
Addressing a lot of security vulnerabilities in the Temporalio/server release 1.25.2.0 #6976

Open
LauVietVan opened this issue Dec 12, 2024 · 0 comments

Comments

@LauVietVan

Expected Behavior

No more CVEs found.

Actual Behavior

There are a lot of CVEs found from the latest Temporal image:
temporalio/server:1.25.2.0

Steps to Reproduce the Problem

  1. Pull the latest image temporalio/server:1.25.2.0 from Dockerhub
  2. Scan the image with any vulnerability scanner
Scan results for: image temporalio/server:1.25.2.0 sha256:efb68cf7ec1e22ccb1244d4e3f25561c8c71c56aa201d70387adb7e747cb85d3
Vulnerabilities
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
|       CVE        | SEVERITY | CVSS |           PACKAGE            |                VERSION                |             STATUS              |  PUBLISHED  | DISCOVERED |                          DESCRIPTION                          |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-6197    | high     | 7.50 | curl                         | 8.5.0-r0                              | fixed in 8.9.0-r0               | > 4 months  | < 1 hour   | libcurl's ASN1 parser has this utf8asn1str()                  |
|                  |          |      |                              |                                       | > 4 months ago                  |             |            | function used for parsing an ASN.1 UTF-8 string.              |
|                  |          |      |                              |                                       |                                 |             |            | Itcan detect an invalid field and return error.               |
|                  |          |      |                              |                                       |                                 |             |            | Unfortu...                                                    |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-9681    | medium   | 6.50 | curl                         | 8.5.0-r0                              |                                 | 35 days     | < 1 hour   | When curl is asked to use HSTS, the expiry time               |
|                  |          |      |                              |                                       |                                 |             |            | for a subdomain might overwrite a parent domain's             |
|                  |          |      |                              |                                       |                                 |             |            | cache entry, making it end sooner or later than               |
|                  |          |      |                              |                                       |                                 |             |            | oth...                                                        |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus   | v1.4.2                                | fixed in v1.9.3                 | > 1 years   | < 1 hour   | The github.com/sirupsen/logrus module of all                  |
|                  |          |      |                              |                                       | > 1 years ago                   |             |            | versions is vulnerable to denial of service.                  |
|                  |          |      |                              |                                       |                                 |             |            | Logging more than 64kb of data in a single entry              |
|                  |          |      |                              |                                       |                                 |             |            | without new...                                                |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                         | 1.3.1-r0                              |                                 | > 11 months | < 1 hour   | Cloudflare version of zlib library was found                  |
|                  |          |      |                              |                                       |                                 |             |            | to be vulnerable to memory corruption issues                  |
|                  |          |      |                              |                                       |                                 |             |            | affecting the deflation algorithm implementation              |
|                  |          |      |                              |                                       |                                 |             |            | (deflate.c)...                                                |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                      | 1.36.1-r15                            | fixed in 1.36.1-r16             | > 1 years   | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox              |
|                  |          |      |                              |                                       | > 6 months ago                  |             |            | v.1.36.1 in the next_token function at awk.c:1159.            |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                      | 1.36.1-r15                            | fixed in 1.36.1-r19             | > 1 years   | < 1 hour   | A use-after-free vulnerability was discovered in              |
|                  |          |      |                              |                                       | > 6 months ago                  |             |            | BusyBox v.1.36.1 via a crafted awk pattern in the             |
|                  |          |      |                              |                                       |                                 |             |            | awk.c copyvar function.                                       |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                      | 1.36.1-r15                            | fixed in 1.36.1-r19             | > 1 years   | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1            |
|                  |          |      |                              |                                       | > 6 months ago                  |             |            | allows attackers to cause a denial of service                 |
|                  |          |      |                              |                                       |                                 |             |            | via a crafted awk pattern in the awk.c evaluate               |
|                  |          |      |                              |                                       |                                 |             |            | funct...                                                      |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                      | 1.36.1-r15                            | fixed in 1.36.1-r17             | > 1 years   | < 1 hour   | A use-after-free vulnerability was discovered                 |
|                  |          |      |                              |                                       | > 6 months ago                  |             |            | in xasprintf function in xfuncs_printf.c:344 in               |
|                  |          |      |                              |                                       |                                 |             |            | BusyBox v.1.36.1.                                             |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-0853    | medium   | 5.30 | curl                         | 8.5.0-r0                              | fixed in 8.6.0-r0               | > 10 months | < 1 hour   | curl inadvertently kept the SSL session ID for                |
