Closed sraipurkar closed 1 year ago
@sraipurkar, could you please report the specific vulnerabilities? We might be able to use a different version of vtk and pillow to address this.
For everyone's information regarding the critical vulnerabilities:
I think we should be able to resolve this by either downgrading to an older version or waiting until they fix these issues upstream. I'll keep everyone posted as I dig into this.
There are really only two libraries that we need to worry about:

- zlib < 1.2.12
  - CVE-2022-37434
  - CVE-2018-25032
- libtiff < 4.5.0
  - CVE-2022-3970

Applicable upstream issues for CVE-2022-37434

Applicable upstream issues for CVE-2022-3970
Mitigations

`h5py`
- ~~@seanpearsonuk, is it possible to make h5py optional?~~ False positive. See https://github.com/h5py/h5py/issues/2254

`pillow`
- ~~This can be made optional within pyvista in https://github.com/pyvista/pyvista/issues/4336. I expect this to be resolved soon and out in pyvista==0.39.0 in a week or two.~~ This was resolved in v4.5.0. See https://gitlab.com/libtiff/libtiff/-/issues/551, and also CVE-2022-3970, which states that it's up to and excluding v4.5.0.

`wheel` is not used during runtime, only when building the package. Same with `setuptools` and `pip`. These are all required for initial installation, but do not need to be there for the deployment.

`vtk`
- PyVista automatically imports the TIFF library, but you can actually just delete that DLL in the deployment as soon as https://github.com/pyvista/pyvista/pull/4337 is merged and pyvista==0.39.0 is released.

All in all, I think we can actually resolve this fairly soon provided we can work around `h5py`.
The version of zlib is a build time choice, so the most expedient path will be to install h5py from source (I am assuming it came from pip?) rather than from the wheels.
That would mean you have to provide your own libhdf5 + zlib. https://github.com/h5py/h5py/blob/7893c57e0f12e11a936dd137369ff062eaa9bec5/ci/get_hdf5_win.py is how we build libhdf5 for the wheels and it looks like we pull zlib from nuget https://github.com/h5py/h5py/blob/7893c57e0f12e11a936dd137369ff062eaa9bec5/ci/azure-pipelines-wheels.yml#L26-L32
Per https://github.com/h5py/h5py/issues/2254#issuecomment-1522499010 I think this is a false positive.
Not sure it makes sense to have `h5py` optional. Another strategy would be to move the case reader capability to a new OSS package, `pyfluent-reader` say. This might be more consistent with our goal to keep the core library free of dependencies, which helps avoid issues like this.
> Not sure it makes sense to have `h5py` optional. Another strategy would be to move the case reader capability to a new OSS package, `pyfluent-reader` say. This might be more consistent with our goal to keep the core library free of dependencies, which helps avoid issues like this.

Yes, that seems like a good option.
OK - Can someone confirm that this is how the team will proceed (and what sort of path and timeline is associated)? We need resolutions for customer deployments.
Is that still required, @ansSReuss ? My understanding is that we are OK to include h5py in the core dependencies.
> Is that still required, @ansSReuss ? My understanding is that we are OK to include h5py in the core dependencies.

Because of this?

> Per h5py/h5py#2254 (comment) I think this is a false positive.
Yes, that's right. The hdf5 CVE is a false positive.
The other things will be updated as mentioned by akaszynski.
PyVista v0.39.0 is out. This should address any outstanding OSS vulnerabilities. Let's keep this issue live until we've verified they've been resolved.
@akaszynski should we try to update https://github.com/pyansys/pyfluent-visualization/blob/main/pyproject.toml right now? We currently have `pyvista = ">=0.33.2"` set there.

> @akaszynski should we try to update https://github.com/pyansys/pyfluent-visualization/blob/main/pyproject.toml right now? We currently have `pyvista = ">=0.33.2"` set there.

I'd do it.

FYI, VTK solved the zlib CVE. Please see https://gitlab.kitware.com/vtk/vtk/-/issues/18962

> @akaszynski should we try to update https://github.com/pyansys/pyfluent-visualization/blob/main/pyproject.toml right now? We currently have `pyvista = ">=0.33.2"` set there.
>
> I'd do it.
>
> FYI, VTK solved the zlib CVE. Please see https://gitlab.kitware.com/vtk/vtk/-/issues/18962

@raph-luc, Would you like to take care of it?

@seanpearsonuk

> @raph-luc, Would you like to take care of it?

Sure
Going to keep this issue open as a reminder, until the VTK release with the fix for CVE-2022-37434 is available to update our dependencies
should this not be an issue on the viz repo?
This issue is completely resolved now.
by this it seems: https://github.com/ansys/pyfluent-visualization/pull/263
Thanks @dnwillia @dnwillia-work
I linked it
@seanpearsonuk Sorry I wasn't clear: I was keeping this issue open as a reminder of the VTK zlib vulnerability that hasn't yet made it to a release, this is the commit to VTK that fixed it: https://gitlab.kitware.com/vtk/vtk/-/commit/e0ba55ffcaa82114fbb4441d6e82b3f32c666bd7
In my understanding we still need to update our VTK dependency once that fix makes it to a release there (probably going to be VTK 9.2.7)
I am going to open an issue on the pyfluent-visualization repo to track this, as I agree with @dnwillia that is a better place for it
What about CVE-2021-37501 (https://nvd.nist.gov/vuln/detail/CVE-2021-37501) and CVE-2018-25032 (https://nvd.nist.gov/vuln/detail/CVE-2018-25032) ?
@landon-kanner
As discussed above, CVE-2021-37501 for hdf5 seems to have been a false positive, the link you shared https://nvd.nist.gov/vuln/detail/CVE-2021-37501 also says "This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis".
CVE-2018-25032 is also related to older zlib versions like CVE-2022-37434, and should also be fixed once VTK releases its next version, with our dependencies updated through `pyfluent-visualization`, as currently being tracked here: https://github.com/ansys/pyfluent-visualization/issues/289
Thanks @raph-luc

> As discussed above, CVE-2021-37501 for hdf5 seems to have been a false positive, the link you shared https://nvd.nist.gov/vuln/detail/CVE-2021-37501 also says "This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis".

I see where CVE-2022-37434 is discussed and documented as a false positive, but I don't see anything showing that CVE-2021-37501 is a false positive. Can you share a link please?

> CVE-2018-25032 is also related to older zlib versions like CVE-2022-37434, should also be fixed once VTK releases its next version, with our dependencies updated through `pyfluent-visualization` as currently being tracked here: ansys/pyfluent-visualization#289

Due to CVE-2018-25032, is it fair to say that pyfluent's dependency tree still has known vulnerabilities, at least until VTK releases its next version?

pyfluent does not have known vulnerabilities but pyfluent-visualization does. Best to move the discussion here to that repo: https://github.com/ansys/pyfluent-visualization/issues/289

> I see where CVE-2022-37434 is discussed and documented as a false positive, but I don't see anything showing that CVE-2021-37501 is a false positive. Can you share a link please?

Thank you @landon-kanner, the link you shared read to me like that vulnerability is/was being re-evaluated: "This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis" https://nvd.nist.gov/vuln/detail/CVE-2021-37501, and I did think it was related to the hdf5/h5py CVE already discussed, but it seems like that isn't quite the case, you are right.

> Due to CVE-2018-25032, is it fair to say that pyfluent's dependency tree still has known vulnerabilities, at least until VTK releases its next version?

As @dnwillia said, for CVE-2018-25032, not pyfluent, but pyfluent-visualization. It is a different repository and package, and pyfluent does not always use it.
@dnwillia @seanpearsonuk I think we still need clarification on CVE-2021-37501 which seems to not have been fully addressed yet (it was also originally identified above in the image in https://github.com/ansys/pyfluent/issues/1552#issuecomment-1522274223 but not further discussed). I can confirm we are currently using `h5py`, which on PyPI is compiled against `hdf5` 1.12.2, which seems to be affected and use `h5dump`.

Looks like the solutions would be to build `h5py` from source with a newer `hdf5` version as in https://github.com/ansys/pyfluent/issues/1552#issuecomment-1522465028, or reevaluate/move the case reader functionality to a separate and optional `pyfluent-reader` package as suggested by @dnwillia.
We could create a separate reader package. Does everyone agree to that as the way forward?
Was investigating and I am not yet 100% sure whether our usage is affected by h5dump (this might indeed be a false positive).

Regardless, to avoid future issues like this, rather than separating the reader into a new package, another (I believe less cumbersome) option as previously mentioned would be to make `h5py` an optional dependency, such as in https://setuptools.pypa.io/en/latest/userguide/dependency_management.html#optional-dependencies

Users would then need to install it separately or specify e.g. `pip install pyfluent[h5py]` if they want to make use of `h5py`, and it wouldn't be part of the default `pyfluent` installation. If the user does not install `h5py`, I believe the only difference is that the case reader would not work. Thoughts @seanpearsonuk ?
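One way to implement the optional-dependency approach proposed above, as an added example that is not pyfluent's own code: the extra name `reader`, the `ansys-fluent-core` distribution name used in the hint, and the `read_case_datasets` consumer are assumptions for illustration. The point is that the native libraries shipped with `h5py` (libhdf5, and on Windows its bundled zlib.dll) only enter the process when the case reader is actually called, and a missing extra produces an install hint instead of a bare `ModuleNotFoundError`.

```python
"""Optional-dependency guard for an h5py-backed case reader.

Added example for the discussion in the thread; not pyfluent's own code.
The matching setuptools/PEP 621 extra would be declared in pyproject.toml as:

    [project.optional-dependencies]
    reader = ["h5py>=3.8"]

(extra name and version bound are assumptions, not taken from the project).
"""
import importlib
import importlib.util

DIST_NAME = "ansys-fluent-core"  # distribution name on PyPI (assumption for the hint)


def optional_module(name, extra):
    """Import `name` if it is installed, else raise ImportError naming the extra.

    find_spec() is consulted first so that a genuinely absent package yields the
    install hint, while a package that is present but broken still surfaces its
    own traceback from import_module() rather than a misleading 'not installed'.
    """
    if importlib.util.find_spec(name) is None:
        raise ImportError(
            f"{name!r} is not installed; it is an optional dependency of {DIST_NAME}. "
            f'Install it with: pip install "{DIST_NAME}[{extra}]"'
        )
    return importlib.import_module(name)


def reader_available():
    """True when the optional case reader backend can be imported."""
    return importlib.util.find_spec("h5py") is not None


def read_case_datasets(path):
    """Example consumer: names of the top-level objects in an HDF5 case file.

    h5py is imported lazily here, so merely importing the core package never
    loads libhdf5 or the zlib it was built against.
    """
    h5py = optional_module("h5py", extra="reader")  # raises with hint if absent
    with h5py.File(path, "r") as f:
        return sorted(f.keys())


if __name__ == "__main__":
    print("case reader available:", reader_available())
    try:
        optional_module("module_that_is_not_installed_example", extra="reader")
    except ImportError as exc:
        print(exc)
```

The guard belongs at the call site, not at package import time; a module-level `import h5py` would reintroduce exactly the transitive native dependency the thread is trying to keep out of the default install.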
I found that the symbol h5tools_str_sprint under CVE-2021-37501 is part of a different hdf5_tools.dll which is not installed with h5py. `h5dump` is a command line tool that neither we nor `h5py` seem to use (they only list its usage as part of a single example).
Related to what @mkundu1 found, it seems that `h5dump`, which is part of `hdf5_tools`, is not even installed by default on Windows due to this commit: https://github.com/h5py/h5py/commit/4086ac2518fd8457fc146c3de0a1d3b2df4f7d49
I also don't find the symbol h5tools_str_sprint within a linux installation of h5py/pyfluent.
Thanks @mkundu1, same, also can't find any instance of `dump` nor `tools` on a Linux install.
As far as I can tell CVE-2021-37501 is a false positive on `pyfluent`, going to go ahead and close this issue tracker. Please let us know if anyone has any additional concerns.

For the remaining zlib vulnerabilities CVE-2018-25032 and CVE-2022-37434, they do not affect `pyfluent` and are being tracked here for `pyfluent-visualization`: https://github.com/ansys/pyfluent-visualization/issues/289
As @landon-kanner identified, it seems that https://nvd.nist.gov/vuln/detail/CVE-2018-25032 is not only an issue for older VTK versions, but also for the current `h5py` release.

On Windows, a current pyfluent install ends up with `Lib\site-packages\h5py\zlib.dll` that is `zlib` version 1.2.11 and affected by this vulnerability. This is not an issue on Linux. See also https://github.com/h5py/h5py/issues/2261.

This could still be a false positive as I believe we are only using decompression to read files, and not compression/deflation.

Regardless, the changes proposed in https://github.com/ansys/pyfluent/issues/2096 (to support Python 3.12) should already work around this vulnerability, as the `h5py` dependency will then be moved to an optional separate package, and won't affect the pyfluent core package anymore.

Edit: As a short term solution, we can make `h5py` optional in PyFluent and not installed by default as mentioned in https://github.com/ansys/pyfluent/issues/1552#issuecomment-1654059912
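The two checks performed by hand in the comments above (searching the shipped binaries for the `h5tools_str_sprint` symbol, and working out which zlib version a wheel's `zlib.dll` actually is) can be done offline from a plain Python scan of site-packages. The following is an added example for this thread, not code from pyfluent, h5py or VTK. It relies on the fact that zlib's inflate.c and deflate.c embed a copyright string containing the version (for instance " inflate 1.2.11 Copyright 1995-2017 Mark Adler "), which survives in zlib.dll, libz.so and in any extension that statically links zlib; the fixed-in versions it uses (1.2.12 for CVE-2018-25032, 1.2.13 for CVE-2022-37434) come from upstream zlib release history, not from this thread. The sample blob is constructed. The scan reports presence only; it says nothing about reachability, which is the separate "we only decompress" question raised above.

```python
"""Inventory vendored native libraries for embedded zlib versions and symbol names.

Added example for the ansys/pyfluent discussion; not project code.
Assumptions: zlib builds keep their standard inflate/deflate copyright strings,
and exported names are stored NUL-terminated (true for PE export tables and ELF .dynstr).
"""
import re
import sys
import sysconfig
from pathlib import Path

# Version may have 2 to 4 components (1.3, 1.2.13, 1.2.11.1).
_ZLIB_VERSION_RE = re.compile(rb"(?:inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright")

# First zlib release containing the fix for each CVE raised in the thread.
ZLIB_FIXED_IN = {
    "CVE-2018-25032": (1, 2, 12),  # deflate() memory corruption
    "CVE-2022-37434": (1, 2, 13),  # inflate() heap overflow via gzip header extra field
}

NATIVE_SUFFIXES = (".dll", ".pyd", ".so", ".dylib")

# Constructed stand-in for a wheel's zlib.dll / hdf5 tools library; not a real file.
SAMPLE_BLOB = (
    b"MZ\x00\x00 inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00"
    b" deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler \x00"
    b"H5Fopen\x00h5tools_str_sprint\x00"
)


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def zlib_versions_in(blob):
    """All distinct zlib version strings embedded in a binary blob."""
    return {m.group(1).decode("ascii") for m in _ZLIB_VERSION_RE.finditer(blob)}


def affected_cves(version):
    """CVEs from ZLIB_FIXED_IN whose fix landed after `version`."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in ZLIB_FIXED_IN.items() if v < fixed)


def has_symbol(blob, symbol):
    """NUL-bounded search for a symbol name. Cannot distinguish an export from
    an import reference, so treat a hit as 'worth a closer look', not proof."""
    needle = b"\x00" + symbol.encode("ascii") + b"\x00"
    return needle in blob


def inspect_blob(blob, symbol=None):
    """Findings for one binary as [(description, [unfixed CVEs]), ...]."""
    findings = [("zlib " + v, affected_cves(v)) for v in sorted(zlib_versions_in(blob))]
    if symbol and has_symbol(blob, symbol):
        findings.append(("symbol " + symbol, []))
    return findings


def is_native_lib(path):
    name = path.name.lower()
    return name.endswith(NATIVE_SUFFIXES) or ".so." in name  # libz.so.1, libhdf5.so.200


def scan_tree(root, symbol=None):
    """Walk `root` (typically site-packages) and inspect every native library."""
    results = []
    for path in root.rglob("*"):
        if path.is_file() and is_native_lib(path):
            for what, cves in inspect_blob(path.read_bytes(), symbol):
                results.append((str(path), what, cves))
    return results


if __name__ == "__main__":
    # With no argument, demonstrate on the constructed sample; otherwise scan a tree.
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])
    else:
        print("sample:", inspect_blob(SAMPLE_BLOB, "h5tools_str_sprint"))
        root = Path(sysconfig.get_paths()["purelib"])
    for path, what, cves in scan_tree(root, symbol="h5tools_str_sprint"):
        print(f"{path}: {what} {', '.join(cves) if cves else 'ok'}")
```

Run it against a deployment's `Lib\site-packages` (or a Linux `site-packages`) to get a per-file list of bundled zlib versions and whether the hdf5 tools symbol is present anywhere; a finding of `zlib 1.2.11` in `h5py\zlib.dll` reproduces the observation above, while an empty symbol result matches what @mkundu1 reported. Pair the output with the thread's reachability argument before treating any entry as exploitable.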
Confirmed as resolved with @landon-kanner, for PyFluent version 0.18.1 and above
🐞 Description
We ran an OSS scan for one of the solutions in which we are using the ansys-fluent-core and ansys-fluent-visualization packages. In the scan report we found some critical and high vulnerabilities. A detailed vulnerability report has been attached.
Report Summary:
1. ansys-fluent-core --> Critical: 1 & High: 2
   - ansys-fluent-core
     - h5py (vulnerabilities)
   - ansys-fluent-visualization
     - pyvista
       - pillow (vulnerabilities)
       - vtk (vulnerabilities)
📝 Steps to reproduce
Scan all the dependencies used in the ansys-fluent-core and ansys-fluent-visualization packages using OSS scanning software (Revenera | Code Insight).
💻 Which operating system are you using?
Windows
📀 Which ANSYS version are you using?
ansys-fluent-core == 0.12.5 ansys-fluent-visualization == 0.6.0
🐍 Which Python version are you using?
3.8
📦 Installed packages