uber / cadence

Cadence is a distributed, scalable, durable, and highly available orchestration engine to execute asynchronous long-running business logic in a scalable and resilient way.
https://cadenceworkflow.io
MIT License

Addressing a lot of security vulnerabilities in the Cadence release v1.2.8 #5913

Closed sonpham96 closed 2 weeks ago

sonpham96 commented 4 months ago

Describe the bug: There are a lot of CVEs found from the latest Cadence image: ubercadence/server:v1.2.8

Scan results for: image ubercadence/server:v1.2.8 sha256:2cb358a5152e7c4d1ac57f214450c90de2834fd1df576c909f7f0350089891ca
Vulnerabilities
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                      PACKAGE                      |              VERSION               |      STATUS       | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2016-5397    | high     | 8.80 | github.com/apache/thrift                          | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.10.0   | > 6 years  | < 1 hour   | The Apache Thrift Go client library exposed the    |
|                  |          |      |                                                   |                                    | > 8 months ago    |            |            | potential during code generation for command       |
|                  |          |      |                                                   |                                    |                   |            |            | injection due to using an external formatting      |
|                  |          |      |                                                   |                                    |                   |            |            | tool. Affec...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2019-0210    | high     | 7.50 | github.com/apache/thrift/lib/go/thrift            | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0   | > 4 years  | < 1 hour   | In Apache Thrift 0.9.3 to 0.12.0, a server         |
|                  |          |      |                                                   |                                    | > 4 years ago     |            |            | implemented in Go using TJSONProtocol or           |
|                  |          |      |                                                   |                                    |                   |            |            | TSimpleJSONProtocol may panic when feed with       |
|                  |          |      |                                                   |                                    |                   |            |            | invalid input data.                                |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2019-0190    | high     | 7.50 | openssl                                           | 3.1.4-r5                           |                   | > 5 years  | < 1 hour   | A bug exists in the way mod_ssl handled client     |
|                  |          |      |                                                   |                                    |                   |            |            | renegotiations. A remote attacker could send a     |
|                  |          |      |                                                   |                                    |                   |            |            | carefully crafted request that would cause mod_ssl |
|                  |          |      |                                                   |                                    |                   |            |            | to en...                                           |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus                        | v1.9.0                             | fixed in v1.9.3   | > 1 years  | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                                   |                                    | > 1 years ago     |            |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                                   |                                    |                   |            |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                                   |                                    |                   |            |            | without new...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                                              | 1.2.13-r1                          |                   | > 3 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                  |          |      |                                                   |                                    |                   |            |            | to be vulnerable to memory corruption issues       |
|                  |          |      |                                                   |                                    |                   |            |            | affecting the deflation algorithm implementation   |
|                  |          |      |                                                   |                                    |                   |            |            | (deflate.c)...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                                           | 1.36.1                             |                   | > 4 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                  |          |      |                                                   |                                    |                   |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                                           | 1.36.1                             |                   | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                  |          |      |                                                   |                                    |                   |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                  |          |      |                                                   |                                    |                   |            |            | awk.c copyvar function.                            |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                                           | 1.36.1                             |                   | > 4 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                  |          |      |                                                   |                                    |                   |            |            | allows attackers to cause a denial of service      |
|                  |          |      |                                                   |                                    |                   |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                  |          |      |                                                   |                                    |                   |            |            | funct...                                           |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                                           | 1.36.1                             |                   | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                  |          |      |                                                   |                                    |                   |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                  |          |      |                                                   |                                    |                   |            |            | BusyBox v.1.36.1.                                  |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson     | v1.31.0                            | fixed in 1.33.0   | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                   |                                    | 42 days ago       |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                   |                                    |                   |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                   |                                    |                   |            |            | unmarshalin...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0                            | fixed in 1.33.0   | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                   |                                    | 42 days ago       |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                   |                                    |                   |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                   |                                    |                   |            |            | unmarshalin...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                            | v0.19.0                            | fixed in 0.23.0   | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                   |                                    | 12 days ago       |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                   |                                    |                   |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                   |                                    |                   |            |            | Maintaining H...                                   |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511    | low      | 0.00 | openssl                                           | 3.1.4-r5                           | fixed in 3.1.4-r6 | n/a        | < 1 hour   | Issue summary: Some non-default TLS server         |
|                  |          |      |                                                   |                                    | 7 days ago        |            |            | configurations can cause unbounded memory growth   |
|                  |          |      |                                                   |                                    |                   |            |            | when processing TLSv1.3 sessions  Impact summary:  |
|                  |          |      |                                                   |                                    |                   |            |            | An attac...                                        |
+------------------+----------+------+---------------------------------------------------+------------------------------------+-------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image ubercadence/server:v1.2.8: total - 13, critical - 0, high - 3, medium - 9, low - 1
Vulnerability threshold check results: PASS

Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY |                              DESCRIPTION                               |
+----------+------------------------------------------------------------------------+
| high     | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high     | Private keys stored in image                                           |
+----------+------------------------------------------------------------------------+

