
fix(security): upgrade fabric-common to 2.2.10 or later #1600

Closed
petermetz opened this issue Nov 30, 2021 · 0 comments · Fixed by #1601
Labels: bug (Something isn't working), Fabric, Security (Related to existing or potential security vulnerabilities)

@petermetz (Member)

Describe the bug

1 jsrsasign vulnerability found in yarn.lock 7 days ago
Remediation
Upgrade jsrsasign to version 10.2.0 or later. For example:

jsrsasign@^10.2.0:
version "10.2.0"
Always verify the validity and compatibility of suggestions with your codebase.

Details
GHSA-27fj-mc8w-j9wg
critical severity
Vulnerable versions: < 10.2.0
Patched version: 10.2.0
Impact
Vulnerable jsrsasign will accept RSA signatures with improper PKCS#1 v1.5 padding.
The decoded RSA signature value has the following form:
01(ff...(8 or more ffs)...ff)00[ASN.1 OF DigestInfo]
Its byte length shall be the same as the RSA key length; however, such checking was not sufficient.

Crafting a message for a practical attack is very hard.

Patches
Users validating RSA signature should upgrade to 10.2.0 or later.

Workarounds
There is no workaround other than not using RSA signature validation in jsrsasign.

ACKNOWLEDGEMENT
Thanks to Daniel Yahyazadeh @yahyazadeh for reporting and analyzing this vulnerability.

Hyperledger Cactus release version or commit (git rev-parse --short HEAD):

1.0.0-rc.2

Hyperledger Cactus Plugins/Connectors Used

Fabric

Additional context

This is a critical severity security bug and needs to be dealt with urgently.
The dependencies need to be upgraded project-wide.

@petermetz petermetz added bug Something isn't working Fabric Security Related to existing or potential security vulnerabilities labels Nov 30, 2021
@petermetz petermetz self-assigned this Nov 30, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Nov 30, 2021
In the fabric connector I had to upgrade to a newer snapshot
version because we need the fresh typings from there.

Fixes hyperledger#1600

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit that referenced this issue Dec 3, 2021
In the fabric connector I had to upgrade to a newer snapshot
version because we need the fresh typings from there.

Fixes #1600

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>