cadence
cadence copied to clipboard
uber
Addressing a lot of security vulnerabilities in the Cadence release v1.2.13
Version of Cadence server, and client(which language) This is very important to root cause bugs.
- Server version:
v1.2.13
Describe the bug
There are a lot of CVEs found from the latest Cadence image: ubercadence/server:v1.2.13
To Reproduce Is the issue reproducible?
- Yes
Steps to reproduce the behavior:
- Pull the latest image
ubercadence/server:v1.2.13from Dockerhub - Scan the image with any vulnerability scanner
Scan results for: image ubercadence/server:v1.2.13 sha256:d490d7ad381715e6a28c3eb046ddeed6bf3dbf4620987336b91ed6f2cb778962
Vulnerabilities
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2024-24790 | critical | 9.80 | net/netip | 1.22.3 | fixed in 1.21.11, 1.22.4 | > 4 months | < 1 hour | The various Is methods (IsPrivate, IsLoopback, |
| | | | | | > 4 months ago | | | etc) did not work as expected for IPv4-mapped IPv6 |
| | | | | | | | | addresses, returning false for addresses which |
| | | | | | | | | would... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2019-0210 | high | 7.50 | github.com/apache/thrift/lib/go/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0 | > 4 years | < 1 hour | In Apache Thrift 0.9.3 to 0.12.0, a server |
| | | | | | > 4 years ago | | | implemented in Go using TJSONProtocol or |
| | | | | | | | | TSimpleJSONProtocol may panic when feed with |
| | | | | | | | | invalid input data. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium | 6.20 | github.com/sirupsen/logrus | v1.9.0 | fixed in v1.9.3 | > 1 years | < 1 hour | The github.com/sirupsen/logrus module of all |
| | | | | | > 1 years ago | | | versions is vulnerable to denial of service. |
| | | | | | | | | Logging more than 64kb of data in a single entry |
| | | | | | | | | without new... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-6992 | medium | 5.50 | zlib | 1.2.13-r1 | | > 9 months | < 1 hour | Cloudflare version of zlib library was found |
| | | | | | | | | to be vulnerable to memory corruption issues |
| | | | | | | | | affecting the deflation algorithm implementation |
| | | | | | | | | (deflate.c)... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-42366 | medium | 5.50 | busybox | 1.36.1 | | > 10 months | < 1 hour | A heap-buffer-overflow was discovered in BusyBox |
| | | | | | | | | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-42365 | medium | 5.50 | busybox | 1.36.1 | | > 10 months | < 1 hour | A use-after-free vulnerability was discovered in |
| | | | | | | | | BusyBox v.1.36.1 via a crafted awk pattern in the |
| | | | | | | | | awk.c copyvar function. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-42364 | medium | 5.50 | busybox | 1.36.1 | | > 10 months | < 1 hour | A use-after-free vulnerability in BusyBox v.1.36.1 |
| | | | | | | | | allows attackers to cause a denial of service |
| | | | | | | | | via a crafted awk pattern in the awk.c evaluate |
| | | | | | | | | funct... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-42363 | medium | 5.50 | busybox | 1.36.1 | | > 10 months | < 1 hour | A use-after-free vulnerability was discovered |
| | | | | | | | | in xasprintf function in xfuncs_printf.c:344 in |
| | | | | | | | | BusyBox v.1.36.1. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2024-24786 | medium | 0.00 | google.golang.org/protobuf/encoding/protojson | v1.31.0 | fixed in 1.33.0 | > 7 months | < 1 hour | The protojson.Unmarshal function can enter an |
| | | | | | > 7 months ago | | | infinite loop when unmarshaling certain forms |
| | | | | | | | | of invalid JSON. This condition can occur when |
| | | | | | | | | unmarshalin... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2024-24786 | medium | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0 | fixed in 1.33.0 | > 7 months | < 1 hour | The protojson.Unmarshal function can enter an |
| | | | | | > 7 months ago | | | infinite loop when unmarshaling certain forms |
| | | | | | | | | of invalid JSON. This condition can occur when |
| | | | | | | | | unmarshalin... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-45288 | medium | 0.00 | golang.org/x/net/http2 | v0.19.0 | fixed in 0.23.0 | > 6 months | < 1 hour | An attacker may cause an HTTP/2 endpoint to |
| | | | | | > 6 months ago | | | read arbitrary amounts of header data by sending |
| | | | | | | | | an excessive number of CONTINUATION frames. |
| | | | | | | | | Maintaining H... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
Vulnerabilities found for image ubercadence/server:v1.2.13: total - 11, critical - 1, high - 1, medium - 9, low - 0
Vulnerability threshold check results: PASS
Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY | DESCRIPTION |
+----------+------------------------------------------------------------------------+
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high | Private keys stored in image |
+----------+------------------------------------------------------------------------+
Compliance found for image ubercadence/server:v1.2.13: total - 2, critical - 0, high - 2, medium - 0, low - 0
Expected behavior No more CVEs found.
Screenshots
Additional context Add any other context about the problem here, E.g. Stackstace, workflow history.
