h2oai / wave

Realtime Web Apps and Dashboards for Python and R
https://wave.h2o.ai
Apache License 2.0
3.9k stars 323 forks

Resolve Vulnerabilities in Wave Tour Image #2296

Closed codyharris-h2o-ai closed 2 months ago

codyharris-h2o-ai commented 3 months ago

Hello! As part of our ongoing effort to ensure the security of our products, one or more vulnerabilities requiring remediation have been identified.

The following vulnerabilities were scanned and found by using ECR. ECR scans are used in conjunction with Prisma scans to ensure we meet a high standard for software security. We have suggestions on tooling to help improve the remediation process, following the vulnerability table below. Note that we disregard the severity levels assigned by various tools and operate solely on CVSS to severity mapping in line with NIST guidelines.

| Vulnerability | Severity | Image | Package | Description |
|---|---|---|---|---|
| CVE-2023-28531 | critical | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | openssh:9.2p1 | ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earlies[...] |
| CVE-2020-29652 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | golang.org/x/crypto:v0.0.0-20201012173705-84dcc777aaee | A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remo[...] |
| CVE-2021-33194 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | golang.org/x/net:v0.0.0-20200822124328-c89045814202 | golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via cra[...] |
| CVE-2021-3610 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | imagemagick:6.9.11.60+dfsg | A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/[...] |
| CVE-2021-43565 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | golang.org/x/crypto:v0.0.0-20201012173705-84dcc777aaee | The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH serv[...] |
| CVE-2022-27191 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | golang.org/x/crypto:v0.0.0-20201012173705-84dcc777aaee | The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in cert[...] |
| CVE-2022-27664 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | golang.org/x/net:v0.0.0-20200822124328-c89045814202 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection c[...] |
| CVE-2022-41723 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | golang.org/x/net:v0.0.0-20200822124328-c89045814202 | A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of [...] |
| CVE-2023-27103 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | libde265:1.0.11 | Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc[...] |
| CVE-2023-39325 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | golang.org/x/net:v0.0.0-20200822124328-c89045814202 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consump[...] |
| CVE-2023-43887 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | libde265:1.0.11 | Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameters in the[...] |
| CVE-2023-44487 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | golang.org/x/net:v0.0.0-20200822124328-c89045814202; nghttp2:1.52.0 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams[...] |
| CVE-2023-47038 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | perl:5.36.0 | A vulnerability was found in perl. This issue occurs when a crafted regular expression is compiled by perl, which can allow an a[...] |
| CVE-2023-4863 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | opencv-python:4.5.5.64 | Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform [...] |
| CVE-2023-49465 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | libde265:1.0.11 | Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction fun[...] |
| CVE-2023-49467 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | libde265:1.0.11 | Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_cand[...] |
| CVE-2023-49468 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | libde265:1.0.11 | Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc. |
| CVE-2023-50471 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | cjson:1.7.15 | cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_InsertItemInArray at cJSON.c. |
| CVE-2023-52425 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | expat:2.5.0 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case o[...] |
| CVE-2023-6246 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | glibc:2.36 | A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the s[...] |
| CVE-2023-6569 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | h2o:3.44.0.3 | External Control of File Name or Path in h2oai/h2o-3 |
| CVE-2023-6779 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | glibc:2.36 | An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is cal[...] |
| CVE-2024-0553 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | gnutls28:3.7.9 | A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the re[...] |
| CVE-2024-0565 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | linux:6.1.55 | An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-compo[...] |
| CVE-2024-0567 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | gnutls28:3.7.9 | A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. Thi[...] |
| CVE-2024-0985 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | postgresql-15:15.5 | Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL fu[...] |
| CVE-2024-21634 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | software.amazon.ion:ion-java:1.0.2 | Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exist[...] |

To resolve this, we recommend the following approach:

  1. Install trivy (https://aquasecurity.github.io/trivy)
  2. Scan the current version of the image using a command like trivy image --scanners vuln --severity CRITICAL,HIGH --timeout 60m [...image address...]
  3. Validate that the CVEs are detected using trivy. The provided scans were taken using a different scanner (ECR), so the first step should be to validate that trivy can see them as well.
  4. Iterate to resolve the vulnerabilities. trivy enables you to scan the image without pushing it, so it should help in finding the resolution
  5. Test and publish the fix version, and let us know where we can find the fixed image(s) so we can validate the fixes on our side as well.
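The validation loop described in the steps above (scan with trivy, confirm that the ECR findings are visible to trivy, iterate until the image is clean) can be scripted. The following Python is an added example, not code from this issue or from the wave project. It assumes trivy is on PATH when run as a script and uses trivy's JSON report format (`trivy image --format json`, fields `Results[].Vulnerabilities[].VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `CVSS.nvd.V3Score`). It deliberately drops the `--severity CRITICAL,HIGH` filter from the suggested command: the issue states that severity is taken from CVSS under the NIST bands rather than from any tool's label, so the script rescores each finding from the NVD CVSS v3 base score in the report (9.0-10.0 critical, 7.0-8.9 high, 4.0-6.9 medium, 0.1-3.9 low) and falls back to trivy's label only when no NVD score is present. Filtering on the scanner's label first would silently drop a finding trivy rates MEDIUM but NVD scores 7.0 or above. The embedded report is constructed sample data, not a real scan of the tour image; the file paths in it are placeholders.

```python
"""Check an ECR vulnerability list against a trivy scan of the same image.

Added example (not from the issue or the wave project). Assumes trivy is on
PATH when run as a script; the report schema is trivy's own JSON output.
"""
import json
import subprocess
import sys

# CVE IDs from the ECR scan quoted in the issue above.
EXPECTED_CVES = {
    "CVE-2023-28531", "CVE-2020-29652", "CVE-2021-33194", "CVE-2021-3610",
    "CVE-2021-43565", "CVE-2022-27191", "CVE-2022-27664", "CVE-2022-41723",
    "CVE-2023-27103", "CVE-2023-39325", "CVE-2023-43887", "CVE-2023-44487",
    "CVE-2023-47038", "CVE-2023-4863", "CVE-2023-49465", "CVE-2023-49467",
    "CVE-2023-49468", "CVE-2023-50471", "CVE-2023-52425", "CVE-2023-6246",
    "CVE-2023-6569", "CVE-2023-6779", "CVE-2024-0553", "CVE-2024-0565",
    "CVE-2024-0567", "CVE-2024-0985", "CVE-2024-21634",
}


def nvd_severity(score):
    """NVD qualitative rating for a CVSS v3 base score (NIST bands)."""
    if score is None:
        return "UNKNOWN"
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW" if score > 0.0 else "NONE"


def run_trivy(image):
    """Scan an image with trivy and return the parsed JSON report.

    No --severity flag on purpose: severity is recomputed from CVSS below, so a
    finding trivy labels MEDIUM but NVD scores 7.0+ must not be dropped here.
    """
    cmd = ["trivy", "image", "--scanners", "vuln", "--format", "json",
           "--timeout", "60m", image]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def findings(report):
    """Flatten a trivy report to one dict per CRITICAL/HIGH finding.

    Severity is the NVD CVSS v3 rating when the report carries a score, else
    trivy's own label (advisories without an NVD entry).
    """
    rows = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # None when a target is clean
            score = ((v.get("CVSS") or {}).get("nvd") or {}).get("V3Score")
            sev = nvd_severity(score)
            if sev == "UNKNOWN":
                sev = v.get("Severity", "UNKNOWN")
            if sev not in ("CRITICAL", "HIGH"):
                continue
            rows.append({
                "id": v["VulnerabilityID"],
                "target": result.get("Target", ""),
                "pkg": f"{v.get('PkgName')}:{v.get('InstalledVersion')}",
                "fixed": v.get("FixedVersion") or None,  # None: no fix available yet
                "severity": sev,
            })
    return rows


def compare(report, expected=EXPECTED_CVES):
    """Confirm trivy sees the expected CVEs and flag what has no fix yet."""
    rows = findings(report)
    seen = {r["id"] for r in rows}
    return {
        "confirmed": sorted(seen & expected),
        "missing": sorted(expected - seen),  # ECR saw it, trivy did not: check by hand
        "extra": sorted(seen - expected),    # trivy saw more: fix these as well
        "unfixable": sorted(r["id"] for r in rows if r["fixed"] is None),
    }


# Constructed sample report in trivy's JSON shape (not a real scan result).
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0",
    "Results": [
        {"Target": "tour (debian 12)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-28531", "PkgName": "openssh-client",
              "InstalledVersion": "1:9.2p1-2", "FixedVersion": "1:9.2p1-2+fix",
              "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}},
             {"VulnerabilityID": "CVE-2023-6246", "PkgName": "libc6",
              "InstalledVersion": "2.36-9", "FixedVersion": "",
              "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 8.4}}},
             # Scanner label MEDIUM, but NVD 7.5 is HIGH under the NIST bands.
             {"VulnerabilityID": "CVE-2023-52425", "PkgName": "libexpat1",
              "InstalledVersion": "2.5.0-1", "FixedVersion": "",
              "Severity": "MEDIUM", "CVSS": {"nvd": {"V3Score": 7.5}}},
         ]},
        {"Target": "placeholder/go-binary", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-44487", "PkgName": "golang.org/x/net",
              "InstalledVersion": "v0.0.0-20200822124328-c89045814202",
              "FixedVersion": "0.17.0", "Severity": "HIGH",
              "CVSS": {"nvd": {"V3Score": 7.5}}},
         ]},
        {"Target": "placeholder/python-pkg", "Class": "lang-pkgs", "Type": "python-pkg",
         "Vulnerabilities": [
             # No NVD score in the report: fall back to the scanner's label.
             {"VulnerabilityID": "CVE-2023-6569", "PkgName": "h2o",
              "InstalledVersion": "3.44.0.3", "FixedVersion": "", "Severity": "HIGH"},
         ]},
        {"Target": "placeholder/clean-target", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": None},
    ],
}

if __name__ == "__main__":
    report = run_trivy(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    for key, ids in compare(report).items():
        print(f"{key:>10}: {len(ids):2d}  {' '.join(ids)}")
```

Run it as `python3 check_trivy.py <image address>` against the rebuilt image after each iteration of step 4; a fix is done when `missing` contains only CVEs you have confirmed by hand that trivy cannot see (different advisory source or package naming), `extra` is empty, and `unfixable` lists only packages with no upstream fix, which then need a base-image change or removal of the package rather than a version bump.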
mturoci commented 2 months ago

Closed by https://github.com/h2oai/wave/pull/2302