search

dhiaayachi / temporal

Temporal service
https://docs.temporal.io
MIT License
0 stars 0 forks source link

Addressing a lot of security vulnerabilities in the latest Temporal server release 1.23.0 #160

Open dhiaayachi opened 3 months ago

dhiaayachi commented 3 months ago

Expected Behavior

There is no CVE found in the temporalio/server image.

Actual Behavior

There are 27 vulnerabilities found for image temporalio/server:1.23.0, including 5 high, 19 medium and 3 low CVEs.

Scan results:

Scan results for: image temporalio/server:1.23.0 sha256:5ace4dfce78a30f760d9a0550dceef17e47fac11374e83d85a2762cde767ea41
Vulnerabilities
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                                   PACKAGE                                   |                VERSION                |             STATUS              | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-47108   | high     | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.36.4                               | fixed in 0.46.0                 | > 5 months | < 1 hour   | OpenTelemetry-Go Contrib is a collection of        |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | third-party packages for OpenTelemetry-Go.         |
|                  |          |      |                                                                             |                                       |                                 |            |            | Prior to version 0.46.0, the grpc Unary Server     |
|                  |          |      |                                                                             |                                       |                                 |            |            | Interceptor out ...                                |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-47108   | high     | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.42.0                               | fixed in 0.46.0                 | > 5 months | < 1 hour   | OpenTelemetry-Go Contrib is a collection of        |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | third-party packages for OpenTelemetry-Go.         |
|                  |          |      |                                                                             |                                       |                                 |            |            | Prior to version 0.46.0, the grpc Unary Server     |
|                  |          |      |                                                                             |                                       |                                 |            |            | Interceptor out ...                                |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-39325   | high     | 7.50 | golang.org/x/net/http2                                                      | v0.7.0                                | fixed in 0.17.0                 | > 6 months | < 1 hour   | A malicious HTTP/2 client which rapidly creates    |
|                  |          |      |                                                                             |                                       | 51 days ago                     |            |            | requests and immediately resets them can cause     |
|                  |          |      |                                                                             |                                       |                                 |            |            | excessive server resource consumption. While the   |
|                  |          |      |                                                                             |                                       |                                 |            |            | total ...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | golang.org/x/net                                                            | v0.7.0                                | fixed in 0.17.0                 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 6 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | google.golang.org/grpc                                                      | v1.53.0                               | fixed in 1.58.3, 1.57.1, 1.56.3 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus                                                  | v1.9.0                                | fixed in v1.9.3                 | > 1 years  | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                                                             |                                       | > 1 years ago                   |            |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                                                             |                                       |                                 |            |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                                                             |                                       |                                 |            |            | without new...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                                                                        | 1.3.1-r0                              |                                 | > 3 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                  |          |      |                                                                             |                                       |                                 |            |            | to be vulnerable to memory corruption issues       |
|                  |          |      |                                                                             |                                       |                                 |            |            | affecting the deflation algorithm implementation   |
|                  |          |      |                                                                             |                                       |                                 |            |            | (deflate.c)...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                  |          |      |                                                                             |                                       |                                 |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                  |          |      |                                                                             |                                       |                                 |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                  |          |      |                                                                             |                                       |                                 |            |            | awk.c copyvar function.                            |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                  |          |      |                                                                             |                                       |                                 |            |            | allows attackers to cause a denial of service      |
|                  |          |      |                                                                             |                                       |                                 |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                  |          |      |                                                                             |                                       |                                 |            |            | funct...                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                  |          |      |                                                                             |                                       |                                 |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                  |          |      |                                                                             |                                       |                                 |            |            | BusyBox v.1.36.1.                                  |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2435    | moderate | 4.30 | github.com/temporalio/ui-server/v2                                          | v2.21.3                               | fixed in 2.25.0                 | 14 days    | < 1 hour   | For an attacker with pre-existing access to send   |
|                  |          |      |                                                                             |                                       | 14 days ago                     |            |            | a signal to a workflow, the attacker can make the  |
|                  |          |      |                                                                             |                                       |                                 |            |            | signal name a script that executes when a victim   |
|                  |          |      |                                                                             |                                       |                                 |            |            | vi...                                              |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-28180   | moderate | 0.00 | gopkg.in/square/go-jose.v2                                                  | v2.6.0                                | fixed in                        | 39 days    | < 1 hour   | Package jose aims to provide an implementation     |
|                  |          |      |                                                                             |                                       | 32 days ago                     |            |            | of the Javascript Object Signing and Encryption    |
|                  |          |      |                                                                             |                                       |                                 |            |            | set of standards. An attacker could send a JWE     |
|                  |          |      |                                                                             |                                       |                                 |            |            | containi...                                        |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/internal/sanitize                                   | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/pgproto3                                            | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/pgconn                                              | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json                           | v1.31.0                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson                               | v1.31.0                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json                           | v1.28.1                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson                               | v1.28.1                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.22.0                               | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | net/http                                                                    | 1.22.1                                | fixed in 1.21.9, 1.22.2         | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.7.0                                | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.18.0                               | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-3485    | low      | 3.00 | go.temporal.io/server                                                       | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0                 | > 9 months | < 1 hour   | Insecure defaults in open-source Temporal Server   |
|                  |          |      |                                                                             |                                       | > 9 months ago                  |            |            | before version 1.20 on all platforms allows an     |
|                  |          |      |                                                                             |                                       |                                 |            |            | attacker to craft a task token with access to a    |
|                  |          |      |                                                                             |                                       |                                 |            |            | namesp...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-25629   | low      | 0.00 | c-ares                                                                      | 1.24.0-r1                             | fixed in 1.27.0-r0              | 53 days    | < 1 hour   | c-ares is a C library for asynchronous DNS         |
|                  |          |      |                                                                             |                                       | 22 days ago                     |            |            | requests. `ares__read_line()` is used to           |
|                  |          |      |                                                                             |                                       |                                 |            |            | parse local configuration files such as            |
|                  |          |      |                                                                             |                                       |                                 |            |            | `/etc/resolv.conf`, `/etc/...                      |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511    | low      | 0.00 | openssl                                                                     | 3.1.4-r5                              | fixed in 3.1.4-r6               | n/a        | < 1 hour   | Issue summary: Some non-default TLS server         |
|                  |          |      |                                                                             |                                       | 7 days ago                      |            |            | configurations can cause unbounded memory growth   |
|                  |          |      |                                                                             |                                       |                                 |            |            | when processing TLSv1.3 sessions  Impact summary:  |
|                  |          |      |                                                                             |                                       |                                 |            |            | An attac...                                        |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image temporalio/server:1.23.0: total - 27, critical - 0, high - 5, medium - 19, low - 3
Vulnerability threshold check results: PASS

Compliance found for image temporalio/server:1.23.0: total - 0, critical - 0, high - 0, medium - 0, low - 0
Compliance threshold check results: PASS

Steps to Reproduce the Problem

  1. Pull the latest image temporalio/server:1.23.0 from Dockerhub
  2. Scan the image with any vulnerability scanner

Specifications

dhiaayachi commented 2 months ago

Thank you for reporting this. The Temporal Server image is known to contain vulnerabilities, and we are actively working on addressing these issues in future releases.

The vulnerabilities discovered are not directly related to Temporal core functionality, but rather stem from dependencies used by the server.

For more information on the vulnerabilities and mitigations, please see the vulnerability disclosure policy on our Knowledge Base.

You can also track the progress of fixes by subscribing to the Temporal Server release notes.