
[Bug]: CVE-2024-24790 #31913

Closed
1 of 16 tasks
kauabh opened this issue Jul 17, 2024 · 2 comments
kauabh commented Jul 17, 2024

What happened?

Hi, we are in the process of deploying custom Dataflow jobs using apache/beam_python3.10_sdk, but it seems to have a critical vulnerability, CVE-2024-24790.

It seems there are already PRs around it, but they are closed/have no activity; I wanted to know if there is any ETA on this.
#31526
#31586

Issue Priority

Priority: 0 (outage / urgent vulnerability)

Issue Components

  • Component: Python SDK
  • Component: Java SDK
  • Component: Go SDK
  • Component: Typescript SDK
  • Component: IO connector
  • Component: Beam YAML
  • Component: Beam examples
  • Component: Beam playground
  • Component: Beam katas
  • Component: Website
  • Component: Spark Runner
  • Component: Flink Runner
  • Component: Samza Runner
  • Component: Twister2 Runner
  • Component: Hazelcast Jet Runner
  • Component: Google Cloud Dataflow Runner
@damccorm (Contributor) commented

Hey @kaushikabhishek87, this should be fixed as part of the next release process (2.59.0). We bump our Go version as part of our release process to pick up the latest changes (based on https://go.dev/doc/devel/release).

Note that this shouldn't really impact Beam Python, since the underlying Go logic is just starting the Python executable, and I don't believe we make use of these methods.

Passing to @lostluck to resolve once we release 2.59.0 (or at least the version bump is in)

> It seems there are already PRs around it, but they are closed/have no activity; I wanted to know if there is any ETA on this.

Note that these don't actually address the underlying issue, which requires a Go version bump.

@lostluck (Contributor) commented

This will be fixed with the 2.58 release, currently in validation.

The CVE was fixed as part of the Go 1.22.4 release and the Beam 2.58 release binaries are using Go 1.22.5. See https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ

The Go version for the boot loaders was updated in #31812, which is part of the release.

The other linked issues are unrelated deprecated docker package issues that do not affect the SDK bootloaders. The docker package isn't well behaved and constantly makes breaking changes in minor versions. But as it's merely calling out to the local docker daemon, the risks are much lower. Again, docker is not used on the SDK boot path. It's used in this instance by the prism runner for local use.

I'm going to close this issue as a result of the above, but thank you for the report!

@github-actions github-actions bot added this to the 2.59.0 Release milestone Jul 24, 2024
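Two things a practitioner reading the thread above will want to check for themselves: what CVE-2024-24790 actually does (the `net/netip` `Addr` predicates such as `IsLoopback` and `IsPrivate` returned false for IPv4-mapped IPv6 addresses like `::ffff:127.0.0.1` before go1.21.11 / go1.22.4), and whether a given Go toolchain carries the fix. The block below is an added example written for this page; it is not Beam code, not code from the Go project, and, as damccorm notes, the Beam bootloader does not call these methods at all. The function names (`toolchainHasFix`, `naiveIsInternal`, `hardenedIsInternal`, `classify`) and the sample addresses are constructed for illustration. It shows the vulnerable allow-list pattern beside the form hardened with `Addr.Unmap`, which is correct on both fixed and unfixed toolchains, and a version check you can feed the output of `go version -m <binary>` (assuming the Beam SDK image keeps its bootloader at `/opt/apache/beam/boot`; verify the path in your image).

```go
package main

import (
	"fmt"
	"net/netip"
	"runtime"
)

// toolchainHasFix reports whether a Go toolchain version string (as printed by
// `go version`, runtime.Version(), or `go version -m <binary>`) includes the
// net/netip fix for CVE-2024-24790, which shipped in go1.21.11 and go1.22.4.
// Anything that cannot be parsed (e.g. "devel ...") is treated as unfixed.
func toolchainHasFix(version string) bool {
	var major, minor, patch int
	n, _ := fmt.Sscanf(version, "go%d.%d.%d", &major, &minor, &patch)
	if n < 2 {
		return false
	}
	switch {
	case major > 1 || minor >= 23:
		return true
	case minor == 22:
		return patch >= 4
	case minor == 21:
		return patch >= 11
	default:
		return false // go1.20 and older never received the fix
	}
}

// naiveIsInternal is the allow-list style check an application might write to
// keep callbacks or proxied requests away from loopback/private targets. It
// calls the netip predicates on the address exactly as given. On an unfixed
// toolchain, ::ffff:127.0.0.1 (IPv4-mapped IPv6) returns false here even
// though 127.0.0.1 returns true, so the check can be bypassed.
func naiveIsInternal(a netip.Addr) bool {
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsUnspecified()
}

// hardenedIsInternal strips the ::ffff:0:0/96 prefix first with Unmap, so the
// predicates see the embedded IPv4 address whether or not the toolchain
// carries the fix. Unmap is a no-op for plain IPv4 and native IPv6.
func hardenedIsInternal(a netip.Addr) bool {
	return naiveIsInternal(a.Unmap())
}

// classify parses s and returns both verdicts so they can be diffed on the
// toolchain in use; a divergence means that toolchain is affected.
func classify(s string) (naive, hardened bool, err error) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return false, false, err
	}
	return naiveIsInternal(a), hardenedIsInternal(a), nil
}

func main() {
	v := runtime.Version()
	fmt.Printf("running on %s (carries CVE-2024-24790 fix: %v)\n", v, toolchainHasFix(v))

	// Constructed sample inputs: plain IPv4, IPv4-mapped IPv6, and native IPv6.
	samples := []string{
		"127.0.0.1", "::ffff:127.0.0.1",
		"10.0.0.5", "::ffff:10.0.0.5",
		"::ffff:8.8.8.8",
		"::1", "fd00::1", "2001:db8::1",
	}
	for _, s := range samples {
		naive, hardened, err := classify(s)
		if err != nil {
			fmt.Println(s, err)
			continue
		}
		flag := ""
		if naive != hardened {
			flag = "  <-- CVE-2024-24790 divergence"
		}
		fmt.Printf("%-18s naive=%-5v unmapped=%-5v%s\n", s, naive, hardened, flag)
	}
}
```

On a fixed toolchain the two columns agree for every sample; on go1.22.3 or older the `::ffff:` rows diverge. To check a shipped container rather than your local toolchain, run `go version -m` against the Go binary inside the image and pass the reported `go1.x.y` string to `toolchainHasFix`.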