Compliance found for image ubercadence/server:v1.2.8: total - 2, critical - 0, high - 2, medium - 0, low - 0
Compliance threshold check results: PASS

Screenshots: scan results (image attached in the original issue)


sonpham96 commented 3 months ago

There are still a lot of security vulnerabilities in the Cadence v1.2.9 release. Scan results:

Scan results for: image ubercadence/server:v1.2.9 sha256:91d5b52428fe2cc5bc18e940c0b73f6a758fa38790c1b62a7f7499d41084e716
Vulnerabilities
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
|      CVE       | SEVERITY | CVSS |                      PACKAGE                      |              VERSION               |       STATUS       | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2016-5397  | high     | 8.80 | github.com/apache/thrift                          | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.10.0    | > 6 years  | < 1 hour   | The Apache Thrift Go client library exposed the    |
|                |          |      |                                                   |                                    | > 9 months ago     |            |            | potential during code generation for command       |
|                |          |      |                                                   |                                    |                    |            |            | injection due to using an external formatting      |
|                |          |      |                                                   |                                    |                    |            |            | tool. Affec...                                     |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2019-0210  | high     | 7.50 | github.com/apache/thrift/lib/go/thrift            | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0    | > 4 years  | < 1 hour   | In Apache Thrift 0.9.3 to 0.12.0, a server         |
|                |          |      |                                                   |                                    | > 4 years ago      |            |            | implemented in Go using TJSONProtocol or           |
|                |          |      |                                                   |                                    |                    |            |            | TSimpleJSONProtocol may panic when feed with       |
|                |          |      |                                                   |                                    |                    |            |            | invalid input data.                                |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992  | medium   | 5.50 | zlib                                              | 1.2.13-r1                          |                    | > 4 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                |          |      |                                                   |                                    |                    |            |            | to be vulnerable to memory corruption issues       |
|                |          |      |                                                   |                                    |                    |            |            | affecting the deflation algorithm implementation   |
|                |          |      |                                                   |                                    |                    |            |            | (deflate.c)...                                     |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366 | medium   | 5.50 | busybox                                           | 1.36.1-r5                          | fixed in 1.36.1-r6 | > 5 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                |          |      |                                                   |                                    | 1 days ago         |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366 | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 5 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                |          |      |                                                   |                                    |                    |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365 | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 5 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                |          |      |                                                   |                                    |                    |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                |          |      |                                                   |                                    |                    |            |            | awk.c copyvar function.                            |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364 | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 5 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                |          |      |                                                   |                                    |                    |            |            | allows attackers to cause a denial of service      |
|                |          |      |                                                   |                                    |                    |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                |          |      |                                                   |                                    |                    |            |            | funct...                                           |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363 | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 5 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                |          |      |                                                   |                                    |                    |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                |          |      |                                                   |                                    |                    |            |            | BusyBox v.1.36.1.                                  |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0                            | fixed in 1.33.0    | 75 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                |          |      |                                                   |                                    | 75 days ago        |            |            | infinite loop when unmarshaling certain forms      |
|                |          |      |                                                   |                                    |                    |            |            | of invalid JSON. This condition can occur when     |
|                |          |      |                                                   |                                    |                    |            |            | unmarshalin...                                     |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson     | v1.31.0                            | fixed in 1.33.0    | 75 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                |          |      |                                                   |                                    | 75 days ago        |            |            | infinite loop when unmarshaling certain forms      |
|                |          |      |                                                   |                                    |                    |            |            | of invalid JSON. This condition can occur when     |
|                |          |      |                                                   |                                    |                    |            |            | unmarshalin...                                     |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288 | moderate | 0.00 | golang.org/x/net/http2                            | v0.19.0                            | fixed in 0.23.0    | 45 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                |          |      |                                                   |                                    | 45 days ago        |            |            | read arbitrary amounts of header data by sending   |
|                |          |      |                                                   |                                    |                    |            |            | an excessive number of CONTINUATION frames.        |
|                |          |      |                                                   |                                    |                    |            |            | Maintaining H...                                   |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511  | low      | 0.00 | openssl                                           | 3.1.4-r5                           | fixed in 3.1.4-r6  | 41 days    | < 1 hour   | Issue summary: Some non-default TLS server         |
|                |          |      |                                                   |                                    | 40 days ago        |            |            | configurations can cause unbounded memory growth   |
|                |          |      |                                                   |                                    |                    |            |            | when processing TLSv1.3 sessions  Impact summary:  |
|                |          |      |                                                   |                                    |                    |            |            | An attac...                                        |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image ubercadence/server:v1.2.9: total - 12, critical - 0, high - 2, medium - 9, low - 1
Vulnerability threshold check results: PASS

Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY |                              DESCRIPTION                               |
+----------+------------------------------------------------------------------------+
| high     | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high     | Private keys stored in image                                           |
+----------+------------------------------------------------------------------------+

Compliance found for image ubercadence/server:v1.2.9: total - 2, critical - 0, high - 2, medium - 0, low - 0
Compliance threshold check results: PASS