
Addressing a lot of security vulnerabilities in the latest Temporal admin-tools release 1.23.0 #5741

Open
sonpham96 opened this issue Apr 17, 2024 · 6 comments

Expected Behavior

There is no CVE found in the temporalio/admin-tools image.

Actual Behavior

There are 30 vulnerabilities found for image temporalio/admin-tools:1.23.0, including 7 high, 20 medium and 3 low CVEs.

Scan results:

Scan results for: image temporalio/admin-tools:1.23.0 sha256:eea33c3a95cb7a67f4b10020f04f5fbd9ef4ead7e02c0945ba3e39b5cac30dfd
Vulnerabilities
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                                   PACKAGE                                   |                VERSION                |             STATUS              | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2022-0168 | high     | 7.80 | pip                                                                         | 24.0                                  | open                            | > 1 years  | < 1 hour   | An issue was discovered in pip (all versions)      |
|                  |          |      |                                                                             |                                       |                                 |            |            | because it installs the version with the highest   |
|                  |          |      |                                                                             |                                       |                                 |            |            | version number, even if the user had intended to   |
|                  |          |      |                                                                             |                                       |                                 |            |            | obtain...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-47108   | high     | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.42.0                               | fixed in 0.46.0                 | > 5 months | < 1 hour   | OpenTelemetry-Go Contrib is a collection of        |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | third-party packages for OpenTelemetry-Go.         |
|                  |          |      |                                                                             |                                       |                                 |            |            | Prior to version 0.46.0, the grpc Unary Server     |
|                  |          |      |                                                                             |                                       |                                 |            |            | Interceptor out ...                                |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-47108   | high     | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.36.4                               | fixed in 0.46.0                 | > 5 months | < 1 hour   | OpenTelemetry-Go Contrib is a collection of        |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | third-party packages for OpenTelemetry-Go.         |
|                  |          |      |                                                                             |                                       |                                 |            |            | Prior to version 0.46.0, the grpc Unary Server     |
|                  |          |      |                                                                             |                                       |                                 |            |            | Interceptor out ...                                |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-39325   | high     | 7.50 | golang.org/x/net/http2                                                      | v0.7.0                                | fixed in 0.17.0                 | > 6 months | < 1 hour   | A malicious HTTP/2 client which rapidly creates    |
|                  |          |      |                                                                             |                                       | 52 days ago                     |            |            | requests and immediately resets them can cause     |
|                  |          |      |                                                                             |                                       |                                 |            |            | excessive server resource consumption. While the   |
|                  |          |      |                                                                             |                                       |                                 |            |            | total ...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | golang.org/x/net                                                            | v0.7.0                                | fixed in 0.17.0                 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 6 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | golang.org/x/net                                                            | v0.15.0                               | fixed in 0.17.0                 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 6 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | google.golang.org/grpc                                                      | v1.53.0                               | fixed in 1.58.3, 1.57.1, 1.56.3 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus                                                  | v1.9.0                                | fixed in v1.9.3                 | > 1 years  | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                                                             |                                       | > 1 years ago                   |            |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                                                             |                                       |                                 |            |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                                                             |                                       |                                 |            |            | without new...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2022-40897   | medium   | 5.90 | setuptools                                                                  | 65.5.0                                | fixed in 65.5.1                 | > 1 years  | < 1 hour   | Python Packaging Authority (PyPA) setuptools       |
|                  |          |      |                                                                             |                                       | > 1 years ago                   |            |            | before 65.5.1 allows remote attackers to cause a   |
|                  |          |      |                                                                             |                                       |                                 |            |            | denial of service via HTML in a crafted package or |
|                  |          |      |                                                                             |                                       |                                 |            |            | custo...                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                                                                        | 1.3.1-r0                              |                                 | > 3 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                  |          |      |                                                                             |                                       |                                 |            |            | to be vulnerable to memory corruption issues       |
|                  |          |      |                                                                             |                                       |                                 |            |            | affecting the deflation algorithm implementation   |
|                  |          |      |                                                                             |                                       |                                 |            |            | (deflate.c)...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                  |          |      |                                                                             |                                       |                                 |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                  |          |      |                                                                             |                                       |                                 |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                  |          |      |                                                                             |                                       |                                 |            |            | awk.c copyvar function.                            |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                  |          |      |                                                                             |                                       |                                 |            |            | allows attackers to cause a denial of service      |
|                  |          |      |                                                                             |                                       |                                 |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                  |          |      |                                                                             |                                       |                                 |            |            | funct...                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                  |          |      |                                                                             |                                       |                                 |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                  |          |      |                                                                             |                                       |                                 |            |            | BusyBox v.1.36.1.                                  |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2435    | moderate | 4.30 | github.com/temporalio/ui-server/v2                                          | v2.21.3                               | fixed in 2.25.0                 | 14 days    | < 1 hour   | For an attacker with pre-existing access to send   |
|                  |          |      |                                                                             |                                       | 14 days ago                     |            |            | a signal to a workflow, the attacker can make the  |
|                  |          |      |                                                                             |                                       |                                 |            |            | signal name a script that executes when a victim   |
|                  |          |      |                                                                             |                                       |                                 |            |            | vi...                                              |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-28180   | moderate | 0.00 | gopkg.in/square/go-jose.v2                                                  | v2.6.0                                | fixed in                        | 39 days    | < 1 hour   | Package jose aims to provide an implementation     |
|                  |          |      |                                                                             |                                       | 32 days ago                     |            |            | of the Javascript Object Signing and Encryption    |
|                  |          |      |                                                                             |                                       |                                 |            |            | set of standards. An attacker could send a JWE     |
|                  |          |      |                                                                             |                                       |                                 |            |            | containi...                                        |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/internal/sanitize                                   | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/pgconn                                              | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/pgproto3                                            | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson                               | v1.28.1                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json                           | v1.31.0                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson                               | v1.31.0                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json                           | v1.28.1                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.22.0                               | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.7.0                                | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.18.0                               | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | net/http                                                                    | 1.22.1                                | fixed in 1.21.9, 1.22.2         | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-3485    | low      | 3.00 | go.temporal.io/server                                                       | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0                 | > 9 months | < 1 hour   | Insecure defaults in open-source Temporal Server   |
|                  |          |      |                                                                             |                                       | > 9 months ago                  |            |            | before version 1.20 on all platforms allows an     |
|                  |          |      |                                                                             |                                       |                                 |            |            | attacker to craft a task token with access to a    |
|                  |          |      |                                                                             |                                       |                                 |            |            | namesp...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-25629   | low      | 0.00 | c-ares                                                                      | 1.24.0-r1                             | fixed in 1.27.0-r0              | 53 days    | < 1 hour   | c-ares is a C library for asynchronous DNS         |
|                  |          |      |                                                                             |                                       | 22 days ago                     |            |            | requests. `ares__read_line()` is used to           |
|                  |          |      |                                                                             |                                       |                                 |            |            | parse local configuration files such as            |
|                  |          |      |                                                                             |                                       |                                 |            |            | `/etc/resolv.conf`, `/etc/...                      |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511    | low      | 0.00 | openssl                                                                     | 3.1.4-r5                              | fixed in 3.1.4-r6               | n/a        | < 1 hour   | Issue summary: Some non-default TLS server         |
|                  |          |      |                                                                             |                                       | 7 days ago                      |            |            | configurations can cause unbounded memory growth   |
|                  |          |      |                                                                             |                                       |                                 |            |            | when processing TLSv1.3 sessions  Impact summary:  |
|                  |          |      |                                                                             |                                       |                                 |            |            | An attac...                                        |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image temporalio/admin-tools:1.23.0: total - 30, critical - 0, high - 7, medium - 20, low - 3
Vulnerability threshold check results: PASS

Compliance found for image temporalio/admin-tools:1.23.0: total - 0, critical - 0, high - 0, medium - 0, low - 0
Compliance threshold check results: PASS

Steps to Reproduce the Problem

  1. Pull the latest image temporalio/admin-tools:1.23.0 from Dockerhub
  2. Scan the image with any vulnerability scanner
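
Once the image has been scanned, the report still has to be triaged. The table the scanner prints repeats a CVE once per affected package version (CVE-2023-45288 appears four times above, for three versions of golang.org/x/net/http2 and once for net/http), so row counts overstate the number of distinct issues, and only rows whose STATUS reads "fixed in ..." can be closed by a dependency bump. The script below is an added example, not part of this issue or of Temporal's tooling: it parses that table layout, merges the wrapped continuation lines back into their rows, and groups the result by CVE, package and fix availability. The embedded sample is constructed in the scanner's layout from rows quoted above; the `CVE-0000-0000` / `example-pkg` row is a placeholder with no fix, added only to exercise the "open" branch.

```python
"""Triage helper for the Prisma-style scan table quoted in this issue (added example)."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

COLUMNS = ("cve", "severity", "cvss", "package", "version",
           "status", "published", "discovered", "description")

# STATUS reads "fixed in <versions> [<n> <unit> ago]"; capture the version(s) only.
FIX_RE = re.compile(r"^fixed in (.+?)(?:\s+(?:>\s*)?\d+\s+\w+\s+ago)?$")

# Constructed sample in the scanner's layout. The real rows are copied from the
# report above; 'CVE-0000-0000' / 'example-pkg' is a placeholder row with no fix.
SAMPLE_REPORT = """\
+------------------+----------+------+------------------------+---------------------------------------+-------------------------+------------+------------+----------------------------------------------+
|       CVE        | SEVERITY | CVSS |        PACKAGE         |                VERSION                |         STATUS          | PUBLISHED  | DISCOVERED |                 DESCRIPTION                  |
+------------------+----------+------+------------------------+---------------------------------------+-------------------------+------------+------------+----------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2 | v0.22.0                               | fixed in 0.23.0         | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to  |
|                  |          |      |                        |                                       | 12 days ago             |            |            | read arbitrary amounts of header data.       |
+------------------+----------+------+------------------------+---------------------------------------+-------------------------+------------+------------+----------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2 | v0.7.0                                | fixed in 0.23.0         | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to  |
|                  |          |      |                        |                                       | 12 days ago             |            |            | read arbitrary amounts of header data.       |
+------------------+----------+------+------------------------+---------------------------------------+-------------------------+------------+------------+----------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | net/http               | 1.22.1                                | fixed in 1.21.9, 1.22.2 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to  |
|                  |          |      |                        |                                       | 12 days ago             |            |            | read arbitrary amounts of header data.       |
+------------------+----------+------+------------------------+---------------------------------------+-------------------------+------------+------------+----------------------------------------------+
| CVE-2023-3485    | low      | 3.00 | go.temporal.io/server  | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0         | > 9 months | < 1 hour   | Insecure defaults in open-source Temporal    |
|                  |          |      |                        |                                       | > 9 months ago          |            |            | Server before version 1.20.                  |
+------------------+----------+------+------------------------+---------------------------------------+-------------------------+------------+------------+----------------------------------------------+
| CVE-0000-0000    | high     | 7.80 | example-pkg            | 1.0.0                                 | open                    | > 1 years  | < 1 hour   | Constructed placeholder row with no fix.     |
+------------------+----------+------+------------------------+---------------------------------------+-------------------------+------------+------------+----------------------------------------------+
"""


def parse_report(text: str) -> list[dict]:
    """Parse the scanner's ASCII table into one dict per row.

    Rows are separated by '+----' rule lines. A row's first line carries every
    column; later lines are wrapped continuations (mostly of STATUS and
    DESCRIPTION) with the other cells left blank, so they are appended to the
    open row rather than treated as new findings.
    """
    findings: list[dict] = []
    current: dict | None = None
    for line in text.splitlines():
        if line.startswith("+"):            # rule line closes the open row
            if current:
                findings.append(current)
            current = None
            continue
        if not line.startswith("|"):        # summary lines, blank lines, etc.
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != len(COLUMNS) or cells[0] == "CVE":   # malformed / header
            continue
        if cells[0]:                        # first line of a finding
            current = dict(zip(COLUMNS, cells))
        elif current is not None:           # wrapped continuation line
            for key, extra in zip(COLUMNS, cells):
                if extra:
                    current[key] = f"{current[key]} {extra}".strip()
    if current:
        findings.append(current)
    return findings


def fix_version(status: str) -> str | None:
    """Return the fix version(s) named in a STATUS cell, or None if still open."""
    m = FIX_RE.match(status)
    return m.group(1) if m else None


def summarize(findings: list[dict]) -> dict:
    """Collapse per-row findings into the view a triager actually needs."""
    per_package: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        per_package[f["package"]].add(f["cve"])
    fixable = {(f["package"], f["version"], fix)
               for f in findings if (fix := fix_version(f["status"]))}
    unfixed = {(f["cve"], f["package"])
               for f in findings if fix_version(f["status"]) is None}
    return {
        "rows": len(findings),                      # what the scanner's "total" counts
        "unique_cves": sorted({f["cve"] for f in findings}),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "per_package": {p: sorted(c) for p, c in per_package.items()},
        "fixable": sorted(fixable),                 # (package, version, fix)
        "unfixed": sorted(unfixed),                 # (cve, package)
    }


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    print(f"{report['rows']} rows, {len(report['unique_cves'])} unique CVEs, "
          f"by severity: {report['by_severity']}")
    for pkg, ver, fix in report["fixable"]:
        print(f"  upgrade {pkg} {ver} -> {fix}")
    for cve, pkg in report["unfixed"]:
        print(f"  no fix yet: {cve} in {pkg}")
```

Feed it the full table from the report above (saved to a file and read into `parse_report`) to get the per-package upgrade list; the `fixable` tuples map directly onto the go.mod or package bumps a maintainer would make, while `unfixed` is the list that needs a risk decision rather than an upgrade.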

Specifications

  • Version: 1.23.0
  • Platform: N/A
sonpham96 (Author) commented May 2, 2024

@yycptt @yiminc, from what I found, the CVEs originate from the outdated dependencies in tctl, which is included in the temporal server image (config) and admin-tools image (config). I believe upgrading the versions in tctl's go.mod would resolve this issue and #5740.

yycptt (Member) commented May 2, 2024

tctl has already been deprecated and is no longer being maintained.
The binary is included in both server and admin-tools images but is not actually being used in any way.

In the next release (1.24.0) which is coming soon, tctl will be removed from both images.

yycptt (Member) commented May 2, 2024

Update: Team is still discussing if tctl should be removed from the next release. If not, we will update the dependencies in it to address security vulnerabilities.

hansliu commented May 15, 2024

We are also seeing these security vulnerabilities after deploying 1.23.0 via DockerHub, could I know any updates on this?

@josh-berry

So, many of these (pip, busybox, the various Postgres modules) have nothing to do with tctl, and tctl does not depend on them directly or indirectly. @yiminc For those I would still ask the server team to take a look.

For the remaining tctl issues, I've merged a fix which addresses all the relevant vulnerabilities—note that security scanning tools may still find vulnerabilities in code that happens to be linked in but is not used. (For example, I see that it's complaining about the HTTP library, because there's a server-side issue—but tctl does not contain an HTTP server.)

Will try to get a release out in a bit for server folks to pick up.

@josh-berry

tctl 1.18.1 will be available shortly; passing back to @alexshtin for the server side things.

@josh-berry josh-berry assigned alexshtin and unassigned josh-berry May 17, 2024