Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(security): vulnerabilities found in cactus-connector-besu #2040

Closed
zondervancalvez opened this issue May 24, 2022 · 4 comments
Closed

fix(security): vulnerabilities found in cactus-connector-besu #2040

zondervancalvez opened this issue May 24, 2022 · 4 comments
Labels
Besu dependencies Pull requests that update a dependency file P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities

Comments

@zondervancalvez
Copy link
Contributor

List of vulnerabilities found in cactus-connector-besu image during Azure Container scan.

VULNERABILITY ID PACKAGE NAME SEVERITY
CVE-2022-24407 libsasl2-2 HIGH
CVE-2022-24407 libsasl2-modules HIGH
CVE-2022-24407 libsasl2-modules-db HIGH
CVE-2021-3711 libssl1.1 HIGH
CVE-2022-0778 libssl1.1 HIGH
CVE-2021-3711 openssl HIGH
CVE-2022-0778 openssl HIGH
CVE-2021-3807 ansi-regex HIGH
CVE-2021-3807 ansi-regex HIGH
CVE-2021-43138 async HIGH
CVE-2021-3749 axios HIGH
CVE-2022-22143 convict HIGH
CVE-2022-21676 engine.io HIGH
CVE-2020-8203 lodash HIGH
CVE-2021-23337 lodash HIGH
CVE-2022-24771 node-forge HIGH
CVE-2022-24772 node-forge HIGH
CVE-2021-32803 tar HIGH
CVE-2021-32804 tar HIGH
CVE-2021-37701 tar HIGH
CVE-2021-37712 tar HIGH
CVE-2021-37713 tar HIGH
CVE-2021-23358 underscore HIGH
@petermetz petermetz added P1 Priority 1: Highest Besu dependencies Pull requests that update a dependency file Security Related to existing or potential security vulnerabilities labels May 31, 2022
@petermetz
Copy link
Contributor

Depends on #2054

@aldousalvarez
Copy link
Contributor

Hello @petermetz Can you assign me on this one? Thank you!

@aldousalvarez
Copy link
Contributor

Hello @petermetz after examining the vulnerabilities, Below is the table of the proposed solution for vulnerabilities found in cactus-connector-besu

<style> </style>
VULNERABILITY ID PACKAGE NAME SOLUTION (version) AFFECTED VERSION PROPOSED SOLUTION
CVE-2022-24407 libsasl2-2     after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2022-24407 libsasl2-modules     after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2022-24407 libsasl2-modules-db     after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2021-3711 libssl1.1     after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2022-0778 libssl1.1 300.0.5 111.18 Affected versions openssl-rc >= 300.0, < 300.0.5 < 111.18 after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2021-3711 openssl     after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2022-0778 openssl 300.0.5 111.18 Affected versions openssl-rc >= 300.0, < 300.0.5 < 111.18 after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2021-3807 ansi-regex 6.0.1 5.0.1 4.1.1 3.0.1 Affected versions >= 6.0.0, < 6.0.1 >= 5.0.0, < 5.0.1 >= 4.0.0, < 4.1.1 >= 3.0.0, < 3.0.1 already the Solution (version)
CVE-2021-3807 ansi-regex 6.0.1 5.0.1 4.1.1 3.0.1 Affected versions >= 6.0.0, < 6.0.1 >= 5.0.0, < 5.0.1 >= 4.0.0, < 4.1.1 >= 3.0.0, < 3.0.1 already the Solution(version)
CVE-2021-43138 async 3.2.2 2.6.4 Affected versions >= 3.0.0, < 3.2.2 >= 2.0.0, < 2.6.4 after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2021-3749 axios 0.21.2 Affected versions < 0.21.2 after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2022-22143 convict 6.2.3 Affected versions < 6.2.3 already the correct version based on package.json of cactus-cmd-api-server (need to release @hyperledger/cactus-cmd-api-server@1.1.0)
CVE-2022-21676 engine.io 4.1.2 5.2.1 6.1.1 Affected versions >= 4.0.0, < 4.1.2 >= 5.0.0, < 5.2.1 >= 6.0.0, < 6.1.1 the version that is being used is more latest than the solution version
CVE-2020-8203 lodash 4.17.20 Affected versions < 4.17.20 already done (need to release @hyperledger/cactus-plugin-ledger-connector-besu@1.1.0 version of the package)
CVE-2021-23337 lodash 4.17.21 Affected versions < 4.17.21 already done (need to release @hyperledger/cactus-plugin-ledger-connector-besu@1.1.0 version of the package)
CVE-2022-24771 node-forge 1.3.0 Affected versions < 1.3.0 already the correct version used by cactus (need to release v@1.1.0)
CVE-2022-24772 node-forge 1.3.0 Affected versions < 1.3.0 already the correct version used by cactus (need to release v@1.1.0)
CVE-2021-32803 tar 3.2.3 4.4.15 5.0.7 6.1.2 Affected versions < 3.2.3 >= 4.0.0, < 4.4.15 >= 5.0.0, < 5.0.7 >= 6.0.0, < 6.1.2 This is already fixed in our current package version which is 4.4.19
CVE-2021-32804 tar 3.2.2 4.4.14 5.0.6 6.1.1 Affected versions < 3.2.2 >= 4.0.0, < 4.4.14 >= 5.0.0, < 5.0.6 >= 6.0.0, < 6.1.1 This is already fixed in our current package version which is 4.4.19
CVE-2021-37701 tar 4.4.16 5.0.8 6.1.7 Affected versions < 4.4.16 >= 5.0.0, < 5.0.8 >= 6.0.0, < 6.1.7 This is already fixed in our current package version which is 6.1.11
CVE-2021-37712 tar 4.4.18 5.0.10 6.1.9 Affected versions < 4.4.18 >= 5.0.0, < 5.0.10 >= 6.0.0, < 6.1.9 This is already fixed in our current package version which is 6.1.11
CVE-2021-37713 tar 4.4.18 5.0.10 6.1.9 Affected versions < 4.4.18 >= 5.0.0, < 5.0.10 >= 6.0.0, < 6.1.9 This is already fixed in our current package version which is 6.1.11
CVE-2021-23358 underscore 1.12.1 Affected versions >= 1.3.2, < 1.12.1 already done (need to release @hyperledger/cactus-plugin-ledger-connector-besu@1.1.0 version of the package)
additional vulnerabilities detected after the latest scan        
CVE-2022-24434 dicer <= 0.3.1 None can be fixed by upgrading the express-openapi-validator v 4.13.8 at packages/cactus-core/package.json
CVE-2021-3918 json-schema <0.4.0 0.4.0 already the solution (version) no packages are using the affected version
CVE-2022-21190 convict <6.2.3 6.2.3 already the correct version based on package.json of cactus-cmd-api-server (need to release @hyperledger/cactus-cmd-api-server@1.1.0)
CVE-2022-25878 protobufjs 6.11.3 Affected versions < 6.11.3 This is already fixed in our current package version which is 6.11.3
CVE-2022-29244 npm 8.11.0 >= 7.9.0, < 8.11.0 needs updated cactus-cmd-api-server image with the fix of this new ticket #2136
CVE-2021-39135 "@npmcli/arborist" 2.8.2 <2.8.2 needs updated cactus-cmd-api-server image with the fix of this ticket #2136

aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Dec 23, 2022
@aldousalvarez
fix(security): vulnerabilities found in cactus-connector-besu
03b760d 
Fixes hyperledger-cacti#2040

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
@aldousalvarez aldousalvarez mentioned this issue Dec 23, 2022
Closed
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Dec 23, 2022
@aldousalvarez
fix(security): vulnerabilities found in cactus-connector-besu
67f7c48 
Fixes hyperledger-cacti#2040

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 3, 2023
@aldousalvarez
fix(security): vulnerabilities found in cactus-connector-besu
048257a 
Fixes hyperledger-cacti#2040

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 4, 2023
@aldousalvarez
fix(security): vulnerabilities found in cactus-connector-besu
3c61d5e 
Fixes hyperledger-cacti#2040

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 4, 2023
@aldousalvarez
fix(security): vulnerabilities found in cactus-connector-besu
74ce012 
Fixes hyperledger-cacti#2040

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 4, 2023
@aldousalvarez
fix(security): vulnerabilities found in cactus-connector-besu
6973b08 
Fixes hyperledger-cacti#2040

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Feb 1, 2023
@aldousalvarez
fix(security): vulnerabilities found in cactus-connector-besu
ce63556 
Fixes hyperledger-cacti#2040

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
ruzell22 pushed a commit to ruzell22/cactus that referenced this issue Mar 15, 2023
@aldousalvarez @ruzell22
fix(security): vulnerabilities found in cactus-connector-besu
54a1077 
Fixes hyperledger-cacti#2040

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Mar 29, 2023
@aldousalvarez
fix(cactus-connector-besu): mitigate CVE-2022-24434 and CVE-2022-24999
c86a61f 
Fixes hyperledger-cacti#2040

These changes will fix the following
vulnerabilities with their CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Apr 5, 2023
@aldousalvarez
fix(cactus-connector-besu): mitigate CVE-2022-24434 and CVE-2022-24999
6df4b7b 
Fixes hyperledger-cacti#2040

These changes will fix the following
vulnerabilities with their CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
@petermetz
Copy link
Contributor

Fixed in another pull request, see the PR page for details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Besu dependencies Pull requests that update a dependency file P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(cactus-connector-besu): mitigate CVE-2022-24434 and CVE-2022-24999 aldousalvarez/cactus
3 participants
@petermetz @zondervancalvez @aldousalvarez