|                  |          |      |                              |                                       | > 4 months ago                  |             |            | connections in its cache even when the verify                 |
|                  |          |      |                              |                                       |                                 |             |            | status (*OCSP stapling*) test failed. A subsequent            |
|                  |          |      |                              |                                       |                                 |             |            | transf...                                                     |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-6874    | medium   | 4.30 | curl                         | 8.5.0-r0                              | fixed in 8.9.0-r0               | > 4 months  | < 1 hour   | libcurl's URL API function                                    |
|                  |          |      |                              |                                       | > 4 months ago                  |             |            | [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) |
|                  |          |      |                              |                                       |                                 |             |            | offers punycode conversions, to and from IDN. Asking to       |
|                  |          |      |                              |                                       |                                 |             |            | conv...                                                       |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2689    | medium   | 0.00 | go.temporal.io/server        | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.5, 1.21.6, 1.22.7 | > 6 months  | < 1 hour   | Denial of Service in Temporal Server prior to                 |
|                  |          |      |                              |                                       | > 6 months ago                  |             |            | version 1.20.5, 1.21.6, and 1.22.7 allows an                  |
|                  |          |      |                              |                                       |                                 |             |            | authenticated user who has permissions to interact            |
|                  |          |      |                              |                                       |                                 |             |            | with wor...                                                   |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-3485    | low      | 3.60 | go.temporal.io/server        | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0                 | > 3 months  | < 1 hour   | Insecure defaults in open-source Temporal Server              |
|                  |          |      |                              |                                       | > 1 years ago                   |             |            | before version 1.20 on all platforms allows an                |
|                  |          |      |                              |                                       |                                 |             |            | attacker to craft a task token with access to a               |
|                  |          |      |                              |                                       |                                 |             |            | namesp...                                                     |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-9143    | low      | 0.00 | openssl                      | 3.1.4-r5                              | fixed in 3.1.7-r1               | 56 days     | < 1 hour   | Issue summary: Use of the low-level GF(2^m)                   |
|                  |          |      |                              |                                       | 52 days ago                     |             |            | elliptic curve APIs with untrusted explicit values            |
|                  |          |      |                              |                                       |                                 |             |            | for the field polynomial can lead to out-of-bounds            |
|                  |          |      |                              |                                       |                                 |             |            | memo...                                                       |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-6119    | low      | 0.00 | openssl                      | 3.1.4-r5                              | fixed in 3.1.7-r0               | > 3 months  | < 1 hour   | Issue summary: Applications performing certificate            |
|                  |          |      |                              |                                       | > 3 months ago                  |             |            | name checks (e.g., TLS clients checking server                |
|                  |          |      |                              |                                       |                                 |             |            | certificates) may attempt to read an invalid                  |
|                  |          |      |                              |                                       |                                 |             |            | memory ...                                                    |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-5535    | low      | 0.00 | openssl                      | 3.1.4-r5                              | fixed in 3.1.6-r0               | > 5 months  | < 1 hour   | Issue summary: Calling the OpenSSL API function               |
|                  |          |      |                              |                                       | > 5 months ago                  |             |            | SSL_select_next_proto with an empty supported                 |
|                  |          |      |                              |                                       |                                 |             |            | client protocols buffer may cause a crash or                  |
|                  |          |      |                              |                                       |                                 |             |            | memory cont...                                                |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-51744   | low      | 0.00 | github.com/golang-jwt/jwt/v4 | v4.5.0                                | fixed in 4.5.1                  | 37 days     | < 1 hour   | golang-jwt is a Go implementation of JSON Web                 |
|                  |          |      |                              |                                       | 37 days ago                     |             |            | Tokens. Unclear documentation of the error                    |
|                  |          |      |                              |                                       |                                 |             |            | behavior in `ParseWithClaims` can lead to                     |
|                  |          |      |                              |                                       |                                 |             |            | situation where use...                                        |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-4741    | low      | 0.00 | openssl                      | 3.1.4-r5                              | fixed in 3.1.6-r0               | 28 days     | < 1 hour   | Issue summary: Calling the OpenSSL API function               |
