Cadence is a distributed, scalable, durable, and highly available orchestration engine to execute asynchronous long-running business logic in a scalable and resilient way.
Version of Cadence server, and client(which language)
This is very important to root cause bugs.
Server version: v1.2.10
Describe the bug
There are a lot of CVEs found from the latest Cadence image: ubercadence/server:v1.2.10
To Reproduce
Is the issue reproducible?
Yes
Steps to reproduce the behavior:
Pull the latest image ubercadence/server:v1.2.10 from Dockerhub
Scan the image with any vulnerability scanner
Scan results for: image ubercadence/server:v1.2.10 sha256:84f2c2191582f7421bb0db739c643ec8a24def8ff624d5fc2d3e0b164b6d85ed
Vulnerabilities
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2016-5397 | high | 8.80 | github.com/apache/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.10.0 | > 6 years | < 1 hour | The Apache Thrift Go client library exposed the |
| | | | | | > 10 months ago | | | potential during code generation for command |
| | | | | | | | | injection due to using an external formatting |
| | | | | | | | | tool. Affec... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2019-0210 | high | 7.50 | github.com/apache/thrift/lib/go/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0 | > 4 years | < 1 hour | In Apache Thrift 0.9.3 to 0.12.0, a server |
| | | | | | > 4 years ago | | | implemented in Go using TJSONProtocol or |
| | | | | | | | | TSimpleJSONProtocol may panic when feed with |
| | | | | | | | | invalid input data. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium | 6.20 | github.com/sirupsen/logrus | v1.9.0 | fixed in v1.9.3 | > 1 years | < 1 hour | The github.com/sirupsen/logrus module of all |
| | | | | | > 1 years ago | | | versions is vulnerable to denial of service. |
| | | | | | | | | Logging more than 64kb of data in a single entry |
| | | | | | | | | without new... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992 | medium | 5.50 | zlib | 1.2.13-r1 | | > 5 months | < 1 hour | Cloudflare version of zlib library was found |
| | | | | | | | | to be vulnerable to memory corruption issues |
| | | | | | | | | affecting the deflation algorithm implementation |
| | | | | | | | | (deflate.c)... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366 | medium | 5.50 | busybox | 1.36.1-r5 | fixed in 1.36.1-r6 | > 6 months | < 1 hour | A heap-buffer-overflow was discovered in BusyBox |
| | | | | | 33 days ago | | | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366 | medium | 5.50 | busybox | 1.36.1 | | > 6 months | < 1 hour | A heap-buffer-overflow was discovered in BusyBox |
| | | | | | | | | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365 | medium | 5.50 | busybox | 1.36.1-r5 | fixed in 1.36.1-r7 | > 6 months | < 1 hour | A use-after-free vulnerability was discovered in |
| | | | | | 8 days ago | | | BusyBox v.1.36.1 via a crafted awk pattern in the |
| | | | | | | | | awk.c copyvar function. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365 | medium | 5.50 | busybox | 1.36.1 | | > 6 months | < 1 hour | A use-after-free vulnerability was discovered in |
| | | | | | | | | BusyBox v.1.36.1 via a crafted awk pattern in the |
| | | | | | | | | awk.c copyvar function. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364 | medium | 5.50 | busybox | 1.36.1-r5 | fixed in 1.36.1-r7 | > 6 months | < 1 hour | A use-after-free vulnerability in BusyBox v.1.36.1 |
| | | | | | 8 days ago | | | allows attackers to cause a denial of service |
| | | | | | | | | via a crafted awk pattern in the awk.c evaluate |
| | | | | | | | | funct... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364 | medium | 5.50 | busybox | 1.36.1 | | > 6 months | < 1 hour | A use-after-free vulnerability in BusyBox v.1.36.1 |
| | | | | | | | | allows attackers to cause a denial of service |
| | | | | | | | | via a crafted awk pattern in the awk.c evaluate |
| | | | | | | | | funct... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363 | medium | 5.50 | busybox | 1.36.1-r5 | fixed in 1.36.1-r7 | > 6 months | < 1 hour | A use-after-free vulnerability was discovered |
