Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: suggestion regarding GO-2022-0646 #3285

Open
jcmackie opened this issue Nov 22, 2024 · 4 comments
Open

x/vulndb: suggestion regarding GO-2022-0646 #3285

jcmackie opened this issue Nov 22, 2024 · 4 comments
Assignees
@tatianab
Labels
Suggested Edit

Comments

@jcmackie
Copy link

Report ID

GO-2022-0646

Suggestion/Comment

Hello team,

I wanted to let you know that we've recently become aware that aws-sdk-go is still vulnerable to CVE-2020-8911.

CVE-2020-8911 is listed as an alias of GO-2022-0646, which I think might not be true as they are different vulnerabilities, I believe.

You can see where some other sites classify even the latest version of this library as still vulnerable:
https://nvd.nist.gov/vuln/detail/cve-2020-8911

Up to (excluding) 2.0

https://www.cve.org/CVERecord?id=CVE-2020-8911

affected from stable through V1

We have even confirmed with AWS themselves that the V1 clients which are still part of the SDK are still vulnerable to this issue.
They have decided to keep them in the library and accessible for compatibility reasons.

If you can update the status for your VULN DB for this library, that will make it easier for teams and projects to understand the risk, and hopefully encourage them to upgrade to V2.

Regards,
James Mackie
@tatianab tatianab self-assigned this Dec 9, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/635736 mentions this issue: data/reports: add GO-2022-0635, review GO-2022-0646

gopherbot pushed a commit that referenced this issue Dec 12, 2024
@tatianab @gopherbot
data/reports: add GO-2022-0635, review GO-2022-0646
dee8c78 
Split GO-2022-0646 into 2 reports. (They are different vulnerabilities
which we had previously decided to merge - this is in line with our
new goal of closely matching the structure of 3rd party reports).

Remove the fixed version which is not correct. The vulnerability
is present in all of V1. Add a note so we don't re-introduce the mistake.

  - data/reports/GO-2022-0635.yaml
  - data/reports/GO-2022-0646.yaml

Fixes #635
Fixes #646
Updates #3285

Change-Id: I6a3c4547015a24489f2d62bb9b8fffebd927cef0
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635736
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
@tatianab
Copy link
Contributor

Hi, thanks for bringing this up. I have split the reports and removed the fixed version.

@jcmackie
Copy link
Author

Thanks so much for the quick response @tatianab.

I was just curious about one thing. In the new report that's been created, the CVE ID is:

cves:
    - CVE-2020-8912

But I think it should probably be CVE-2020-8911, unless I am mistaken about that?
CVE-2020-8912 is a similar but different attack on AES-GCM used in the V1 clients.

Interesting to note is that AWS say in their blog about this:

As AES-GCM is now supported and performant in all modern runtimes and languages, we’re removing AES-CBC as an option for encrypting new objects.

But as far as I can tell, it's still trivially easy to use AES-CBC to encrypt new objects using the V1 clients.

Kind regards,
James

@tatianab tatianab reopened this Dec 13, 2024
@tatianab
Copy link
Contributor

Hi @jcmackie, apologies for the delay. There are now two reports: https://pkg.go.dev/vuln/GO-2022-0635 covering CVE-2020-8912 and https://pkg.go.dev/vuln/GO-2022-0646 covering CVE-2020-8911. Is this correct, or is there still something that should be changed?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
Suggested Edit
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jcmackie @tatianab @gopherbot