
Addressing a lot of security vulnerabilities in the latest Temporal server release 1.23.0 #5740

Open
sonpham96 opened this issue Apr 17, 2024 · 0 comments

@sonpham96

Expected Behavior

There are no CVEs found in the temporalio/server image.

Actual Behavior

There are 27 vulnerabilities found for image temporalio/server:1.23.0, including 5 high, 19 medium and 3 low CVEs.

Scan results:

Scan results for: image temporalio/server:1.23.0 sha256:5ace4dfce78a30f760d9a0550dceef17e47fac11374e83d85a2762cde767ea41
Vulnerabilities
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                                   PACKAGE                                   |                VERSION                |             STATUS              | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-47108   | high     | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.36.4                               | fixed in 0.46.0                 | > 5 months | < 1 hour   | OpenTelemetry-Go Contrib is a collection of        |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | third-party packages for OpenTelemetry-Go.         |
|                  |          |      |                                                                             |                                       |                                 |            |            | Prior to version 0.46.0, the grpc Unary Server     |
|                  |          |      |                                                                             |                                       |                                 |            |            | Interceptor out ...                                |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-47108   | high     | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.42.0                               | fixed in 0.46.0                 | > 5 months | < 1 hour   | OpenTelemetry-Go Contrib is a collection of        |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | third-party packages for OpenTelemetry-Go.         |
|                  |          |      |                                                                             |                                       |                                 |            |            | Prior to version 0.46.0, the grpc Unary Server     |
|                  |          |      |                                                                             |                                       |                                 |            |            | Interceptor out ...                                |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-39325   | high     | 7.50 | golang.org/x/net/http2                                                      | v0.7.0                                | fixed in 0.17.0                 | > 6 months | < 1 hour   | A malicious HTTP/2 client which rapidly creates    |
|                  |          |      |                                                                             |                                       | 51 days ago                     |            |            | requests and immediately resets them can cause     |
|                  |          |      |                                                                             |                                       |                                 |            |            | excessive server resource consumption. While the   |
|                  |          |      |                                                                             |                                       |                                 |            |            | total ...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | golang.org/x/net                                                            | v0.7.0                                | fixed in 0.17.0                 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 6 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | google.golang.org/grpc                                                      | v1.53.0                               | fixed in 1.58.3, 1.57.1, 1.56.3 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus                                                  | v1.9.0                                | fixed in v1.9.3                 | > 1 years  | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                                                             |                                       | > 1 years ago                   |            |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                                                             |                                       |                                 |            |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                                                             |                                       |                                 |            |            | without new...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                                                                        | 1.3.1-r0                              |                                 | > 3 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                  |          |      |                                                                             |                                       |                                 |            |            | to be vulnerable to memory corruption issues       |
|                  |          |      |                                                                             |                                       |                                 |            |            | affecting the deflation algorithm implementation   |
|                  |          |      |                                                                             |                                       |                                 |            |            | (deflate.c)...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                  |          |      |                                                                             |                                       |                                 |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                  |          |      |                                                                             |                                       |                                 |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                  |          |      |                                                                             |                                       |                                 |            |            | awk.c copyvar function.                            |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                  |          |      |                                                                             |                                       |                                 |            |            | allows attackers to cause a denial of service      |
|                  |          |      |                                                                             |                                       |                                 |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                  |          |      |                                                                             |                                       |                                 |            |            | funct...                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                  |          |      |                                                                             |                                       |                                 |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                  |          |      |                                                                             |                                       |                                 |            |            | BusyBox v.1.36.1.                                  |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2435    | moderate | 4.30 | github.com/temporalio/ui-server/v2                                          | v2.21.3                               | fixed in 2.25.0                 | 14 days    | < 1 hour   | For an attacker with pre-existing access to send   |
|                  |          |      |                                                                             |                                       | 14 days ago                     |            |            | a signal to a workflow, the attacker can make the  |
|                  |          |      |                                                                             |                                       |                                 |            |            | signal name a script that executes when a victim   |
|                  |          |      |                                                                             |                                       |                                 |            |            | vi...                                              |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-28180   | moderate | 0.00 | gopkg.in/square/go-jose.v2                                                  | v2.6.0                                | fixed in                        | 39 days    | < 1 hour   | Package jose aims to provide an implementation     |
|                  |          |      |                                                                             |                                       | 32 days ago                     |            |            | of the Javascript Object Signing and Encryption    |
|                  |          |      |                                                                             |                                       |                                 |            |            | set of standards. An attacker could send a JWE     |
|                  |          |      |                                                                             |                                       |                                 |            |            | containi...                                        |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/internal/sanitize                                   | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/pgproto3                                            | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/pgconn                                              | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json                           | v1.31.0                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson                               | v1.31.0                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json                           | v1.28.1                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson                               | v1.28.1                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.22.0                               | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | net/http                                                                    | 1.22.1                                | fixed in 1.21.9, 1.22.2         | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.7.0                                | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.18.0                               | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-3485    | low      | 3.00 | go.temporal.io/server                                                       | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0                 | > 9 months | < 1 hour   | Insecure defaults in open-source Temporal Server   |
|                  |          |      |                                                                             |                                       | > 9 months ago                  |            |            | before version 1.20 on all platforms allows an     |
|                  |          |      |                                                                             |                                       |                                 |            |            | attacker to craft a task token with access to a    |
|                  |          |      |                                                                             |                                       |                                 |            |            | namesp...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-25629   | low      | 0.00 | c-ares                                                                      | 1.24.0-r1                             | fixed in 1.27.0-r0              | 53 days    | < 1 hour   | c-ares is a C library for asynchronous DNS         |
|                  |          |      |                                                                             |                                       | 22 days ago                     |            |            | requests. `ares__read_line()` is used to           |
|                  |          |      |                                                                             |                                       |                                 |            |            | parse local configuration files such as            |
|                  |          |      |                                                                             |                                       |                                 |            |            | `/etc/resolv.conf`, `/etc/...                      |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511    | low      | 0.00 | openssl                                                                     | 3.1.4-r5                              | fixed in 3.1.4-r6               | n/a        | < 1 hour   | Issue summary: Some non-default TLS server         |
|                  |          |      |                                                                             |                                       | 7 days ago                      |            |            | configurations can cause unbounded memory growth   |
|                  |          |      |                                                                             |                                       |                                 |            |            | when processing TLSv1.3 sessions  Impact summary:  |
|                  |          |      |                                                                             |                                       |                                 |            |            | An attac...                                        |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image temporalio/server:1.23.0: total - 27, critical - 0, high - 5, medium - 19, low - 3
Vulnerability threshold check results: PASS

Compliance found for image temporalio/server:1.23.0: total - 0, critical - 0, high - 0, medium - 0, low - 0
Compliance threshold check results: PASS

Steps to Reproduce the Problem

  1. Pull the latest image temporalio/server:1.23.0 from Docker Hub
  2. Scan the image with any vulnerability scanner

Specifications

  • Version: 1.23.0
  • Platform: N/A
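Parsing the scanner table and summary line above and gating on severity, as an added example (Python). This is not the reporter's tooling, not Temporal's, and not any scanner's own output parser. The sample rows are copied in the scanner's pipe-delimited shape from the table in this issue, with the wrapped description cells dropped; the severity ladder, the `moderate` to `medium` alias, and all function names are assumptions. The scan above reports `PASS` with 5 high findings, so the gate here takes the lowest severity that should fail the check as a parameter instead of relying on the scanner's default threshold.

```python
"""Parse a scanner's CVE table and summary line, then apply a severity gate.

Added example, not the issue reporter's or Temporal's code. Assumes the
pipe-delimited row layout shown in the issue; the wrapped continuation rows
(empty CVE cell) and the +----+ separators are skipped.
"""
import re
from collections import Counter

# Constructed sample: the CVE rows from the issue, first six columns only.
SAMPLE_ROWS = """
+------------------+----------+------+------------------------+---------------------------------------+---------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2 | v0.18.0                               | fixed in 0.23.0     |
|                  |          |      |                        |                                       | 12 days ago         |
| CVE-2023-3485    | low      | 3.00 | go.temporal.io/server  | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0     |
| CVE-2024-25629   | low      | 0.00 | c-ares                 | 1.24.0-r1                             | fixed in 1.27.0-r0  |
| CVE-2024-2511    | low      | 0.00 | openssl                | 3.1.4-r5                              | fixed in 3.1.4-r6   |
+------------------+----------+------+------------------------+---------------------------------------+---------------------+
"""

# Constructed sample: the summary line printed at the end of the scan.
SAMPLE_SUMMARY = ("Vulnerabilities found for image temporalio/server:1.23.0: "
                  "total - 27, critical - 0, high - 5, medium - 19, low - 3")

# Scanners disagree on severity names; fold aliases onto one ladder (assumption).
SEVERITY_ALIASES = {"moderate": "medium", "important": "high", "negligible": "low"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

CVE_ROW = re.compile(r"^\|\s*(CVE-\d{4}-\d+)\s*\|")
FIXED_IN = re.compile(r"fixed in\s+(\S+)")
SUMMARY = re.compile(
    r"total - (\d+), critical - (\d+), high - (\d+), medium - (\d+), low - (\d+)"
)


def normalize_severity(raw):
    """Lower-case the scanner's label and map known aliases onto the ladder."""
    s = raw.strip().lower()
    return SEVERITY_ALIASES.get(s, s)


def parse_rows(text):
    """Return one dict per CVE row; separators and continuation rows are ignored."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not CVE_ROW.match(stripped):
            continue
        cells = [c.strip() for c in stripped.strip("|").split("|")]
        cve, severity, cvss, package, version, status = cells[:6]
        fixed = FIXED_IN.search(status)
        findings.append({
            "cve": cve,
            "severity": normalize_severity(severity),
            "cvss": float(cvss),
            "package": package,
            "version": version,
            # None means the scanner reported no fixed version for this finding.
            "fixed_in": fixed.group(1) if fixed else None,
        })
    return findings


def parse_summary(text):
    """Extract the per-severity totals from the scanner's summary line."""
    m = SUMMARY.search(text)
    if not m:
        raise ValueError("no summary line found")
    keys = ("total", "critical", "high", "medium", "low")
    return dict(zip(keys, map(int, m.groups())))


def count_by_severity(findings):
    """Tally parsed rows by normalized severity."""
    return Counter(f["severity"] for f in findings)


def gate(counts, fail_on="high"):
    """Return the severities at or above `fail_on` that have a non-zero count.

    An empty list means the gate passes; anything else should fail the build.
    """
    floor = SEVERITY_RANK[fail_on]
    ladder = sorted(SEVERITY_RANK, key=SEVERITY_RANK.get, reverse=True)
    return [s for s in ladder if SEVERITY_RANK[s] >= floor and counts.get(s, 0) > 0]


if __name__ == "__main__":
    for f in parse_rows(SAMPLE_ROWS):
        print(f"{f['cve']:16} {f['severity']:8} {f['package']} {f['version']} -> {f['fixed_in']}")
    summary = parse_summary(SAMPLE_SUMMARY)
    print("gate at high:", gate(summary, "high") or "PASS")
    print("gate at critical:", gate(summary, "critical") or "PASS")
```

To reproduce the issue itself, pull the image with `docker pull temporalio/server:1.23.0` and run any image scanner against it; the parser above only understands the table layout pasted in this issue, so other scanners' output would need their own row regex. Every row in the sample carries a `fixed in` version, which is the practical signal here: a rebuild against the updated base packages and Go modules clears them rather than a code change in Temporal itself.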