h2oai / wave

Realtime Web Apps and Dashboards for Python and R
https://wave.h2o.ai
Apache License 2.0

Resolve High Severity Vulnerabilities #2294

Closed codyharris-h2o-ai closed 2 months ago

codyharris-h2o-ai commented 3 months ago

Hello! As part of our ongoing efforts to ensure the security of our products, one or more vulnerabilities requiring remediation have been identified.

| Vulnerability | Severity | Image | Package | Description |
| --- | --- | --- | --- | --- |
| CVE-2020-29652 | high | us-docker.pkg.dev/vorvan/dev/h2oai-wave-canary312:latest | golang.org/x/crypto:v0.0.0-20201012173705-84dcc777aaee | A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remo[...] |
| CVE-2021-33194 | high | us-docker.pkg.dev/vorvan/dev/h2oai-wave-canary312:latest | golang.org/x/net:v0.0.0-20200822124328-c89045814202 | golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via cra[...] |
| CVE-2021-43565 | high | us-docker.pkg.dev/vorvan/dev/h2oai-wave-canary312:latest | golang.org/x/crypto:v0.0.0-20201012173705-84dcc777aaee | The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH serv[...] |
| CVE-2022-27191 | high | us-docker.pkg.dev/vorvan/dev/h2oai-wave-canary312:latest | golang.org/x/crypto:v0.0.0-20201012173705-84dcc777aaee | The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in cert[...] |
| CVE-2022-27664 | high | us-docker.pkg.dev/vorvan/dev/h2oai-wave-canary312:latest | golang.org/x/net:v0.0.0-20200822124328-c89045814202 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection c[...] |
| CVE-2022-41723 | high | us-docker.pkg.dev/vorvan/dev/h2oai-wave-canary312:latest | golang.org/x/net:v0.0.0-20200822124328-c89045814202 | A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of [...] |
| CVE-2023-39325 | high | us-docker.pkg.dev/vorvan/dev/h2oai-wave-canary312:latest | golang.org/x/net:v0.0.0-20200822124328-c89045814202 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consump[...] |
| CVE-2023-44487 | high | us-docker.pkg.dev/vorvan/dev/h2oai-wave-canary312:latest | golang.org/x/net:v0.0.0-20200822124328-c89045814202 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams[...] |

To resolve this, we recommend the following approach:

  1. Install trivy (https://aquasecurity.github.io/trivy)
  2. Scan the current version of the image using a command like trivy image --scanners vuln --severity CRITICAL,HIGH --timeout 60m [...image address...]
  3. Validate that the CVEs are detected using trivy. The provided scans were taken using a different scanner (ECR), so the first step should be to validate that trivy can see them as well.
  4. Iterate to resolve the vulnerabilities. Trivy enables you to scan images without pushing them, so it should help in finding the resolution.
  5. Test and publish the fix version, and let us know where we can find the fixed image(s) so we can validate the fixes on our side as well.

Note that we disregard the severity levels assigned by various tools and operate solely on CVSS in line with NIST guidelines. Also note that this scan was performed by ECR, so the results will likely be different. In our experience, Trivy produces more results than ECR or Prisma.


I noticed several vulnerabilities showing up attributed to Wave in downstream projects, and built the following simple Dockerfile that I could use to perform scanning:

# Build stage: unprivileged user, h2o-wave installed into a venv
FROM python:3.12-slim AS BUILD

RUN useradd -rm -d /home/wave -s /bin/bash -g root -G sudo -u 1001 wave
USER wave
WORKDIR /home/wave
RUN python -m venv venv
COPY requirements.txt .
RUN venv/bin/pip install -r requirements.txt

# Runtime stage: distroless base carrying only the venv (including the waved binary), so the scan sees nothing but what the wheel ships
FROM gcr.io/distroless/static AS runtime

COPY --from=BUILD /home/wave /home/wave

requirements.txt:

h2o-wave

The listed vulnerabilities are picked up in the waved binary at /home/wave/venv/waved.

The output of the pip install is as follows:

#12 [build 6/6] RUN venv/bin/pip install -r requirements.txt
#12 1.112 Collecting h2o-wave (from -r requirements.txt (line 2))
#12 1.315   Downloading h2o_wave-1.1.1-py3-none-manylinux1_x86_64.whl.metadata (2.9 kB)
#12 1.425 Collecting click (from h2o-wave->-r requirements.txt (line 2))
#12 1.475   Downloading click-8.1.7-py3-none-any.whl.metadata (3.0 kB)
#12 1.593 Collecting httpx>=0.16.1 (from h2o-wave->-r requirements.txt (line 2))
#12 1.651   Downloading httpx-0.27.0-py3-none-any.whl.metadata (7.2 kB)
#12 1.958 Collecting inquirer (from h2o-wave->-r requirements.txt (line 2))
#12 2.015   Downloading inquirer-3.2.4-py3-none-any.whl.metadata (6.8 kB)
#12 2.188 Collecting starlette>=0.13.8 (from h2o-wave->-r requirements.txt (line 2))
#12 2.235   Downloading starlette-0.37.2-py3-none-any.whl.metadata (5.9 kB)
#12 2.394 Collecting uvicorn>=0.17.6 (from h2o-wave->-r requirements.txt (line 2))
#12 2.443   Downloading uvicorn-0.29.0-py3-none-any.whl.metadata (6.3 kB)
#12 2.558 Collecting anyio (from httpx>=0.16.1->h2o-wave->-r requirements.txt (line 2))
#12 2.607   Downloading anyio-4.3.0-py3-none-any.whl.metadata (4.6 kB)
#12 2.724 Collecting certifi (from httpx>=0.16.1->h2o-wave->-r requirements.txt (line 2))
#12 2.783   Downloading certifi-2024.2.2-py3-none-any.whl.metadata (2.2 kB)
#12 2.913 Collecting httpcore==1.* (from httpx>=0.16.1->h2o-wave->-r requirements.txt (line 2))
#12 2.979   Downloading httpcore-1.0.4-py3-none-any.whl.metadata (20 kB)
#12 3.079 Collecting idna (from httpx>=0.16.1->h2o-wave->-r requirements.txt (line 2))
#12 3.134   Downloading idna-3.6-py3-none-any.whl.metadata (9.9 kB)
#12 3.207 Collecting sniffio (from httpx>=0.16.1->h2o-wave->-r requirements.txt (line 2))
#12 3.263   Downloading sniffio-1.3.1-py3-none-any.whl.metadata (3.9 kB)
#12 3.345 Collecting h11<0.15,>=0.13 (from httpcore==1.*->httpx>=0.16.1->h2o-wave->-r requirements.txt (line 2))
#12 3.407   Downloading h11-0.14.0-py3-none-any.whl.metadata (8.2 kB)
#12 3.534 Collecting blessed>=1.19.0 (from inquirer->h2o-wave->-r requirements.txt (line 2))
#12 3.591   Downloading blessed-1.20.0-py2.py3-none-any.whl.metadata (13 kB)
#12 3.707 Collecting editor>=1.6.0 (from inquirer->h2o-wave->-r requirements.txt (line 2))
#12 3.755   Downloading editor-1.6.6-py3-none-any.whl.metadata (2.3 kB)
#12 4.229 Collecting readchar>=3.0.6 (from inquirer->h2o-wave->-r requirements.txt (line 2))
#12 4.302   Downloading readchar-4.0.6-py3-none-any.whl.metadata (6.2 kB)
#12 4.493 Collecting wcwidth>=0.1.4 (from blessed>=1.19.0->inquirer->h2o-wave->-r requirements.txt (line 2))
#12 4.562   Downloading wcwidth-0.2.13-py2.py3-none-any.whl.metadata (14 kB)
#12 4.679 Collecting six>=1.9.0 (from blessed>=1.19.0->inquirer->h2o-wave->-r requirements.txt (line 2))
#12 4.742   Downloading six-1.16.0-py2.py3-none-any.whl.metadata (1.8 kB)
#12 4.844 Collecting runs (from editor>=1.6.0->inquirer->h2o-wave->-r requirements.txt (line 2))
#12 4.910   Downloading runs-1.2.2-py3-none-any.whl.metadata (10 kB)
#12 5.032 Collecting xmod (from editor>=1.6.0->inquirer->h2o-wave->-r requirements.txt (line 2))
#12 5.082   Downloading xmod-1.8.1-py3-none-any.whl.metadata (1.8 kB)
#12 5.718 Collecting setuptools>=41.0 (from readchar>=3.0.6->inquirer->h2o-wave->-r requirements.txt (line 2))
#12 5.779   Downloading setuptools-69.2.0-py3-none-any.whl.metadata (6.3 kB)
#12 5.914 Downloading h2o_wave-1.1.1-py3-none-manylinux1_x86_64.whl (12.1 MB)
#12 12.34    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 12.1/12.1 MB 1.9 MB/s eta 0:00:00
#12 12.39 Downloading httpx-0.27.0-py3-none-any.whl (75 kB)
#12 12.50    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 75.6/75.6 kB 700.9 kB/s eta 0:00:00
#12 12.55 Downloading httpcore-1.0.4-py3-none-any.whl (77 kB)
#12 12.66    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 77.8/77.8 kB 694.6 kB/s eta 0:00:00
#12 12.72 Downloading starlette-0.37.2-py3-none-any.whl (71 kB)
#12 12.81    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 71.9/71.9 kB 756.8 kB/s eta 0:00:00
#12 12.87 Downloading uvicorn-0.29.0-py3-none-any.whl (60 kB)
#12 12.96    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 60.8/60.8 kB 690.9 kB/s eta 0:00:00
#12 13.14 Downloading click-8.1.7-py3-none-any.whl (97 kB)
#12 13.22    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 97.9/97.9 kB 1.2 MB/s eta 0:00:00
#12 13.27 Downloading inquirer-3.2.4-py3-none-any.whl (18 kB)
#12 13.36 Downloading anyio-4.3.0-py3-none-any.whl (85 kB)
#12 13.64    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 85.6/85.6 kB 287.8 kB/s eta 0:00:00
#12 13.70 Downloading blessed-1.20.0-py2.py3-none-any.whl (58 kB)
#12 13.90    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 58.4/58.4 kB 330.7 kB/s eta 0:00:00
#12 13.95 Downloading editor-1.6.6-py3-none-any.whl (4.0 kB)
#12 14.02 Downloading h11-0.14.0-py3-none-any.whl (58 kB)
#12 14.18    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 58.3/58.3 kB 396.3 kB/s eta 0:00:00
#12 14.22 Downloading idna-3.6-py3-none-any.whl (61 kB)
#12 14.35    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 61.6/61.6 kB 506.4 kB/s eta 0:00:00
#12 14.40 Downloading readchar-4.0.6-py3-none-any.whl (8.5 kB)
#12 14.48 Downloading sniffio-1.3.1-py3-none-any.whl (10 kB)
#12 14.57 Downloading certifi-2024.2.2-py3-none-any.whl (163 kB)
#12 14.93    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 163.8/163.8 kB 444.5 kB/s eta 0:00:00
#12 15.00 Downloading setuptools-69.2.0-py3-none-any.whl (821 kB)
#12 17.31    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 821.5/821.5 kB 368.4 kB/s eta 0:00:00
#12 17.36 Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
#12 17.42 Downloading wcwidth-0.2.13-py2.py3-none-any.whl (34 kB)
#12 17.52 Downloading runs-1.2.2-py3-none-any.whl (7.0 kB)
#12 17.58 Downloading xmod-1.8.1-py3-none-any.whl (4.6 kB)
#12 17.70 Installing collected packages: wcwidth, xmod, sniffio, six, setuptools, idna, h11, click, certifi, uvicorn, runs, readchar, httpcore, blessed, anyio, starlette, httpx, editor, inquirer, h2o-wave
#12 19.11 Successfully installed anyio-4.3.0 blessed-1.20.0 certifi-2024.2.2 click-8.1.7 editor-1.6.6 h11-0.14.0 h2o-wave-1.1.1 httpcore-1.0.4 httpx-0.27.0 idna-3.6 inquirer-3.2.4 readchar-4.0.6 runs-1.2.2 setuptools-69.2.0 six-1.16.0 sniffio-1.3.1 starlette-0.37.2 uvicorn-0.29.0 wcwidth-0.2.13 xmod-1.8.1
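A checker for step 3 of the recommended approach and for the "CVSS, not tool severity" note, added here as an example and not code from the Wave project or the commenter: it reads a trivy JSON report, keeps findings by NVD CVSS v3 score rather than the scanner's severity label, and reports which of the listed CVEs trivy confirms and which fixed versions each Go module has to reach. The report below is a constructed sample in the layout I know from trivy's schema version 2 output (field names such as `Results`, `Vulnerabilities`, `FixedVersion`, `CVSS.nvd.V3Score` are my assumption), with one placeholder finding that is not a real CVE.

```python
import json

# CVE IDs from the ECR scan in the issue, all attributed to the waved Go binary.
ISSUE_CVES = {
    "CVE-2020-29652", "CVE-2021-33194", "CVE-2021-43565", "CVE-2022-27191",
    "CVE-2022-27664", "CVE-2022-41723", "CVE-2023-39325", "CVE-2023-44487",
}

# Constructed sample in `trivy image -f json` (schema 2) layout, not a real scan.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [{
        "Target": "home/wave/venv/waved", "Class": "lang-pkgs", "Type": "gobinary",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-44487", "PkgName": "golang.org/x/net",
             "InstalledVersion": "v0.0.0-20200822124328-c89045814202", "FixedVersion": "0.17.0",
             "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.5}}},
            {"VulnerabilityID": "CVE-2021-43565", "PkgName": "golang.org/x/crypto",
             "InstalledVersion": "v0.0.0-20201012173705-84dcc777aaee",
             "FixedVersion": "0.0.0-20211202192323-5770296d904e",
             "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.5}}},
            {"VulnerabilityID": "CVE-XXXX-PLACEHOLDER", "PkgName": "golang.org/x/text",
             "InstalledVersion": "v0.3.3", "FixedVersion": "v0.3.8",
             "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 5.3}}},
        ],
    }],
})

def findings(report_json, min_cvss=7.0):
    """Map CVE id -> (package, installed, fixed) for findings at or above the NVD CVSS v3
    cutoff; the scanner's Severity label is a fallback only when no NVD score is present."""
    out = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            score = v.get("CVSS", {}).get("nvd", {}).get("V3Score")
            keep = v.get("Severity") in ("HIGH", "CRITICAL") if score is None else score >= min_cvss
            if keep:
                out[v["VulnerabilityID"]] = (v["PkgName"], v["InstalledVersion"], v.get("FixedVersion", ""))
    return out

def validate(report_json, expected=ISSUE_CVES):
    """Step 3 of the issue: which expected CVEs trivy confirms and which it does not see,
    plus the fixed version(s) per package that step 4 has to reach."""
    seen = findings(report_json)
    confirmed, missing = sorted(expected & set(seen)), sorted(expected - set(seen))
    needed = {}
    for cve in confirmed:
        pkg, _installed, fixed = seen[cve]
        needed.setdefault(pkg, set()).add(fixed)
    return confirmed, missing, needed
```

Run it against a real report with `validate(open("report.json").read())`; a non-empty `missing` list after rebuilding the image means trivy does not see those CVEs and they need a second look rather than being marked resolved.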