
Fix all HIGH security vulnerabilities in Wave SDK #2351

Closed
dulajra opened this issue Jun 13, 2024 · 4 comments
Labels
chore Chores security Related to security

Comments

@dulajra
Contributor

dulajra commented Jun 13, 2024

Wave SDK Version, OS

1.3.1

Actual behavior

The following HIGH security vulnerability is present in the latest Wave version.

mlops-wave/venv/waved (gobinary)
================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.22.1            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of         │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                             │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                 │
│         ├────────────────┤          │        │                   ├────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24788 │          │        │                   │ 1.22.3         │ golang: net: malformed DNS message can cause infinite loop │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24788                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────────────┘

Expected behavior

0 HIGH and CRITICAL vulnerabilities.

@dulajra dulajra added the bug Bug in code label Jun 13, 2024
@mturoci mturoci added security Related to security chore Chores and removed bug Bug in code labels Jun 13, 2024
@jakubhava
Collaborator

jakubhava commented Jun 13, 2024

This is the full report on waved

mlops-wave/venv/waved (gobinary)
================================
Total: 6 (UNKNOWN: 2, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │  Status  │ Installed Version │  Fixed Version  │                            Title                            │
├────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net           │ CVE-2023-45288 │ MEDIUM   │ fixed    │ v0.22.0           │ 0.23.0          │ golang: net/http, x/net/http2: unlimited number of          │
│                            │                │          │          │                   │                 │ CONTINUATION frames causes DoS                              │
│                            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
├────────────────────────────┼────────────────┤          ├──────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ gopkg.in/square/go-jose.v2 │ CVE-2024-28180 │          │ affected │ v2.6.0            │                 │ jose-go: improper handling of highly compressed data        │
│                            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-28180                  │
├────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                     │ CVE-2023-45288 │ HIGH     │ fixed    │ 1.22.1            │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of          │
│                            │                │          │          │                   │                 │ CONTINUATION frames causes DoS                              │
│                            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
│                            ├────────────────┤          │          │                   ├─────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24788 │          │          │                   │ 1.22.3          │ golang: net: malformed DNS message can cause infinite loop  │
│                            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24788                  │
│                            ├────────────────┼──────────┤          │                   ├─────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24789 │ UNKNOWN  │          │                   │ 1.21.11, 1.22.4 │ The archive/zip package's handling of certain types of      │
│                            │                │          │          │                   │                 │ invalid zip fil ......                                      │
│                            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                  │
│                            ├────────────────┤          │          │                   │                 ├─────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24790 │          │          │                   │                 │ The various Is methods (IsPrivate, IsLoopback, etc) did not │
│                            │                │          │          │                   │                 │ work as ex...                                               │
│                            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                  │
└────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘

The more we can fix, the better.

@mturoci
Collaborator

mturoci commented Jun 14, 2024

Fixed in a90b902.

Bumped Go to 1.22.4 which should mitigate all the CVEs mentioned above. If not, let me know.

@mturoci mturoci closed this as completed Jun 14, 2024
@mturoci
Collaborator

mturoci commented Jun 14, 2024

Edit: Didn't notice your comment @jakubhava.

gopkg.in/square/go-jose.v2

Has no fix atm if I read it correctly.

golang.org/x/net

Will bump and cut one more release.
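The two comments above rely on the rebuilt `waved` binary actually carrying Go 1.22.4 and a patched `golang.org/x/net`. An added check (not part of the Wave project or this thread) that confirms this from `go version -m waved` output before re-running the scanner: it parses the header and dependency lines and compares them against the "Fixed Version" floors from the Trivy tables above. The `go version -m` line format and the helper names are assumptions; no Wave module path is used.

```go
package main

import (
	"strconv"
	"strings"
)

// Lowest acceptable version per component, taken from the Trivy "Fixed Version" column above.
var MinVersions = map[string]string{"go": "1.22.4", "golang.org/x/net": "0.23.0"}
// numericParts turns "go1.22.1" or "v0.22.0" into [1 22 1] / [0 22 0]; "rc1" and the like count as 0.
func numericParts(v string) (parts []int) {
	for _, p := range strings.Split(strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v"), ".") {
		n, _ := strconv.Atoi(p)
		parts = append(parts, n)
	}
	return parts
}
// olderThan reports whether version a sorts strictly before version b.
func olderThan(a, b string) bool {
	pa, pb := numericParts(a), numericParts(b)
	for i := 0; i < len(pa) && i < len(pb); i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return len(pa) < len(pb) // "1.22" is older than "1.22.1"
}
// ParseGoVersionM reads `go version -m <binary>` output: the header ("waved: go1.22.1") gives the toolchain, kept under key "go"; tab-separated dep/mod lines give each module's version.
func ParseGoVersionM(out string) map[string]string {
	got := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		f := strings.Split(line, "\t") // e.g. "\tdep\tgolang.org/x/net\tv0.22.0\th1:..."
		if len(f) >= 4 && (f[1] == "dep" || f[1] == "mod") {
			got[f[2]] = f[3]
		} else if _, ver, ok := strings.Cut(line, ": "); ok && f[0] != "" {
			got["go"] = ver
		}
	}
	return got
}
// Outdated maps each component still below MinVersions to "found < required"; an empty result means the binary no longer carries the versions flagged above.
func Outdated(got map[string]string) map[string]string {
	bad := map[string]string{}
	for name, floor := range MinVersions {
		if v, ok := got[name]; ok && olderThan(v, floor) {
			bad[name] = v + " < " + floor
		}
	}
	return bad
}
```

Feed the captured output of `go version -m waved` to `ParseGoVersionM` and fail the release step if `Outdated` returns anything; note that this only checks the versions the reports list, so a fresh Trivy run is still needed for new advisories.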

@jakubhava
Collaborator

Thanks a lot @mturoci.
