2023-6992 | medium | 5.50 | zlib | 1.2.13-r1 | | > 7 months | < 1 hour | Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c)... |
| CVE-2023-45288 | medium | 0.00 | golang.org/x/net/http2 | v0.19.0 | fixed in 0.23.0 (> 4 months ago) | > 4 months | < 1 hour | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining H... |
Vulnerabilities found for image ubercadence/server:v1.2.12: total - 5, critical - 1, high - 1, medium - 3, low - 0
Vulnerability threshold check results: PASS
Compliance Issues
| Severity | Description |
|---|---|
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
| high | Private keys stored in image |
Compliance found for image ubercadence/server:v1.2.12: total - 2, critical - 0, high - 2, medium - 0, low - 0
Expected behavior
No more CVEs found.
Screenshots
Additional context
Add any other context about the problem here, e.g. stack trace, workflow history.
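The critical finding above (CVE-2024-24790, `net/netip` in the Go 1.22.3 toolchain the image was built with) is easy to misjudge as a cosmetic library bug. The example below is an added illustration, not code from this issue or from the Cadence project, of the kind of check it affects: an allow-list or deny-list decision made with the `netip` `Is*` methods, which on the affected toolchains return `false` for IPv4-mapped IPv6 addresses such as `::ffff:127.0.0.1`. The function names (`isLocalNaive`, `isLocalHardened`, `classify`) and the sample addresses are my own. The fix for the image itself is rebuilding with Go 1.22.4 or later, as the scanner's status column says; calling `Unmap()` before the `Is*` methods is the defensive pattern for application code that must behave the same on any toolchain.

```go
package main

import (
	"fmt"
	"net/netip"
)

// isLocalNaive is the shape of check CVE-2024-24790 affects: deciding whether
// a peer is local or private by calling the netip Is* methods directly.
// On Go < 1.21.11 / 1.22.4 these return false for IPv4-mapped IPv6 addresses
// (::ffff:a.b.c.d), so a request from ::ffff:127.0.0.1 is not treated as
// loopback. In a deny-list (e.g. an SSRF guard that refuses loopback and
// RFC 1918 targets) that means the mapped spelling slips through.
func isLocalNaive(a netip.Addr) bool {
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast()
}

// isLocalHardened normalises first. Unmap() turns ::ffff:a.b.c.d into the
// plain IPv4 address a.b.c.d and leaves every other address untouched, so
// the classification no longer depends on the toolchain's netip version.
func isLocalHardened(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast()
}

// classify parses a textual address and returns (naive, hardened) results.
// A parse error is returned rather than treated as "not local", so callers
// cannot accidentally admit garbage input.
func classify(s string) (naive, hardened bool, err error) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return false, false, err
	}
	return isLocalNaive(a), isLocalHardened(a), nil
}

func main() {
	// Constructed sample input: each IPv4 address next to its IPv4-mapped
	// IPv6 twin. Only the hardened column is stable across Go versions.
	samples := []string{
		"127.0.0.1", "::ffff:127.0.0.1",
		"10.1.2.3", "::ffff:10.1.2.3",
		"8.8.8.8", "::ffff:8.8.8.8",
	}
	fmt.Printf("%-20s %-6s %-8s %s\n", "address", "naive", "hardened", "mapped?")
	for _, s := range samples {
		n, h, err := classify(s)
		if err != nil {
			fmt.Printf("%-20s parse error: %v\n", s, err)
			continue
		}
		mapped := netip.MustParseAddr(s).Is4In6()
		fmt.Printf("%-20s %-6v %-8v %v\n", s, n, h, mapped)
	}
}
```

Run it with the image's toolchain version and with a fixed one: the `naive` column for the `::ffff:` rows flips from `false` to `true` between the two, while `hardened` is `true` for loopback and private addresses and `false` for `8.8.8.8` in both.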