Closed x448 closed 4 years ago
We should switch CBOR library to fix this issue per this issue on Device SDK https://github.com/edgexfoundry/device-sdk-go/issues/471
Fix should also include updating to latest go-mod-core-contracts for this PR https://github.com/edgexfoundry/go-mod-core-contracts/pull/233
Related PR on swapping the CBOR module used: https://github.com/edgexfoundry/edgex-go/pull/2490
Brian McGinn from Intel will be working on this issue.
Decoding 9-10 bytes of malformed CBOR data can exhaust memory and cause:
🔥 Error (fatal error: out of memory)
Only 1 decode attempt of 9 bytes is required to exhaust memory.
cc @lenny-intel @rsdmike
Relevant Code
internal/runtime/runtime.go
For info about CBOR and security, see Section 8 of RFC 7049 (Security Considerations).
For more comparisons, see fxamacker/cbor.
Description and Minimal Reproduction
In October 2013, RFC 7049 (CBOR) Section 8 (Security Considerations) warned that malformed CBOR data can be used to exhaust system resources.
In September 2019, oasislabs/oasis-core discovered tiny CBOR data could exhaust memory so they switched to a more secure and maintainable CBOR library.
In February 2020, smartcontractkit/chainlink found and fixed CBOR security issue(s) in a GitHub PR titled "Switch to more secure CBOR library".
Both projects were using the same CBOR library (ugorji/go) as edgexfoundry/app-functions-sdk-go.
To reproduce, decode 9-byte or 10-byte malformed CBOR data described in Section 8 of RFC 7049.
Examples of malformed CBOR data that can exhaust memory can be found on GitHub since September 2019 (or possibly earlier if you look beyond Go projects).
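The failure mode this issue describes is a decoder that trusts the length declared in a CBOR item header and allocates that much memory before checking how many input bytes actually exist. The following is an added example, not code from this repository or from any of the CBOR libraries mentioned above: a minimal decoder for one definite-length CBOR byte string (RFC 7049 major type 2) that applies the mitigation RFC 7049 Section 8 calls for, refusing any declared length that exceeds the remaining input before allocating anything. The two inputs are constructed for the demonstration; `readHeader`, `DecodeByteString` and `ErrLengthExceedsInput` are names chosen here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrLengthExceedsInput is returned when a CBOR header declares more
// payload bytes than the input actually contains.
var ErrLengthExceedsInput = errors.New("cbor: declared length exceeds remaining input")

// readHeader parses the initial byte and the additional-information
// argument of one CBOR data item (RFC 7049 Section 2). It returns the
// major type, the argument value, and the number of header bytes consumed.
func readHeader(b []byte) (major byte, arg uint64, n int, err error) {
	if len(b) == 0 {
		return 0, 0, 0, errors.New("cbor: unexpected end of input")
	}
	major = b[0] >> 5
	ai := b[0] & 0x1f
	switch {
	case ai < 24:
		// Argument is encoded directly in the initial byte.
		return major, uint64(ai), 1, nil
	case ai == 24:
		n = 2 // 1-byte argument follows
	case ai == 25:
		n = 3 // 2-byte argument follows
	case ai == 26:
		n = 5 // 4-byte argument follows
	case ai == 27:
		n = 9 // 8-byte argument follows
	default:
		return 0, 0, 0, fmt.Errorf("cbor: unsupported additional info %d", ai)
	}
	if len(b) < n {
		return 0, 0, 0, errors.New("cbor: truncated header")
	}
	switch n {
	case 2:
		arg = uint64(b[1])
	case 3:
		arg = uint64(binary.BigEndian.Uint16(b[1:3]))
	case 5:
		arg = uint64(binary.BigEndian.Uint32(b[1:5]))
	case 9:
		arg = binary.BigEndian.Uint64(b[1:9])
	}
	return major, arg, n, nil
}

// DecodeByteString decodes a single definite-length CBOR byte string.
// A naive decoder allocates `arg` bytes as soon as it reads the header;
// this one first bounds the declared length by the bytes that remain,
// so a tiny header claiming a huge length never reaches make().
func DecodeByteString(b []byte) ([]byte, error) {
	major, arg, n, err := readHeader(b)
	if err != nil {
		return nil, err
	}
	if major != 2 {
		return nil, fmt.Errorf("cbor: expected byte string, got major type %d", major)
	}
	remaining := uint64(len(b) - n)
	if arg > remaining {
		// The mitigation: reject before allocating, since the input cannot
		// possibly contain the payload the header promises.
		return nil, ErrLengthExceedsInput
	}
	out := make([]byte, arg)
	copy(out, b[n:n+int(arg)])
	return out, nil
}

func main() {
	// Constructed well-formed input: a 3-byte byte string "abc".
	good := []byte{0x43, 'a', 'b', 'c'}
	v, err := DecodeByteString(good)
	fmt.Printf("%q %v\n", v, err)

	// Constructed malformed input: a 9-byte header whose 64-bit length
	// argument is far larger than the (empty) payload that follows,
	// the pattern RFC 7049 Section 8 warns about.
	bad := []byte{0x5b, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}
	_, err = DecodeByteString(bad)
	fmt.Println(err)
}
```

The same bound applies to arrays and maps: a decoder should never pre-size a container from the declared element count alone, because each element needs at least one input byte, so a count larger than the remaining input is malformed by construction. Production libraries add a configurable absolute cap on top of this check.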