snowflakedb / gosnowflake

Go Snowflake Driver
Apache License 2.0

SNOW-1333232 High Severity DoS CVE introduced in github.com/hambra/avro #1101

Closed ChronosMasterOfAllTime closed 4 months ago

ChronosMasterOfAllTime commented 4 months ago

Please answer these questions before submitting your issue. In order to accurately debug the issue this information is required. Thanks!

1. What version of GO driver are you using? 1.9

2. What operating system and processor architecture are you using? MacOS x86_64

3. What version of GO are you using? 1.22 (run go version in your console)

4. Server version: N/A

5. What did you do?

   Upgraded to v1.9 of the Snowflake driver. Apache Arrow v15.0.0 is using a version of the github.com/hambra/avro that introduces a DoS exploit. This is fixed in the latest version of Apache Arrow.

   See Snyk issue

   Fixed in v16.0.0 of Apache Arrow go.mod

6. What did you expect to see?

   No High CVE exploits

7. Can you set logging to DEBUG and collect the logs?

   https://community.snowflake.com/s/article/How-to-generate-log-file-on-Snowflake-connectors

8. What is your Snowflake account identifier, if any? databots

sfc-gh-dszmolka commented 4 months ago

Hi, and thank you for drawing attention to this issue and also for the PR! Can we please wait for Arrow v16 to be available?

Also, the linked Snyk issue leads to CVE-2023-37475, which per the NVD advisory https://nvd.nist.gov/vuln/detail/CVE-2023-37475 is fixed in github.com/hambra/avro 2.13.0 and up.

Apache Arrow v15 depends on hamba/avro v2.17.2 which per the above NVD is not vulnerable.

Is this the right CVE number?
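The check sfc-gh-dszmolka is doing by hand here (which hamba/avro version the module graph actually resolves, and whether that is at or above the version NVD lists as fixed) can be scripted against `go list -m all` output. This is an added example, not code from the gosnowflake project; the module list is a constructed sample with hypothetical versions, and the module path github.com/hamba/avro/v2 is assumed for the v2 line of the library.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go list -m all` output for an app on Arrow v15
// (hypothetical module set; not the gosnowflake go.mod).
const sampleModList = `example.com/app
github.com/apache/arrow/go/v15 v15.0.2
github.com/hamba/avro/v2 v2.17.2
github.com/snowflakedb/gosnowflake v1.9.0
`

// resolvedVersion returns the version the module graph selected for modPath
// (the second field of the matching "path version" line).
func resolvedVersion(modList, modPath string) (string, bool) {
	for _, line := range strings.Split(modList, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == modPath {
			return f[1], true
		}
	}
	return "", false
}

// parseSemver turns "v2.17.2" or "2.13.0" into MAJOR.MINOR.PATCH; pre-release
// and pseudo-versions are rejected (ok=false) rather than silently compared.
func parseSemver(v string) (p [3]int, ok bool) {
	n, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &p[0], &p[1], &p[2])
	return p, err == nil && n == 3 && !strings.ContainsAny(v, "-+")
}

// isAtLeast reports whether resolved >= fixed, i.e. the advisory's fix is in
// the build; ok is false when either version cannot be compared.
func isAtLeast(resolved, fixed string) (atLeast, ok bool) {
	a, okA := parseSemver(resolved)
	b, okB := parseSemver(fixed)
	if !okA || !okB {
		return false, false
	}
	for i := range a {
		if a[i] != b[i] {
			return a[i] > b[i], true
		}
	}
	return true, true
}
```

With the sample list, hamba/avro resolves to v2.17.2, which is at or above the 2.13.0 fix version for CVE-2023-37475, so a scanner flagging it is reporting on a version that is not in the build.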

ChronosMasterOfAllTime commented 4 months ago

@sfc-gh-dszmolka We can wait if you're more comfortable with an official release

This commit fixed the DoS which was released in hamba/avro v2.19.0.

From Snyk:

ChronosMasterOfAllTime commented 4 months ago

Good catch though; I brought this up with the Snyk team as a potential false positive. Will report back here

sfc-gh-dszmolka commented 4 months ago

Thanks for the additional details, indeed Arrow seems to have bumped the hamba/avro to past 2.19 (2.20.1) in the latest (yet unreleased) code.

Of course the team will review your PR, but from what I saw we usually prefer depending on officially released code. Good to have this on the table though, so really appreciate it!

sfc-gh-dszmolka commented 4 months ago

@ChronosMasterOfAllTime Arrow v16 looks to be released now, can you please modify your PR to have the official released v16.0.0?

sfc-gh-dszmolka commented 4 months ago

Thank you for modifying it to v16; let's await the PR review.

sfc-gh-dszmolka commented 4 months ago

A quick update: we cannot just simply merge the PR. The reason being (as you might have noticed from the tests), all tests for this PR are failing on go1.19, as Arrow v16 would need at least go1.20.

Until Snowflake drops support for go1.19, we cannot merge this PR or else it would break the driver for everyone currently on go1.19. Likely we would also require a new major version released from the driver.

So we must take appropriate care.

This is to set expectations why this 'simple' Arrow version bump won't be very very quickly merged.

Also, on a side note, the question is still open: can you perhaps please advise what is the actual 'High Severity DoS CVE' / vulnerability which is there in Arrow v15.0.2 and supposed to be addressed in Arrow v16?

It is likely not the one linked to this issue originally:

because it is addressed in avro 2.13, and Arrow v15, on which we already depend, depends on avro 2.17, which is not vulnerable to this CVE. Clarification is really appreciated!

ChronosMasterOfAllTime commented 4 months ago

We reached out to Snyk support on this as well. Turns out the DB was never updated for this entry. We can table this for now.

sfc-gh-dszmolka commented 4 months ago

Thank you for following up with Snyk and the feedback - as there's no vulnerability, closing the issue for now. The bump to Arrow v16 will still happen though, eventually.