|                  |          |      |                              |                                       | > 5 months ago                  |             |            | SSL_free_buffers may cause memory to be accessed              |
|                  |          |      |                              |                                       |                                 |             |            | that was previously freed in some situations                  |
|                  |          |      |                              |                                       |                                 |             |            | Impact ...                                                    |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-4603    | low      | 0.00 | openssl                      | 3.1.4-r5                              | fixed in 3.1.5-r0               | > 6 months  | < 1 hour   | Issue summary: Checking excessively long DSA                  |
|                  |          |      |                              |                                       | > 6 months ago                  |             |            | keys or parameters may be very slow.  Impact                  |
|                  |          |      |                              |                                       |                                 |             |            | summary: Applications that use the functions                  |
|                  |          |      |                              |                                       |                                 |             |            | EVP_PKEY_param_...                                            |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-25629   | low      | 0.00 | c-ares                       | 1.24.0-r1                             | fixed in 1.27.0-r0              | > 9 months  | < 1 hour   | c-ares is a C library for asynchronous DNS                    |
|                  |          |      |                              |                                       | > 8 months ago                  |             |            | requests. `ares__read_line()` is used to                      |
|                  |          |      |                              |                                       |                                 |             |            | parse local configuration files such as                       |
|                  |          |      |                              |                                       |                                 |             |            | `/etc/resolv.conf`, `/etc/...                                 |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2511    | low      | 0.00 | openssl                      | 3.1.4-r5                              | fixed in 3.1.4-r6               | > 8 months  | < 1 hour   | Issue summary: Some non-default TLS server                    |
|                  |          |      |                              |                                       | > 8 months ago                  |             |            | configurations can cause unbounded memory growth              |
|                  |          |      |                              |                                       |                                 |             |            | when processing TLSv1.3 sessions  Impact summary:             |
|                  |          |      |                              |                                       |                                 |             |            | An attac...                                                   |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2466    | low      | 0.00 | curl                         | 8.5.0-r0                              | fixed in 8.7.1-r0               | > 8 months  | < 1 hour   | libcurl did not check the server certificate of               |
|                  |          |      |                              |                                       | > 4 months ago                  |             |            | TLS connections done to a host specified as an IP             |
|                  |          |      |                              |                                       |                                 |             |            | address, when built to use mbedTLS.  libcurl would            |
|                  |          |      |                              |                                       |                                 |             |            | w...                                                          |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2398    | low      | 0.00 | curl                         | 8.5.0-r0                              | fixed in 8.7.1-r0               | > 8 months  | < 1 hour   | When an application tells libcurl it wants to                 |
|                  |          |      |                              |                                       | > 4 months ago                  |             |            | allow HTTP/2 server push, and the amount of                   |
|                  |          |      |                              |                                       |                                 |             |            | received headers for the push surpasses the                   |
|                  |          |      |                              |                                       |                                 |             |            | maximum allowed ...                                           |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2379    | low      | 0.00 | curl                         | 8.5.0-r0                              | fixed in 8.7.1-r0               | > 8 months  | < 1 hour   | libcurl skips the certificate verification for                |
|                  |          |      |                              |                                       | > 4 months ago                  |             |            | a QUIC connection under certain conditions,                   |
|                  |          |      |                              |                                       |                                 |             |            | when built to use wolfSSL. If told to use an                  |
|                  |          |      |                              |                                       |                                 |             |            | unknown/bad ci...                                             |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2004    | low      | 0.00 | curl                         | 8.5.0-r0                              | fixed in 8.7.1-r0               | > 8 months  | < 1 hour   | When a protocol selection parameter option                    |
|                  |          |      |                              |                                       | > 4 months ago                  |             |            | disables all protocols without adding any then                |
|                  |          |      |                              |                                       |                                 |             |            | the default set of protocols would remain in the              |
|                  |          |      |                              |                                       |                                 |             |            | allowed set...                                                |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+-------------+------------+---------------------------------------------------------------+

Vulnerabilities found for image temporalio/server:1.25.2.0: total - 24, critical - 0, high - 1, medium - 10, low - 13
Vulnerability threshold check results: PASS

Specifications

  • Version: temporalio/server:1.25.2.0
  • Platform: