
Upgrade ecdsa to a version > 0.18 #21590

Closed
4 tasks done
EduLeon12 opened this issue Jan 23, 2024 · 3 comments

@EduLeon12
Contributor

EduLeon12 commented Jan 23, 2024

Wazuh version: 4.9.0
Component: Wazuh embedded python

Description

During the [Week 4] Framework weekly security scan, it was found that the ecdsa package has a vulnerability. Therefore, it must be upgraded to avoid it.

CVE-2024-23342

Vulnerability description

https://github.com/wazuh/wazuh/security/dependabot/38

python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. Using the ecdsa.SigningKey.sign_digest() API function and timing signatures an attacker can leak the internal nonce which may allow for private key discovery. Both ECDSA signatures, key generation, and ECDH operations are affected. ECDSA signature verification is unaffected. The python-ecdsa project considers side channel attacks out of scope for the project and there is no planned fix.

Checks

The following elements have been updated or reviewed (should also be checked if no modification is required):

  • Tests (unit tests, API integration tests).
  • Changelog.
  • Documentation.
  • Integration test mapping (using api/test/integration/mapping/_test_mapping.py).
@fdalmaup
Member

fdalmaup commented Jan 29, 2024

Issue Update

The dependency tree for the 4.8.2 version is:

Dependency tree
aiohttp-cache==2.2.0
├── aiohttp [required: >=3.6,<4.0, installed: 3.9.1]
│   ├── aiosignal [required: >=1.1.2, installed: 1.2.0]
│   │   └── frozenlist [required: >=1.1.0, installed: 1.2.0]
│   ├── async-timeout [required: >=4.0,<5.0, installed: 4.0.2]
│   ├── attrs [required: >=17.3.0, installed: 20.3.0]
│   ├── frozenlist [required: >=1.1.1, installed: 1.2.0]
│   ├── multidict [required: >=4.5,<7.0, installed: 5.2.0]
│   └── yarl [required: >=1.0,<2.0, installed: 1.7.0]
│       ├── idna [required: >=2.0, installed: 2.9]
│       └── multidict [required: >=4.0, installed: 5.2.0]
├── aioredis [required: >=1.3,<2.0, installed: 1.3.1]
│   ├── async-timeout [required: Any, installed: 4.0.2]
│   └── hiredis [required: Any, installed: 2.2.3]
└── envparse [required: >=0.2.0,<0.3.0, installed: 0.2.0]
aiohttp-cors==0.7.0
└── aiohttp [required: >=1.1, installed: 3.9.1]
    ├── aiosignal [required: >=1.1.2, installed: 1.2.0]
    │   └── frozenlist [required: >=1.1.0, installed: 1.2.0]
    ├── async-timeout [required: >=4.0,<5.0, installed: 4.0.2]
    ├── attrs [required: >=17.3.0, installed: 20.3.0]
    ├── frozenlist [required: >=1.1.1, installed: 1.2.0]
    ├── multidict [required: >=4.5,<7.0, installed: 5.2.0]
    └── yarl [required: >=1.0,<2.0, installed: 1.7.0]
        ├── idna [required: >=2.0, installed: 2.9]
        └── multidict [required: >=4.0, installed: 5.2.0]
aiohttp-jinja2==1.5.1
├── aiohttp [required: >=3.6.3, installed: 3.9.1]
│   ├── aiosignal [required: >=1.1.2, installed: 1.2.0]
│   │   └── frozenlist [required: >=1.1.0, installed: 1.2.0]
│   ├── async-timeout [required: >=4.0,<5.0, installed: 4.0.2]
│   ├── attrs [required: >=17.3.0, installed: 20.3.0]
│   ├── frozenlist [required: >=1.1.1, installed: 1.2.0]
│   ├── multidict [required: >=4.5,<7.0, installed: 5.2.0]
│   └── yarl [required: >=1.0,<2.0, installed: 1.7.0]
│       ├── idna [required: >=2.0, installed: 2.9]
│       └── multidict [required: >=4.0, installed: 5.2.0]
└── Jinja2 [required: >=3.0.0, installed: 3.0.0]
    └── MarkupSafe [required: >=2.0.0rc2, installed: 2.1.2]
api==4.8.2
asn1crypto==1.3.0
azure-storage-blob==2.1.0
├── azure-common [required: >=1.1.5, installed: 1.1.25]
└── azure-storage-common [required: ~=2.1, installed: 2.1.0]
    ├── azure-common [required: >=1.1.5, installed: 1.1.25]
    ├── cryptography [required: Any, installed: 41.0.7]
    │   └── cffi [required: >=1.12, installed: 1.15.1]
    │       └── pycparser [required: Any, installed: 2.21]
    ├── python-dateutil [required: Any, installed: 2.8.1]
    │   └── six [required: >=1.5, installed: 1.16.0]
    └── requests [required: Any, installed: 2.31.0]
        ├── certifi [required: >=2017.4.17, installed: 2023.7.22]
        ├── charset-normalizer [required: >=2,<4, installed: 2.0.4]
        ├── idna [required: >=2.5,<4, installed: 2.9]
        └── urllib3 [required: >=1.21.1,<3, installed: 1.26.18]
boto3==1.17.85
├── botocore [required: >=1.20.85,<1.21.0, installed: 1.20.85]
│   ├── jmespath [required: >=0.7.1,<1.0.0, installed: 0.9.5]
│   ├── python-dateutil [required: >=2.1,<3.0.0, installed: 2.8.1]
│   │   └── six [required: >=1.5, installed: 1.16.0]
│   └── urllib3 [required: >=1.25.4,<1.27, installed: 1.26.18]
├── jmespath [required: >=0.7.1,<1.0.0, installed: 0.9.5]
└── s3transfer [required: >=0.4.0,<0.5.0, installed: 0.4.2]
    └── botocore [required: >=1.12.36,<2.0a.0, installed: 1.20.85]
        ├── jmespath [required: >=0.7.1,<1.0.0, installed: 0.9.5]
        ├── python-dateutil [required: >=2.1,<3.0.0, installed: 2.8.1]
        │   └── six [required: >=1.5, installed: 1.16.0]
        └── urllib3 [required: >=1.25.4,<1.27, installed: 1.26.18]
chardet==3.0.4
connexion==2.14.2
├── clickclick [required: >=1.2,<21, installed: 20.10.2]
│   ├── click [required: >=4.0, installed: 8.1.3]
│   └── PyYAML [required: >=3.11, installed: 5.4.1]
├── Flask [required: >=1.0.4,<2.3, installed: 2.2.5]
│   ├── click [required: >=8.0, installed: 8.1.3]
│   ├── itsdangerous [required: >=2.0, installed: 2.0.0]
│   ├── Jinja2 [required: >=3.0, installed: 3.0.0]
│   │   └── MarkupSafe [required: >=2.0.0rc2, installed: 2.1.2]
│   └── Werkzeug [required: >=2.2.2, installed: 2.2.3]
│       └── MarkupSafe [required: >=2.1.1, installed: 2.1.2]
├── inflection [required: >=0.3.1,<0.6, installed: 0.3.1]
├── itsdangerous [required: >=0.24, installed: 2.0.0]
├── jsonschema [required: >=2.5.1,<5, installed: 2.6.0]
├── packaging [required: >=20, installed: 20.9]
│   └── pyparsing [required: >=2.0.2, installed: 2.4.7]
├── PyYAML [required: >=5.1,<7, installed: 5.4.1]
├── requests [required: >=2.9.1,<3, installed: 2.31.0]
│   ├── certifi [required: >=2017.4.17, installed: 2023.7.22]
│   ├── charset-normalizer [required: >=2,<4, installed: 2.0.4]
│   ├── idna [required: >=2.5,<4, installed: 2.9]
│   └── urllib3 [required: >=1.21.1,<3, installed: 1.26.18]
└── Werkzeug [required: >=1.0,<2.3, installed: 2.2.3]
    └── MarkupSafe [required: >=2.1.1, installed: 2.1.2]
Cython==0.29.21
defusedxml==0.6.0
docker==6.0.0
├── packaging [required: >=14.0, installed: 20.9]
│   └── pyparsing [required: >=2.0.2, installed: 2.4.7]
├── requests [required: >=2.26.0, installed: 2.31.0]
│   ├── certifi [required: >=2017.4.17, installed: 2023.7.22]
│   ├── charset-normalizer [required: >=2,<4, installed: 2.0.4]
│   ├── idna [required: >=2.5,<4, installed: 2.9]
│   └── urllib3 [required: >=1.21.1,<3, installed: 1.26.18]
├── urllib3 [required: >=1.26.0, installed: 1.26.18]
└── websocket-client [required: >=0.32.0, installed: 0.57.0]
    └── six [required: Any, installed: 1.16.0]
docker-pycreds==0.4.0
└── six [required: >=1.4.0, installed: 1.16.0]
docutils==0.15.2
future==0.18.3
google-cloud-pubsub==2.7.1
├── google-api-core [required: >=1.26.0,<3.0.0dev, installed: 1.30.0]
│   ├── google-auth [required: >=1.25.0,<2.0dev, installed: 1.28.0]
│   │   ├── cachetools [required: >=2.0.0,<5.0, installed: 4.1.0]
│   │   ├── pyasn1-modules [required: >=0.2.1, installed: 0.2.8]
│   │   │   └── pyasn1 [required: >=0.4.6,<0.5.0, installed: 0.4.8]
│   │   ├── rsa [required: >=3.1.4,<5, installed: 4.7.2]
│   │   │   └── pyasn1 [required: >=0.1.3, installed: 0.4.8]
│   │   ├── setuptools [required: >=40.3.0, installed: 65.5.1]
│   │   └── six [required: >=1.9.0, installed: 1.16.0]
│   ├── googleapis-common-protos [required: >=1.6.0,<2.0dev, installed: 1.51.0]
│   │   └── protobuf [required: >=3.6.0, installed: 3.19.6]
│   ├── packaging [required: >=14.3, installed: 20.9]
│   │   └── pyparsing [required: >=2.0.2, installed: 2.4.7]
│   ├── protobuf [required: >=3.12.0, installed: 3.19.6]
│   ├── pytz [required: Any, installed: 2020.1]
│   ├── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
│   │   ├── certifi [required: >=2017.4.17, installed: 2023.7.22]
│   │   ├── charset-normalizer [required: >=2,<4, installed: 2.0.4]
│   │   ├── idna [required: >=2.5,<4, installed: 2.9]
│   │   └── urllib3 [required: >=1.21.1,<3, installed: 1.26.18]
│   ├── setuptools [required: >=40.3.0, installed: 65.5.1]
│   └── six [required: >=1.13.0, installed: 1.16.0]
├── grpc-google-iam-v1 [required: >=0.12.3,<0.13dev, installed: 0.12.3]
│   ├── googleapis-common-protos [required: >=1.5.2,<2.0.0dev, installed: 1.51.0]
│   │   └── protobuf [required: >=3.6.0, installed: 3.19.6]
│   └── grpcio [required: >=1.0.0,<2.0.0dev, installed: 1.58.0]
├── grpcio [required: >=1.38.1,<2.0dev, installed: 1.58.0]
├── libcst [required: >=0.3.10, installed: 0.3.20]
│   ├── PyYAML [required: >=5.2, installed: 5.4.1]
│   ├── typing-extensions [required: >=3.7.4.2, installed: 4.5.0]
│   └── typing-inspect [required: >=0.4.0, installed: 0.7.1]
│       ├── mypy-extensions [required: >=0.3.0, installed: 0.4.3]
│       └── typing-extensions [required: >=3.7.4, installed: 4.5.0]
├── packaging [required: >=14.3, installed: 20.9]
│   └── pyparsing [required: >=2.0.2, installed: 2.4.7]
└── proto-plus [required: >=1.7.1, installed: 1.19.0]
    └── protobuf [required: >=3.12.0, installed: 3.19.6]
google-cloud-storage==1.39.0
├── google-auth [required: >=1.11.0,<2.0dev, installed: 1.28.0]
│   ├── cachetools [required: >=2.0.0,<5.0, installed: 4.1.0]
│   ├── pyasn1-modules [required: >=0.2.1, installed: 0.2.8]
│   │   └── pyasn1 [required: >=0.4.6,<0.5.0, installed: 0.4.8]
│   ├── rsa [required: >=3.1.4,<5, installed: 4.7.2]
│   │   └── pyasn1 [required: >=0.1.3, installed: 0.4.8]
│   ├── setuptools [required: >=40.3.0, installed: 65.5.1]
│   └── six [required: >=1.9.0, installed: 1.16.0]
├── google-cloud-core [required: >=1.4.1,<2.0dev, installed: 1.7.1]
│   ├── google-api-core [required: >=1.21.0,<2.0.0dev, installed: 1.30.0]
│   │   ├── google-auth [required: >=1.25.0,<2.0dev, installed: 1.28.0]
│   │   │   ├── cachetools [required: >=2.0.0,<5.0, installed: 4.1.0]
│   │   │   ├── pyasn1-modules [required: >=0.2.1, installed: 0.2.8]
│   │   │   │   └── pyasn1 [required: >=0.4.6,<0.5.0, installed: 0.4.8]
│   │   │   ├── rsa [required: >=3.1.4,<5, installed: 4.7.2]
│   │   │   │   └── pyasn1 [required: >=0.1.3, installed: 0.4.8]
│   │   │   ├── setuptools [required: >=40.3.0, installed: 65.5.1]
│   │   │   └── six [required: >=1.9.0, installed: 1.16.0]
│   │   ├── googleapis-common-protos [required: >=1.6.0,<2.0dev, installed: 1.51.0]
│   │   │   └── protobuf [required: >=3.6.0, installed: 3.19.6]
│   │   ├── packaging [required: >=14.3, installed: 20.9]
│   │   │   └── pyparsing [required: >=2.0.2, installed: 2.4.7]
│   │   ├── protobuf [required: >=3.12.0, installed: 3.19.6]
│   │   ├── pytz [required: Any, installed: 2020.1]
│   │   ├── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
│   │   │   ├── certifi [required: >=2017.4.17, installed: 2023.7.22]
│   │   │   ├── charset-normalizer [required: >=2,<4, installed: 2.0.4]
│   │   │   ├── idna [required: >=2.5,<4, installed: 2.9]
│   │   │   └── urllib3 [required: >=1.21.1,<3, installed: 1.26.18]
│   │   ├── setuptools [required: >=40.3.0, installed: 65.5.1]
│   │   └── six [required: >=1.13.0, installed: 1.16.0]
│   ├── google-auth [required: >=1.24.0,<2.0dev, installed: 1.28.0]
│   │   ├── cachetools [required: >=2.0.0,<5.0, installed: 4.1.0]
│   │   ├── pyasn1-modules [required: >=0.2.1, installed: 0.2.8]
│   │   │   └── pyasn1 [required: >=0.4.6,<0.5.0, installed: 0.4.8]
│   │   ├── rsa [required: >=3.1.4,<5, installed: 4.7.2]
│   │   │   └── pyasn1 [required: >=0.1.3, installed: 0.4.8]
│   │   ├── setuptools [required: >=40.3.0, installed: 65.5.1]
│   │   └── six [required: >=1.9.0, installed: 1.16.0]
│   └── six [required: >=1.12.0, installed: 1.16.0]
├── google-resumable-media [required: >=1.3.0,<2.0dev, installed: 1.3.1]
│   ├── google-crc32c [required: >=1.0,<2.0dev, installed: 1.1.2]
│   └── six [required: >=1.4.0, installed: 1.16.0]
└── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
    ├── certifi [required: >=2017.4.17, installed: 2023.7.22]
    ├── charset-normalizer [required: >=2,<4, installed: 2.0.4]
    ├── idna [required: >=2.5,<4, installed: 2.9]
    └── urllib3 [required: >=1.21.1,<3, installed: 1.26.18]
importlib-metadata==3.10.1
└── zipp [required: >=0.5, installed: 3.3.2]
more-itertools==8.2.0
openapi-spec-validator==0.2.6
├── jsonschema [required: <3, installed: 2.6.0]
├── pathlib [required: Any, installed: 1.0.1]
├── PyYAML [required: >=3.13, installed: 5.4.1]
└── six [required: Any, installed: 1.16.0]
pip==23.3.2
pipdeptree==2.13.2
psutil==5.9.0
pyarrow==14.0.1
└── numpy [required: >=1.16.6, installed: 1.26.0]
python-jose==3.1.0
├── ecdsa [required: <1.0, installed: 0.16.1]
│   └── six [required: >=1.9.0, installed: 1.16.0]
├── pyasn1 [required: Any, installed: 0.4.8]
├── rsa [required: Any, installed: 4.7.2]
│   └── pyasn1 [required: >=0.1.3, installed: 0.4.8]
└── six [required: <2.0, installed: 1.16.0]
python-json-logger==2.0.2
secure==0.2.1
SQLAlchemy==2.0.23
├── greenlet [required: !=0.4.17, installed: 2.0.2]
└── typing-extensions [required: >=4.2.0, installed: 4.5.0]
tabulate==0.8.9
uvloop==0.17.0
wazuh==4.8.2
wheel==0.38.4
xmltodict==0.12.0

Note

Although the installed version of cryptography is 41.0.7, it is not the same as the one that can be currently found in framework/requirements.txt (41.0.4). It will be updated in the upcoming bump.

As can be checked, the ecdsa dependency is required for python-jose. The latter is used in api/api/authentication.py to encode and decode the JWT:

from jose import JWTError, jwt

API Unit Tests

$ pytest api/api
=============================================================================================== test session starts ===============================================================================================
platform linux -- Python 3.10.13, pytest-7.3.1, pluggy-1.3.0
rootdir: /home/fdalmau/git/wazuh/api/api
configfile: pytest.ini
plugins: metadata-3.0.0, cov-3.0.0, aiohttp-1.0.4, trio-0.7.0, tavern-1.23.5, asyncio-0.18.1, html-2.1.1
asyncio: mode=auto
collected 569 items                                                                                                                                                                                               

api/api/controllers/test/test_active_response_controller.py .                                                                                                                                               [  0%]
api/api/controllers/test/test_agent_controller.py ............................................                                                                                                              [  7%]
api/api/controllers/test/test_cdb_list_controller.py ......                                                                                                                                                 [  8%]
api/api/controllers/test/test_ciscat_controller.py .                                                                                                                                                        [  9%]
api/api/controllers/test/test_cluster_controller.py ........................                                                                                                                                [ 13%]
api/api/controllers/test/test_decoder_controller.py .......                                                                                                                                                 [ 14%]
api/api/controllers/test/test_default_controller.py .                                                                                                                                                       [ 14%]
api/api/controllers/test/test_event_controller.py .                                                                                                                                                         [ 14%]
api/api/controllers/test/test_experimental_controller.py ...............                                                                                                                                    [ 17%]
api/api/controllers/test/test_manager_controller.py .....................                                                                                                                                   [ 21%]
api/api/controllers/test/test_mitre_controller.py .......                                                                                                                                                   [ 22%]
api/api/controllers/test/test_overview_controller.py .                                                                                                                                                      [ 22%]
api/api/controllers/test/test_rootcheck_controller.py ....                                                                                                                                                  [ 23%]
api/api/controllers/test/test_rule_controller.py ........                                                                                                                                                   [ 24%]
api/api/controllers/test/test_sca_controller.py ..                                                                                                                                                          [ 25%]
api/api/controllers/test/test_security_controller.py ...................................................                                                                                                    [ 34%]
api/api/controllers/test/test_syscheck_controller.py ....                                                                                                                                                   [ 34%]
api/api/controllers/test/test_syscollector_controller.py .........                                                                                                                                          [ 36%]
api/api/controllers/test/test_task_controller.py .                                                                                                                                                          [ 36%]
api/api/models/test/test_model.py ..............................                                                                                                                                            [ 41%]
api/api/test/test_alogging.py ......................                                                                                                                                                        [ 45%]
api/api/test/test_authentication.py ...........                                                                                                                                                             [ 47%]
api/api/test/test_configuration.py .............................................                                                                                                                            [ 55%]
api/api/test/test_encoder.py ...                                                                                                                                                                            [ 56%]
api/api/test/test_middlewares.py ...............                                                                                                                                                            [ 58%]
api/api/test/test_signals.py .........                                                                                                                                                                      [ 60%]
api/api/test/test_uri_parser.py ...                                                                                                                                                                         [ 60%]
api/api/test/test_util.py ...............................................                                                                                                                                   [ 69%]
api/api/test/test_validator.py ............................................................................................................................................................................ [ 99%]
....                                                                                                                                                                                                        [100%]

================================================================================================ warnings summary =================================================================================================
test/test_signals.py::test_register_background_tasks[True-True-2]
  /home/fdalmau/git/wazuh/api/api/signals.py:110: RuntimeWarning: coroutine 'AsyncMockMixin._execute_mock_call' was never awaited
    task.cancel()
  Enable tracemalloc to get traceback where the object was allocated.
  See https://docs.pytest.org/en/stable/how-to/capture-warnings.html#resource-warnings for more info.

-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
========================================================================================= 569 passed, 1 warning in 4.97s ==========================================================================================

The update did not generate any errors in the tests. The warning that can be seen was introduced in #19952.

Packages generation

Following are the results of generating the packages for the amd64 and the aarch64 architectures.

amd64

Wazuh installation
Successfully installed Cython-0.29.21 Flask-2.2.5 Jinja2-3.0.0 MarkupSafe-2.1.2 PyYAML-5.4.1 SQLAlchemy-2.0.23 Werkzeug-2.2.3 aiohttp-3.9.1 aiohttp-cache-2.2.0 aiohttp-cors-0.7.0 aiohttp-jinja2-1.5.1 aioredis-1.3.1 aiosignal-1.2.0 asn1crypto-1.3.0 async-timeout-4.0.2 attrs-20.3.0 azure-common-1.1.25 azure-storage-blob-2.1.0 azure-storage-common-2.1.0 boto3-1.17.85 botocore-1.20.85 cachetools-4.1.0 certifi-2023.7.22 cffi-1.15.1 chardet-3.0.4 charset-normalizer-2.0.4 click-8.1.3 clickclick-20.10.2 connexion-2.14.2 cryptography-41.0.7 defusedxml-0.6.0 docker-6.0.0 docker-pycreds-0.4.0 docutils-0.15.2 ecdsa-0.18.0 envparse-0.2.0 frozenlist-1.2.0 future-0.18.3 google-api-core-1.30.0 google-auth-1.28.0 google-cloud-core-1.7.1 google-cloud-pubsub-2.7.1 google-cloud-storage-1.39.0 google-crc32c-1.1.2 google-resumable-media-1.3.1 googleapis-common-protos-1.51.0 greenlet-2.0.2 grpc-google-iam-v1-0.12.3 grpcio-1.58.0 hiredis-2.2.3 idna-2.9 importlib-metadata-3.10.1 inflection-0.3.1 itsdangerous-2.0.0 jmespath-0.9.5 jsonschema-2.6.0 libcst-0.3.20 more-itertools-8.2.0 multidict-5.2.0 mypy-extensions-0.4.3 numpy-1.26.0 openapi-spec-validator-0.2.6 packaging-20.9 pathlib-1.0.1 proto-plus-1.19.0 protobuf-3.19.6 psutil-5.9.0 pyarrow-14.0.1 pyasn1-0.4.8 pyasn1-modules-0.2.8 pycparser-2.21 pyparsing-2.4.7 python-dateutil-2.8.1 python-jose-3.1.0 python-json-logger-2.0.2 pytz-2020.1 requests-2.31.0 rsa-4.7.2 s3transfer-0.4.2 secure-0.2.1 six-1.16.0 tabulate-0.8.9 typing-extensions-4.5.0 typing-inspect-0.7.1 urllib3-1.26.18 uvloop-0.17.0 websocket-client-0.57.0 wheel-0.38.4 xmltodict-0.12.0 yarl-1.7.0 zipp-3.3.2
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
cd ../framework && /var/ossec/framework/python/bin/python3 -m pip install . --use-pep517 --prefix=/var/ossec/framework/python && rm -rf build/
Processing /wazuh/framework
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: wazuh
  Building wheel for wazuh (pyproject.toml) ... done
  Created wheel for wazuh: filename=wazuh-4.8.2-py3-none-any.whl size=296434 sha256=750bef747cc7e5452f7b64f5d1099dddb1c4a55a76e71ccdbd1c5dcfb8731610
  Stored in directory: /tmp/pip-ephem-wheel-cache-iv3h_o3x/wheels/fe/47/7c/2c289aea2e8a5cc5ac8936e5cecbbfc0bdd996d57bb70da19a
Successfully built wazuh
Installing collected packages: wazuh
Successfully installed wazuh-4.8.2
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
chown -R root:wazuh /var/ossec/framework/python
chmod -R o=- /var/ossec/framework/python
cd ../api && /var/ossec/framework/python/bin/python3 -m pip install . --use-pep517 --prefix=/var/ossec/framework/python && rm -rf build/
Processing /wazuh/api
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: api
  Building wheel for api (pyproject.toml) ... done
  Created wheel for api: filename=api-4.8.2-py3-none-any.whl size=160765 sha256=947e0ede2b134a4b4345c3598dde60ffb0301287e9999f189529af97d1dfcc87
  Stored in directory: /tmp/pip-ephem-wheel-cache-6zogcs_f/wheels/2c/ed/d5/5358cdcfa6f68fc41b8ca02118521c75da82e9ec6d16f50822
Successfully built api
Installing collected packages: api
Successfully installed api-4.8.2
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
cd ../tools/mitre && /var/ossec/framework/python/bin/python3 mitredb.py -d /var/ossec/var/db/mitre.db
chcon: can't apply partial context to unlabeled file ‘/var/ossec/lib/libjemalloc.so.2’
chcon: can't apply partial context to unlabeled file ‘/var/ossec/lib/librouter.so’
chcon: can't apply partial context to unlabeled file ‘/var/ossec/lib/libcontent_manager.so’
chcon: can't apply partial context to unlabeled file ‘/var/ossec/lib/libvulnerability_scanner.so’
chcon: can't apply partial context to unlabeled file ‘/var/ossec/lib/libindexer_connector.so’
chcon: can't apply partial context to unlabeled file ‘/var/ossec/lib/librocksdb.so.8’
Generating self-signed certificate for wazuh-authd...


 - System is Redhat Linux.
 - Init script modified to start Wazuh during boot.
Starting Wazuh...
server
2024/01/29 14:52:32 wazuh-modulesd:router: INFO: Loaded router module.
2024/01/29 14:52:32 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Starting Wazuh v4.8.2...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/01/29 14:52:34 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2024/01/29 14:52:37 wazuh-modulesd:router: INFO: Loaded router module.
2024/01/29 14:52:37 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.

 - Configuration finished properly.

 - To start Wazuh:
      /var/ossec/bin/wazuh-control start

 - To stop Wazuh:
      /var/ossec/bin/wazuh-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


   Thanks for using Wazuh.
   Please don't hesitate to contact us if you need help or find
   any bugs.

   Use our public Mailing List at:
          https://groups.google.com/forum/#!forum/wazuh

   More information can be found at:
          - http://www.wazuh.com

    ---  Press ENTER to finish (maybe more information below). ---


 - In order to connect agent and server, you need to add each agent to the server.

   More information at: 
   https://documentation.wazuh.com/
OS information
[root@d2d47bec9906 external]# uname -m
x86_64
[root@d2d47bec9906 external]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
Package information
[root@d2d47bec9906 external]# /var/ossec/framework/python/bin/pip3 show ecdsa
Name: ecdsa
Version: 0.18.0
Summary: ECDSA cryptographic signature library (pure python)
Home-page: http://github.com/tlsfuzzer/python-ecdsa
Author: Brian Warner
Author-email: warner@lothar.com
License: MIT
Location: /var/ossec/framework/python/lib/python3.10/site-packages
Requires: six
Required-by: python-jose

aarch64

Wazuh installation
Successfully installed Cython-0.29.21 Flask-2.2.5 Jinja2-3.0.0 MarkupSafe-2.1.2 PyYAML-5.4.1 SQLAlchemy-2.0.23 Werkzeug-2.2.3 aiohttp-3.9.1 aiohttp-cache-2.2.0 aiohttp-cors-0.7.0 aiohttp-jinja2-1.5.1 aioredis-1.3.1 aiosignal-1.2.0 asn1crypto-1.3.0 async-timeout-4.0.2 attrs-20.3.0 azure-common-1.1.25 azure-storage-blob-2.1.0 azure-storage-common-2.1.0 boto3-1.17.85 botocore-1.20.85 cachetools-4.1.0 certifi-2023.7.22 cffi-1.15.1 chardet-3.0.4 charset-normalizer-2.0.4 click-8.1.3 clickclick-20.10.2 connexion-2.14.2 cryptography-41.0.7 defusedxml-0.6.0 docker-6.0.0 docker-pycreds-0.4.0 docutils-0.15.2 ecdsa-0.18.0 envparse-0.2.0 frozenlist-1.2.0 future-0.18.3 google-api-core-1.30.0 google-auth-1.28.0 google-cloud-core-1.7.1 google-cloud-pubsub-2.7.1 google-cloud-storage-1.39.0 google-crc32c-1.1.2 google-resumable-media-1.3.1 googleapis-common-protos-1.51.0 greenlet-2.0.2 grpc-google-iam-v1-0.12.3 grpcio-1.58.0 hiredis-2.2.3 idna-2.9 importlib-metadata-3.10.1 inflection-0.3.1 itsdangerous-2.0.0 jmespath-0.9.5 jsonschema-2.6.0 libcst-0.3.20 more-itertools-8.2.0 multidict-5.2.0 mypy-extensions-0.4.3 numpy-1.26.0 openapi-spec-validator-0.2.6 packaging-20.9 pathlib-1.0.1 proto-plus-1.19.0 protobuf-3.19.6 psutil-5.9.0 pyarrow-14.0.1 pyasn1-0.4.8 pyasn1-modules-0.2.8 pycparser-2.21 pyparsing-2.4.7 python-dateutil-2.8.1 python-jose-3.1.0 python-json-logger-2.0.2 pytz-2020.1 requests-2.31.0 rsa-4.7.2 s3transfer-0.4.2 secure-0.2.1 six-1.16.0 tabulate-0.8.9 typing-extensions-4.5.0 typing-inspect-0.7.1 urllib3-1.26.18 uvloop-0.17.0 websocket-client-0.57.0 wheel-0.38.4 xmltodict-0.12.0 yarl-1.7.0 zipp-3.3.2
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
cd ../framework && /var/ossec/framework/python/bin/python3 -m pip install . --use-pep517 --prefix=/var/ossec/framework/python && rm -rf build/
Processing /wazuh/framework
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: wazuh
  Building wheel for wazuh (pyproject.toml) ... done
  Created wheel for wazuh: filename=wazuh-4.8.2-py3-none-any.whl size=296434 sha256=3f2b1608db7add4155cf5d90b504614a128d44b78ee71cefe8a037e80e03c392
  Stored in directory: /tmp/pip-ephem-wheel-cache-f1n9ptr0/wheels/fe/47/7c/2c289aea2e8a5cc5ac8936e5cecbbfc0bdd996d57bb70da19a
Successfully built wazuh
Installing collected packages: wazuh
Successfully installed wazuh-4.8.2
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
chown -R root:wazuh /var/ossec/framework/python
chmod -R o=- /var/ossec/framework/python
cd ../api && /var/ossec/framework/python/bin/python3 -m pip install . --use-pep517 --prefix=/var/ossec/framework/python && rm -rf build/
Processing /wazuh/api
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: api
  Building wheel for api (pyproject.toml) ... done
  Created wheel for api: filename=api-4.8.2-py3-none-any.whl size=160765 sha256=aa2c933bccc70a937ee0c5694a7a2017f0c75dea0087da2fb2f4af2338246d5a
  Stored in directory: /tmp/pip-ephem-wheel-cache-93jlwl7a/wheels/2c/ed/d5/5358cdcfa6f68fc41b8ca02118521c75da82e9ec6d16f50822
Successfully built api
Installing collected packages: api
Successfully installed api-4.8.2
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
cd ../tools/mitre && /var/ossec/framework/python/bin/python3 mitredb.py -d /var/ossec/var/db/mitre.db
/usr/bin/chcon: can't apply partial context to unlabeled file '/var/ossec/lib/libjemalloc.so.2'
/usr/bin/chcon: can't apply partial context to unlabeled file '/var/ossec/lib/librouter.so'
/usr/bin/chcon: can't apply partial context to unlabeled file '/var/ossec/lib/libcontent_manager.so'
/usr/bin/chcon: can't apply partial context to unlabeled file '/var/ossec/lib/libvulnerability_scanner.so'
/usr/bin/chcon: can't apply partial context to unlabeled file '/var/ossec/lib/libindexer_connector.so'
/usr/bin/chcon: can't apply partial context to unlabeled file '/var/ossec/lib/librocksdb.so.8'
Generating self-signed certificate for wazuh-authd...


 - System is Redhat Linux.
 - Init script modified to start Wazuh during boot.
Starting Wazuh...
server
2024/01/29 18:54:14 wazuh-modulesd:router: INFO: Loaded router module.
2024/01/29 18:54:14 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Starting Wazuh v4.8.2...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/01/29 18:54:28 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2024/01/29 18:54:38 wazuh-modulesd:router: INFO: Loaded router module.
2024/01/29 18:54:38 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.

 - Configuration finished properly.

 - To start Wazuh:
      /var/ossec/bin/wazuh-control start

 - To stop Wazuh:
      /var/ossec/bin/wazuh-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


   Thanks for using Wazuh.
   Please don't hesitate to contact us if you need help or find
   any bugs.

   Use our public Mailing List at:
          https://groups.google.com/forum/#!forum/wazuh

   More information can be found at:
          - http://www.wazuh.com

    ---  Press ENTER to finish (maybe more information below). ---

 - In order to connect agent and server, you need to add each agent to the server.

   More information at: 
   https://documentation.wazuh.com/
OS information
[root@9e4da4771bc9 python]# uname -m
aarch64
[root@9e4da4771bc9 python]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (AltArch)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (AltArch)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7:server"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
Package information
[root@9e4da4771bc9 python]# /var/ossec/framework/python/bin/pip3 show ecdsa
Name: ecdsa
Version: 0.18.0
Summary: ECDSA cryptographic signature library (pure python)
Home-page: http://github.com/tlsfuzzer/python-ecdsa
Author: Brian Warner
Author-email: warner@lothar.com
License: MIT
Location: /var/ossec/framework/python/lib/python3.10/site-packages
Requires: six
Required-by: python-jose

Next steps

  • Upload the generated packages to run some AITs.

@Selutario Selutario changed the title Upgrade ecdsa to a version >= 0.18 Upgrade ecdsa to a version > 0.18 Jan 30, 2024
@fdalmaup
Member

fdalmaup commented Jan 30, 2024

Issue Update

Vulnerability status

The complete description of the vulnerability was overlooked, since it states: "The python-ecdsa project considers side channel attacks out of scope for the project and there is no planned fix.", i.e., there are no updates that fix the vulnerability. Moreover, the package was not designed with security in mind, as can be checked in an issue in the python-jose package repository (mpdavis/python-jose#341).

Next steps

We should replace and remove the dependencies for ecdsa and python-jose since:

  • The ecdsa package will not patch this vulnerability and its goal is not to be used in a production environment.
  • The python-jose package is not being maintained and no official release has been published since June 2021.

The package candidate to be used is PyJWT, which python-jose was based on. An issue will be opened to investigate the module, analyze the necessary changes, and the modification of our dependencies.
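
The decision above (a finding with no fixed version cannot be bumped away, so the dependency and whatever pulls it in must be replaced) is the kind of check worth scripting for the next weekly scan. The following is an added example, not Wazuh tooling: it parses the "Successfully installed ..." summary line that pip prints and the "Required-by:" relation from `pip show`, then labels each advisory as "bump" or "replace" and lists the dependents that go with it. The install line is a constructed excerpt of the log in this issue; the reverse-dependency map, the `FIRST_PARTY` set and the second advisory (`HYPOTHETICAL-0001`) are constructed to exercise both branches.

```python
"""Triage of dependency-scan findings: bump when a fixed version exists, replace when
upstream will not fix. Added example, not Wazuh tooling; inputs are constructed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the "Successfully installed ..." line quoted in this issue.
PIP_INSTALL_LINE = (
    "Successfully installed cryptography-41.0.7 ecdsa-0.18.0 python-jose-3.1.0 "
    "rsa-4.7.2 six-1.16.0"
)

# package -> packages that list it under "Required-by:" in `pip show` (constructed;
# the ecdsa entry matches the pip show output in this issue, the rest is illustrative).
REQUIRED_BY: Dict[str, Set[str]] = {
    "ecdsa": {"python-jose"},
    "rsa": {"python-jose"},
    "six": {"ecdsa"},
    "python-jose": {"api"},
}
# Dependents that are our own code: they get the replacement, they are not uninstalled.
FIRST_PARTY = {"wazuh", "api"}

# fixed_version None means upstream has no planned fix, so no bump can remediate.
ADVISORIES = [
    {"package": "ecdsa", "id": "CVE-2024-23342", "fixed_version": None},
    {"package": "rsa", "id": "HYPOTHETICAL-0001", "fixed_version": "4.9"},  # constructed
]


def parse_pip_install_line(line: str) -> Dict[str, str]:
    """'Successfully installed name-1.2.3 other-name-4.5' -> {'name': '1.2.3', ...}."""
    prefix = "Successfully installed "
    if not line.startswith(prefix):
        raise ValueError("not a pip install summary line")
    versions: Dict[str, str] = {}
    for token in line[len(prefix):].split():
        # Names may contain '-', the version never does, so split on the last one.
        name, version = token.rsplit("-", 1)
        versions[name.lower()] = version
    return versions


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric-only ordering; enough for release versions such as 0.18.0 < 0.19.0."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def dependents_closure(package: str, required_by: Dict[str, Set[str]]) -> Set[str]:
    """Everything that transitively requires ``package`` (what leaves with it)."""
    seen: Set[str] = set()
    stack = [package]
    while stack:
        for dependent in required_by.get(stack.pop(), ()):
            if dependent not in seen:
                seen.add(dependent)
                stack.append(dependent)
    return seen


def triage(installed: Dict[str, str], advisories: List[dict],
           required_by: Dict[str, Set[str]]) -> List[dict]:
    """One finding per installed package that an advisory names."""
    findings = []
    for adv in advisories:
        pkg = adv["package"]
        version = installed.get(pkg)
        if version is None:
            continue  # not present in this environment
        fixed = adv["fixed_version"]
        if fixed is None:
            action = "replace"
        elif version_key(version) < version_key(fixed):
            action = f"bump to {fixed}"
        else:
            action = "ok"
        closure = dependents_closure(pkg, required_by) if action == "replace" else set()
        findings.append({
            "package": pkg, "version": version, "advisory": adv["id"], "action": action,
            "remove_with": sorted(closure - FIRST_PARTY),     # third-party dependents
            "code_changes_in": sorted(closure & FIRST_PARTY),  # where the swap is coded
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_pip_install_line(PIP_INSTALL_LINE), ADVISORIES, REQUIRED_BY):
        print(finding)
```

For the constructed input the ecdsa finding comes out as "replace", with python-jose in `remove_with` and api in `code_changes_in`, which is exactly the plan stated above; a finding with a fixed version comes out as a plain bump.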

@GGP1
Member

GGP1 commented Jan 30, 2024

Review

The vulnerability reported by the issue has no fix and the maintainers have no plans to resolve it. I agree with the conclusion of removing these packages and replacing them with a production-ready, security-aware and up-to-date one like PyJWT. LGTM!
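
What the replacement proposed in the previous comment and approved here looks like on the API side, as an added example that is not Wazuh code: HS256 token issuance and verification with PyJWT, plus the three rejections a reviewer would test (wrong key, expired token, header rewritten to `alg=none`). It assumes PyJWT >= 2.0 is installed; HS256 needs no `cryptography` backend and pulls in neither `ecdsa` nor `python-jose`. The secret, issuer value and claim set are constructed for the example.

```python
"""HS256 API tokens with PyJWT in place of python-jose. Added example, not Wazuh code.
Assumes PyJWT >= 2.0; SECRET, ISSUER and the claims are constructed."""
import base64
import json
import time
from typing import Optional, Tuple

import jwt  # PyJWT, the candidate named in the thread

SECRET = "constructed-example-secret-do-not-reuse"
ISSUER = "wazuh"      # constructed issuer value
ALGORITHM = "HS256"   # pinned on the verifier side, never read from the token header


def issue_token(subject: str, secret: str = SECRET, ttl_seconds: int = 900,
                now: Optional[int] = None) -> str:
    """Counterpart of jose.jwt.encode(); returns the compact JWS string."""
    now = int(time.time()) if now is None else int(now)
    claims = {"iss": ISSUER, "sub": subject, "iat": now, "nbf": now,
              "exp": now + ttl_seconds}
    return jwt.encode(claims, secret, algorithm=ALGORITHM)


def verify_token(token: str, secret: str = SECRET) -> Tuple[Optional[dict], Optional[str]]:
    """Return (claims, None) on success or (None, reason) on rejection.

    PyJWT refuses to verify without an explicit ``algorithms`` allow-list, so the
    header's alg value can never pick the verification method (no alg confusion).
    """
    try:
        claims = jwt.decode(
            token, secret, algorithms=[ALGORITHM], issuer=ISSUER,
            options={"require": ["exp", "iat", "nbf", "sub"]},
        )
    except jwt.ExpiredSignatureError:
        return None, "expired"
    except jwt.InvalidSignatureError:
        return None, "bad-signature"
    except jwt.InvalidAlgorithmError:
        return None, "alg-not-allowed"
    except jwt.InvalidTokenError as exc:  # wrong issuer, missing claim, malformed token
        return None, f"invalid:{type(exc).__name__}"
    return claims, None


def forge_alg_none(token: str) -> str:
    """Attacker-side: rewrite the header to alg=none and drop the signature."""
    header = {"alg": "none", "typ": "JWT"}
    header_b64 = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    _, payload_b64, _ = token.split(".")
    return f"{header_b64}.{payload_b64}."


def run_checks() -> dict:
    """Happy path plus the three rejections; returns the outcome of each."""
    good = issue_token("wazuh-api-user")
    stale = issue_token("wazuh-api-user", now=int(time.time()) - 3600)  # expired 45 min ago
    return {
        "valid": verify_token(good),
        "wrong_key": verify_token(good, secret="some-other-secret")[1],
        "expired": verify_token(stale)[1],
        "alg_none": verify_token(forge_alg_none(good))[1],
    }


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name:10s} -> {outcome}")
```

The `algorithms=[ALGORITHM]` allow-list and the `require` option are the two settings to carry over when porting the existing `jose.jwt.decode()` calls; with them in place the forged `alg=none` token is rejected before any claim is looked at.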

Projects
Status: Done