| | | | | | 8 days ago | | | in xasprintf function in xfuncs_printf.c:344 in |
| | | | | | | | | BusyBox v.1.36.1. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363 | medium | 5.50 | busybox | 1.36.1 | | > 6 months | < 1 hour | A use-after-free vulnerability was discovered |
| | | | | | | | | in xasprintf function in xfuncs_printf.c:344 in |
| | | | | | | | | BusyBox v.1.36.1. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0 | fixed in 1.33.0 | > 3 months | < 1 hour | The protojson.Unmarshal function can enter an |
| | | | | | > 3 months ago | | | infinite loop when unmarshaling certain forms |
| | | | | | | | | of invalid JSON. This condition can occur when |
| | | | | | | | | unmarshalin... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson | v1.31.0 | fixed in 1.33.0 | > 3 months | < 1 hour | The protojson.Unmarshal function can enter an |
| | | | | | > 3 months ago | | | infinite loop when unmarshaling certain forms |
| | | | | | | | | of invalid JSON. This condition can occur when |
| | | | | | | | | unmarshalin... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288 | moderate | 0.00 | golang.org/x/net/http2 | v0.19.0 | fixed in 0.23.0 | 77 days | < 1 hour | An attacker may cause an HTTP/2 endpoint to |
| | | | | | 77 days ago | | | read arbitrary amounts of header data by sending |
| | | | | | | | | an excessive number of CONTINUATION frames. |
| | | | | | | | | Maintaining H... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-4603 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.5-r0 | 35 days | < 1 hour | Issue summary: Checking excessively long DSA |
| | | | | | 31 days ago | | | keys or parameters may be very slow. Impact |
| | | | | | | | | summary: Applications that use the functions |
| | | | | | | | | EVP_PKEY_param_... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.4-r6 | 73 days | < 1 hour | Issue summary: Some non-default TLS server |
| | | | | | 72 days ago | | | configurations can cause unbounded memory growth |
| | | | | | | | | when processing TLSv1.3 sessions Impact summary: |
| | | | | | | | | An attac... |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
Vulnerabilities found for image ubercadence/server:v1.2.10: total - 17, critical - 0, high - 2, medium - 13, low - 2
Vulnerability threshold check results: PASS
Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY | DESCRIPTION |
+----------+------------------------------------------------------------------------+
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high | Private keys stored in image |
+----------+------------------------------------------------------------------------+
Compliance found for image ubercadence/server:v1.2.10: total - 2, critical - 0, high - 2, medium - 0, low - 0
**Expected behavior**
No more CVEs found.
**Screenshots**
<img width="921" alt="image" src="https://github.com/uber/cadence/assets/18463816/413fb21b-f002-40b5-b310-1d8bb474fa7a">
**Additional context**
Add any other context about the problem here, E.g. Stackstace, workflow history.
Version of Cadence server, and client(which language) This is very important to root cause bugs.
v1.2.10Describe the bug There are a lot of CVEs found from the latest Cadence image:
ubercadence/server:v1.2.10To Reproduce Is the issue reproducible?
Steps to reproduce the behavior:
ubercadence/server:v1.2.10from DockerhubVulnerabilities found for image ubercadence/server:v1.2.10: total - 17, critical - 0, high - 2, medium - 13, low - 2 Vulnerability threshold check results: PASS
Compliance Issues +----------+------------------------------------------------------------------------+ | SEVERITY | DESCRIPTION | +----------+------------------------------------------------------------------------+ | high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user | +----------+------------------------------------------------------------------------+ | high | Private keys stored in image | +----------+------------------------------------------------------------------------+
Compliance found for image ubercadence/server:v1.2.10: total - 2, critical - 0, high - 2, medium - 0, low - 0