Upgrade ecdsa to a version > 0.18 #21590
Comments
Issue Update
The dependency tree for the
Dependency tree
Note: Although the installed version of
As can be checked, the wazuh/api/api/authentication.py Line 15 in cc9fd47
API Unit Tests
$ pytest api/api
=============================================================================================== test session starts ===============================================================================================
platform linux -- Python 3.10.13, pytest-7.3.1, pluggy-1.3.0
rootdir: /home/fdalmau/git/wazuh/api/api
configfile: pytest.ini
plugins: metadata-3.0.0, cov-3.0.0, aiohttp-1.0.4, trio-0.7.0, tavern-1.23.5, asyncio-0.18.1, html-2.1.1
asyncio: mode=auto
collected 569 items
api/api/controllers/test/test_active_response_controller.py . [ 0%]
api/api/controllers/test/test_agent_controller.py ............................................ [ 7%]
api/api/controllers/test/test_cdb_list_controller.py ...... [ 8%]
api/api/controllers/test/test_ciscat_controller.py . [ 9%]
api/api/controllers/test/test_cluster_controller.py ........................ [ 13%]
api/api/controllers/test/test_decoder_controller.py ....... [ 14%]
api/api/controllers/test/test_default_controller.py . [ 14%]
api/api/controllers/test/test_event_controller.py . [ 14%]
api/api/controllers/test/test_experimental_controller.py ............... [ 17%]
api/api/controllers/test/test_manager_controller.py ..................... [ 21%]
api/api/controllers/test/test_mitre_controller.py ....... [ 22%]
api/api/controllers/test/test_overview_controller.py . [ 22%]
api/api/controllers/test/test_rootcheck_controller.py .... [ 23%]
api/api/controllers/test/test_rule_controller.py ........ [ 24%]
api/api/controllers/test/test_sca_controller.py .. [ 25%]
api/api/controllers/test/test_security_controller.py ................................................... [ 34%]
api/api/controllers/test/test_syscheck_controller.py .... [ 34%]
api/api/controllers/test/test_syscollector_controller.py ......... [ 36%]
api/api/controllers/test/test_task_controller.py . [ 36%]
api/api/models/test/test_model.py .............................. [ 41%]
api/api/test/test_alogging.py ...................... [ 45%]
api/api/test/test_authentication.py ........... [ 47%]
api/api/test/test_configuration.py ............................................. [ 55%]
api/api/test/test_encoder.py ... [ 56%]
api/api/test/test_middlewares.py ............... [ 58%]
api/api/test/test_signals.py ......... [ 60%]
api/api/test/test_uri_parser.py ... [ 60%]
api/api/test/test_util.py ............................................... [ 69%]
api/api/test/test_validator.py ............................................................................................................................................................................ [ 99%]
.... [100%]
================================================================================================ warnings summary =================================================================================================
test/test_signals.py::test_register_background_tasks[True-True-2]
/home/fdalmau/git/wazuh/api/api/signals.py:110: RuntimeWarning: coroutine 'AsyncMockMixin._execute_mock_call' was never awaited
task.cancel()
Enable tracemalloc to get traceback where the object was allocated.
See https://docs.pytest.org/en/stable/how-to/capture-warnings.html#resource-warnings for more info.
-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
========================================================================================= 569 passed, 1 warning in 4.97s ==========================================================================================
The update did not generate any errors in the tests. The warning that can be seen was introduced in #19952.
Packages generation
Following are the results of generating the packages for the amd64
Wazuh installation
Successfully installed Cython-0.29.21 Flask-2.2.5 Jinja2-3.0.0 MarkupSafe-2.1.2 PyYAML-5.4.1 SQLAlchemy-2.0.23 Werkzeug-2.2.3 aiohttp-3.9.1 aiohttp-cache-2.2.0 aiohttp-cors-0.7.0 aiohttp-jinja2-1.5.1 aioredis-1.3.1 aiosignal-1.2.0 asn1crypto-1.3.0 async-timeout-4.0.2 attrs-20.3.0 azure-common-1.1.25 azure-storage-blob-2.1.0 azure-storage-common-2.1.0 boto3-1.17.85 botocore-1.20.85 cachetools-4.1.0 certifi-2023.7.22 cffi-1.15.1 chardet-3.0.4 charset-normalizer-2.0.4 click-8.1.3 clickclick-20.10.2 connexion-2.14.2 cryptography-41.0.7 defusedxml-0.6.0 docker-6.0.0 docker-pycreds-0.4.0 docutils-0.15.2 ecdsa-0.18.0 envparse-0.2.0 frozenlist-1.2.0 future-0.18.3 google-api-core-1.30.0 google-auth-1.28.0 google-cloud-core-1.7.1 google-cloud-pubsub-2.7.1 google-cloud-storage-1.39.0 google-crc32c-1.1.2 google-resumable-media-1.3.1 googleapis-common-protos-1.51.0 greenlet-2.0.2 grpc-google-iam-v1-0.12.3 grpcio-1.58.0 hiredis-2.2.3 idna-2.9 importlib-metadata-3.10.1 inflection-0.3.1 itsdangerous-2.0.0 jmespath-0.9.5 jsonschema-2.6.0 libcst-0.3.20 more-itertools-8.2.0 multidict-5.2.0 mypy-extensions-0.4.3 numpy-1.26.0 openapi-spec-validator-0.2.6 packaging-20.9 pathlib-1.0.1 proto-plus-1.19.0 protobuf-3.19.6 psutil-5.9.0 pyarrow-14.0.1 pyasn1-0.4.8 pyasn1-modules-0.2.8 pycparser-2.21 pyparsing-2.4.7 python-dateutil-2.8.1 python-jose-3.1.0 python-json-logger-2.0.2 pytz-2020.1 requests-2.31.0 rsa-4.7.2 s3transfer-0.4.2 secure-0.2.1 six-1.16.0 tabulate-0.8.9 typing-extensions-4.5.0 typing-inspect-0.7.1 urllib3-1.26.18 uvloop-0.17.0 websocket-client-0.57.0 wheel-0.38.4 xmltodict-0.12.0 yarl-1.7.0 zipp-3.3.2
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
cd ../framework && /var/ossec/framework/python/bin/python3 -m pip install . --use-pep517 --prefix=/var/ossec/framework/python && rm -rf build/
Processing /wazuh/framework
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: wazuh
Building wheel for wazuh (pyproject.toml) ... done
Created wheel for wazuh: filename=wazuh-4.8.2-py3-none-any.whl size=296434 sha256=750bef747cc7e5452f7b64f5d1099dddb1c4a55a76e71ccdbd1c5dcfb8731610
Stored in directory: /tmp/pip-ephem-wheel-cache-iv3h_o3x/wheels/fe/47/7c/2c289aea2e8a5cc5ac8936e5cecbbfc0bdd996d57bb70da19a
Successfully built wazuh
Installing collected packages: wazuh
Successfully installed wazuh-4.8.2
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
chown -R root:wazuh /var/ossec/framework/python
chmod -R o=- /var/ossec/framework/python
cd ../api && /var/ossec/framework/python/bin/python3 -m pip install . --use-pep517 --prefix=/var/ossec/framework/python && rm -rf build/
Processing /wazuh/api
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: api
Building wheel for api (pyproject.toml) ... done
Created wheel for api: filename=api-4.8.2-py3-none-any.whl size=160765 sha256=947e0ede2b134a4b4345c3598dde60ffb0301287e9999f189529af97d1dfcc87
Stored in directory: /tmp/pip-ephem-wheel-cache-6zogcs_f/wheels/2c/ed/d5/5358cdcfa6f68fc41b8ca02118521c75da82e9ec6d16f50822
Successfully built api
Installing collected packages: api
Successfully installed api-4.8.2
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
cd ../tools/mitre && /var/ossec/framework/python/bin/python3 mitredb.py -d /var/ossec/var/db/mitre.db
chcon: can't apply partial context to unlabeled file ‘/var/ossec/lib/libjemalloc.so.2’
chcon: can't apply partial context to unlabeled file ‘/var/ossec/lib/librouter.so’
chcon: can't apply partial context to unlabeled file ‘/var/ossec/lib/libcontent_manager.so’
chcon: can't apply partial context to unlabeled file ‘/var/ossec/lib/libvulnerability_scanner.so’
chcon: can't apply partial context to unlabeled file ‘/var/ossec/lib/libindexer_connector.so’
chcon: can't apply partial context to unlabeled file ‘/var/ossec/lib/librocksdb.so.8’
Generating self-signed certificate for wazuh-authd...
- System is Redhat Linux.
- Init script modified to start Wazuh during boot.
Starting Wazuh...
server
2024/01/29 14:52:32 wazuh-modulesd:router: INFO: Loaded router module.
2024/01/29 14:52:32 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Starting Wazuh v4.8.2...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/01/29 14:52:34 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2024/01/29 14:52:37 wazuh-modulesd:router: INFO: Loaded router module.
2024/01/29 14:52:37 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.
- Configuration finished properly.
- To start Wazuh:
/var/ossec/bin/wazuh-control start
- To stop Wazuh:
/var/ossec/bin/wazuh-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using Wazuh.
Please don't hesitate to contact us if you need help or find
any bugs.
Use our public Mailing List at:
https://groups.google.com/forum/#!forum/wazuh
More information can be found at:
- http://www.wazuh.com
--- Press ENTER to finish (maybe more information below). ---
- In order to connect agent and server, you need to add each agent to the server.
More information at:
https://documentation.wazuh.com/
OS information
[root@d2d47bec9906 external]# uname -m
x86_64
[root@d2d47bec9906 external]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
Package information
[root@d2d47bec9906 external]# /var/ossec/framework/python/bin/pip3 show ecdsa
Name: ecdsa
Version: 0.18.0
Summary: ECDSA cryptographic signature library (pure python)
Home-page: http://github.com/tlsfuzzer/python-ecdsa
Author: Brian Warner
Author-email: warner@lothar.com
License: MIT
Location: /var/ossec/framework/python/lib/python3.10/site-packages
Requires: six
Required-by: python-jose
aarch64
Wazuh installation
Successfully installed Cython-0.29.21 Flask-2.2.5 Jinja2-3.0.0 MarkupSafe-2.1.2 PyYAML-5.4.1 SQLAlchemy-2.0.23 Werkzeug-2.2.3 aiohttp-3.9.1 aiohttp-cache-2.2.0 aiohttp-cors-0.7.0 aiohttp-jinja2-1.5.1 aioredis-1.3.1 aiosignal-1.2.0 asn1crypto-1.3.0 async-timeout-4.0.2 attrs-20.3.0 azure-common-1.1.25 azure-storage-blob-2.1.0 azure-storage-common-2.1.0 boto3-1.17.85 botocore-1.20.85 cachetools-4.1.0 certifi-2023.7.22 cffi-1.15.1 chardet-3.0.4 charset-normalizer-2.0.4 click-8.1.3 clickclick-20.10.2 connexion-2.14.2 cryptography-41.0.7 defusedxml-0.6.0 docker-6.0.0 docker-pycreds-0.4.0 docutils-0.15.2 ecdsa-0.18.0 envparse-0.2.0 frozenlist-1.2.0 future-0.18.3 google-api-core-1.30.0 google-auth-1.28.0 google-cloud-core-1.7.1 google-cloud-pubsub-2.7.1 google-cloud-storage-1.39.0 google-crc32c-1.1.2 google-resumable-media-1.3.1 googleapis-common-protos-1.51.0 greenlet-2.0.2 grpc-google-iam-v1-0.12.3 grpcio-1.58.0 hiredis-2.2.3 idna-2.9 importlib-metadata-3.10.1 inflection-0.3.1 itsdangerous-2.0.0 jmespath-0.9.5 jsonschema-2.6.0 libcst-0.3.20 more-itertools-8.2.0 multidict-5.2.0 mypy-extensions-0.4.3 numpy-1.26.0 openapi-spec-validator-0.2.6 packaging-20.9 pathlib-1.0.1 proto-plus-1.19.0 protobuf-3.19.6 psutil-5.9.0 pyarrow-14.0.1 pyasn1-0.4.8 pyasn1-modules-0.2.8 pycparser-2.21 pyparsing-2.4.7 python-dateutil-2.8.1 python-jose-3.1.0 python-json-logger-2.0.2 pytz-2020.1 requests-2.31.0 rsa-4.7.2 s3transfer-0.4.2 secure-0.2.1 six-1.16.0 tabulate-0.8.9 typing-extensions-4.5.0 typing-inspect-0.7.1 urllib3-1.26.18 uvloop-0.17.0 websocket-client-0.57.0 wheel-0.38.4 xmltodict-0.12.0 yarl-1.7.0 zipp-3.3.2
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
cd ../framework && /var/ossec/framework/python/bin/python3 -m pip install . --use-pep517 --prefix=/var/ossec/framework/python && rm -rf build/
Processing /wazuh/framework
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: wazuh
Building wheel for wazuh (pyproject.toml) ... done
Created wheel for wazuh: filename=wazuh-4.8.2-py3-none-any.whl size=296434 sha256=3f2b1608db7add4155cf5d90b504614a128d44b78ee71cefe8a037e80e03c392
Stored in directory: /tmp/pip-ephem-wheel-cache-f1n9ptr0/wheels/fe/47/7c/2c289aea2e8a5cc5ac8936e5cecbbfc0bdd996d57bb70da19a
Successfully built wazuh
Installing collected packages: wazuh
Successfully installed wazuh-4.8.2
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
chown -R root:wazuh /var/ossec/framework/python
chmod -R o=- /var/ossec/framework/python
cd ../api && /var/ossec/framework/python/bin/python3 -m pip install . --use-pep517 --prefix=/var/ossec/framework/python && rm -rf build/
Processing /wazuh/api
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: api
Building wheel for api (pyproject.toml) ... done
Created wheel for api: filename=api-4.8.2-py3-none-any.whl size=160765 sha256=aa2c933bccc70a937ee0c5694a7a2017f0c75dea0087da2fb2f4af2338246d5a
Stored in directory: /tmp/pip-ephem-wheel-cache-93jlwl7a/wheels/2c/ed/d5/5358cdcfa6f68fc41b8ca02118521c75da82e9ec6d16f50822
Successfully built api
Installing collected packages: api
Successfully installed api-4.8.2
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
cd ../tools/mitre && /var/ossec/framework/python/bin/python3 mitredb.py -d /var/ossec/var/db/mitre.db
/usr/bin/chcon: can't apply partial context to unlabeled file '/var/ossec/lib/libjemalloc.so.2'
/usr/bin/chcon: can't apply partial context to unlabeled file '/var/ossec/lib/librouter.so'
/usr/bin/chcon: can't apply partial context to unlabeled file '/var/ossec/lib/libcontent_manager.so'
/usr/bin/chcon: can't apply partial context to unlabeled file '/var/ossec/lib/libvulnerability_scanner.so'
/usr/bin/chcon: can't apply partial context to unlabeled file '/var/ossec/lib/libindexer_connector.so'
/usr/bin/chcon: can't apply partial context to unlabeled file '/var/ossec/lib/librocksdb.so.8'
Generating self-signed certificate for wazuh-authd...
- System is Redhat Linux.
- Init script modified to start Wazuh during boot.
Starting Wazuh...
server
2024/01/29 18:54:14 wazuh-modulesd:router: INFO: Loaded router module.
2024/01/29 18:54:14 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Starting Wazuh v4.8.2...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/01/29 18:54:28 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2024/01/29 18:54:38 wazuh-modulesd:router: INFO: Loaded router module.
2024/01/29 18:54:38 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.
- Configuration finished properly.
- To start Wazuh:
/var/ossec/bin/wazuh-control start
- To stop Wazuh:
/var/ossec/bin/wazuh-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using Wazuh.
Please don't hesitate to contact us if you need help or find
any bugs.
Use our public Mailing List at:
https://groups.google.com/forum/#!forum/wazuh
More information can be found at:
- http://www.wazuh.com
--- Press ENTER to finish (maybe more information below). ---
- In order to connect agent and server, you need to add each agent to the server.
More information at:
https://documentation.wazuh.com/
OS information
[root@9e4da4771bc9 python]# uname -m
aarch64
[root@9e4da4771bc9 python]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (AltArch)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (AltArch)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7:server"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
Package information
[root@9e4da4771bc9 python]# /var/ossec/framework/python/bin/pip3 show ecdsa
Name: ecdsa
Version: 0.18.0
Summary: ECDSA cryptographic signature library (pure python)
Home-page: http://github.com/tlsfuzzer/python-ecdsa
Author: Brian Warner
Author-email: warner@lothar.com
License: MIT
Location: /var/ossec/framework/python/lib/python3.10/site-packages
Requires: six
Required-by: python-jose
Next steps
Issue Update
Vulnerability status
The complete description of the vulnerability was overlooked since it states:
Next steps
We should replace and remove the dependencies for
The package candidate to be used is PyJWT, which
Review
The vulnerability reported by the issue has no fix and the maintainers have no plans to resolve it. I agree with the conclusion of removing these packages and replacing them with a production-ready, security-aware and up-to-date one like PyJWT. LGTM!
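The reasoning in the comments above (ecdsa is present only because python-jose requires it, and because the advisory has no fixed release the remediation is to replace the dependents rather than bump the version) can be automated against the log formats quoted in this issue. The script below is an added example, not Wazuh's code; it parses a "Successfully installed ..." line and a `pip show` block, both constructed samples in the same format as the output above, and reports the affected version, its reverse dependency from `Required-by`, and the remediation the advisory's "no fix" status implies.

```python
"""Audit a pip install log plus `pip show` output for CVE-2024-23342 (ecdsa)."""
import re

# Constructed sample input, in the same format as the logs quoted in the issue.
INSTALL_LOG = ("Successfully installed Cython-0.29.21 ecdsa-0.18.0 "
               "python-jose-3.1.0 rsa-4.7.2 six-1.16.0")
PIP_SHOW_ECDSA = """\
Name: ecdsa
Version: 0.18.0
Summary: ECDSA cryptographic signature library (pure python)
Requires: six
Required-by: python-jose
"""
# CVE-2024-23342 has no planned fix, so no release counts as fixed;
# fixed_version=None encodes that and selects the "replace" remediation.
ADVISORY = {"package": "ecdsa", "fixed_version": None}


def parse_install_line(line):
    """Map 'Successfully installed name-ver name-ver ...' to {name: version}."""
    m = re.search(r"Successfully installed (.*)", line)
    pkgs = {}
    for token in (m.group(1).split() if m else []):
        name, _, ver = token.rpartition("-")  # package names may contain '-'
        pkgs[name.lower()] = ver
    return pkgs


def parse_pip_show(text):
    """Map `pip show` 'Key: value' lines to a dict; list fields become lists."""
    info = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key in ("Requires", "Required-by"):
            info[key] = [v.strip() for v in val.split(",") if v.strip()]
        elif sep:
            info[key] = val.strip()
    return info


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def audit(install_line, pip_show_text, advisory=ADVISORY):
    """Return the finding for advisory['package'] and the remediation to apply."""
    installed = parse_install_line(install_line)
    name, fixed = advisory["package"], advisory["fixed_version"]
    version = installed.get(name)
    if version is None or (fixed and version_tuple(version) >= version_tuple(fixed)):
        return {"affected": False, "version": version, "required_by": [], "action": "none"}
    dependents = parse_pip_show(pip_show_text).get("Required-by", [])
    # No fixed release: pinning a newer ecdsa cannot help, so the packages that
    # pull it in (python-jose here) have to be replaced instead of upgraded.
    action = "upgrade to >= " + fixed if fixed else "replace dependents: " + ", ".join(dependents)
    return {"affected": True, "version": version, "required_by": dependents, "action": action}
```

Running `audit(INSTALL_LOG, PIP_SHOW_ECDSA)` on the sample reports ecdsa 0.18.0 as affected, required by python-jose, with the action "replace dependents: python-jose"; passing an advisory with a real `fixed_version` switches the action to an upgrade.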
Description
During the [Week 4] Framework weekly security scan, it was found that the ecdsa package has a vulnerability. Therefore, it must be upgraded to avoid it.
CVE-2024-23342
Vulnerability description
https://github.com/wazuh/wazuh/security/dependabot/38
python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. Using the ecdsa.SigningKey.sign_digest() API function and timing signatures an attacker can leak the internal nonce which may allow for private key discovery. Both ECDSA signatures, key generation, and ECDH operations are affected. ECDSA signature verification is unaffected. The python-ecdsa project considers side channel attacks out of scope for the project and there is no planned fix.
Weaknesses
Checks
The following elements have been updated or reviewed (should also be checked if no modification is required):
api/test/integration/mapping/_test_mapping.py