h2oai / wave

Realtime Web Apps and Dashboards for Python and R
https://wave.h2o.ai
Apache License 2.0

Fix all HIGH security vulnerabilities in Wave SDK #2351

Closed dulajra closed 2 weeks ago

dulajra commented 2 weeks ago

Wave SDK Version, OS

1.3.1

Actual behavior

The following HIGH security vulnerabilities are present in the latest Wave version.

mlops-wave/venv/waved (gobinary)
================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.22.1            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of         │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                             │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                 │
│         ├────────────────┤          │        │                   ├────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24788 │          │        │                   │ 1.22.3         │ golang: net: malformed DNS message can cause infinite loop │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24788                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────────────┘

Expected behavior

0 HIGH and CRITICAL vulnerabilities.

jakubhava commented 2 weeks ago

This is the full report on waved:

mlops-wave/venv/waved (gobinary)
================================
Total: 6 (UNKNOWN: 2, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │  Status  │ Installed Version │  Fixed Version  │                            Title                            │
├────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net           │ CVE-2023-45288 │ MEDIUM   │ fixed    │ v0.22.0           │ 0.23.0          │ golang: net/http, x/net/http2: unlimited number of          │
│                            │                │          │          │                   │                 │ CONTINUATION frames causes DoS                              │
│                            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
├────────────────────────────┼────────────────┤          ├──────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ gopkg.in/square/go-jose.v2 │ CVE-2024-28180 │          │ affected │ v2.6.0            │                 │ jose-go: improper handling of highly compressed data        │
│                            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-28180                  │
├────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                     │ CVE-2023-45288 │ HIGH     │ fixed    │ 1.22.1            │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of          │
│                            │                │          │          │                   │                 │ CONTINUATION frames causes DoS                              │
│                            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
│                            ├────────────────┤          │          │                   ├─────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24788 │          │          │                   │ 1.22.3          │ golang: net: malformed DNS message can cause infinite loop  │
│                            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24788                  │
│                            ├────────────────┼──────────┤          │                   ├─────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24789 │ UNKNOWN  │          │                   │ 1.21.11, 1.22.4 │ The archive/zip package's handling of certain types of      │
│                            │                │          │          │                   │                 │ invalid zip fil ......                                      │
│                            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                  │
│                            ├────────────────┤          │          │                   │                 ├─────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24790 │          │          │                   │                 │ The various Is methods (IsPrivate, IsLoopback, etc) did not │
│                            │                │          │          │                   │                 │ work as ex...                                               │
│                            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                  │
└────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘

The more we can fix, the better.

mturoci commented 2 weeks ago

Fixed in https://github.com/h2oai/wave/commit/a90b902d4e153fc9eddc4ef7fe0ee5b0ad58b75b.

Bumped Go to 1.22.4 which should mitigate all the CVEs mentioned above. If not, let me know.

mturoci commented 2 weeks ago

Edit: Didn't notice your comment @jakubhava.

gopkg.in/square/go-jose.v2

Has no fix atm if I read it correctly.

golang.org/x/net

Will bump and cut one more release.
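The report above lists CVE-2023-45288 twice: once against the Go toolchain (stdlib, fixed in 1.22.2) and once against the golang.org/x/net module compiled into the binary (fixed in 0.23.0). Bumping Go alone therefore clears the stdlib rows but leaves the x/net copy in place, which is why a second bump is needed. The program below is an added example, not code from the Wave project or from anyone in this thread: it parses `go version -m <binary>` style output and flags every component still older than its fix version. The minimum versions come from the trivy table above; the sample build-info text, binary name, module path and h1: sums are constructed placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Finding is one component of the binary that is still older than the
// version in which its CVE is fixed.
type Finding struct {
	Component string // "stdlib" for the Go toolchain, otherwise the module path
	Installed string
	Required  string
}

// Minimum versions taken from the trivy report in this issue. The go-jose.v2
// entry is deliberately absent: the report lists no fixed version for it.
var requiredMinimum = map[string]string{
	"stdlib":           "1.22.4", // CVE-2023-45288, CVE-2024-24788, -24789, -24790
	"golang.org/x/net": "0.23.0", // CVE-2023-45288 in x/net/http2
}

// Constructed sample in the format printed by `go version -m <binary>`.
// The binary name, module path and h1: sums are placeholders, not real values.
const sampleBeforeFix = "waved: go1.22.1\n" +
	"\tpath\texample.com/waved\n" +
	"\tmod\texample.com/waved\t(devel)\n" +
	"\tdep\tgolang.org/x/net\tv0.22.0\th1:placeholder=\n" +
	"\tdep\tgopkg.in/square/go-jose.v2\tv2.6.0\th1:placeholder=\n"

// Constructed sample of the same binary rebuilt with Go 1.22.4 but with
// golang.org/x/net left at v0.22.0.
const sampleAfterGoBump = "waved: go1.22.4\n" +
	"\tpath\texample.com/waved\n" +
	"\tmod\texample.com/waved\t(devel)\n" +
	"\tdep\tgolang.org/x/net\tv0.22.0\th1:placeholder=\n" +
	"\tdep\tgopkg.in/square/go-jose.v2\tv2.6.0\th1:placeholder=\n"

// parseVersion turns "go1.22.1", "v0.22.0" or "1.22.4" into numeric parts.
// Parsing stops at the first non-numeric part, so "(devel)" yields no parts.
func parseVersion(v string) []int {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	var parts []int
	for _, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			break
		}
		parts = append(parts, n)
	}
	return parts
}

// versionLess reports whether a is numerically older than b. Missing trailing
// components count as zero, so "1.22" equals "1.22.0"; an unparseable version
// therefore compares as older than any real fix version and gets flagged.
func versionLess(a, b string) bool {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// CheckBuildInfo parses `go version -m` style output and returns every
// component (toolchain or module) that is still below its required minimum.
func CheckBuildInfo(buildInfo string, minimum map[string]string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(buildInfo))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "\t") {
			// Header line: "<binary>: go1.22.1" names the toolchain that built it.
			if i := strings.LastIndex(line, ": go"); i >= 0 {
				goVer := line[i+2:]
				if want, ok := minimum["stdlib"]; ok && versionLess(goVer, want) {
					findings = append(findings, Finding{"stdlib", goVer, want})
				}
			}
			continue
		}
		// Indented lines: "\tdep\t<module>\t<version>\t<sum>" or "\tmod\t..." etc.
		fields := strings.Split(strings.TrimPrefix(line, "\t"), "\t")
		if len(fields) < 3 || (fields[0] != "dep" && fields[0] != "mod") {
			continue
		}
		path, ver := fields[1], fields[2]
		if want, ok := minimum[path]; ok && versionLess(ver, want) {
			findings = append(findings, Finding{path, ver, want})
		}
	}
	return findings
}

func main() {
	show := func(name, buildInfo string) {
		fmt.Println(name)
		for _, f := range CheckBuildInfo(buildInfo, requiredMinimum) {
			fmt.Printf("  %s: installed %s, fixed in %s\n", f.Component, f.Installed, f.Required)
		}
	}
	show("before fix:", sampleBeforeFix)
	show("after bumping Go only:", sampleAfterGoBump)
}
```

On a real build, `go version -m ./waved` prints the same layout and can be piped into this check; `govulncheck -mode=binary ./waved` does the equivalent against the Go vulnerability database and additionally reports whether the vulnerable functions are actually reachable from the binary.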

jakubhava commented 2 weeks ago

Thanks a lot @mturoci.