
fix(security): upgrade web3 to upgrade elliptic > 6.5.4 #1639

Closed
petermetz opened this issue Dec 8, 2021 · 0 comments · Fixed by #1640
Assignees: @petermetz
Labels: Besu; dependencies (Pull requests that update a dependency file); P1 (Priority 1: Highest); Quorum; Security (Related to existing or potential security vulnerabilities); Xdai (Tasks/bugs related to the Xdai network and the corresponding ledger connector plugin in Cactus)

Comments

petermetz (Contributor) commented Dec 8, 2021

Looked for web3 versions in package.json files with:

$ grep -r -i --include=package.json '"web3' ./ --exclude-dir=node_modules
./packages/cactus-plugin-ledger-connector-go-ethereum-socketio/package.json:    "web3": "^0.20.0"
./packages/cactus-plugin-ledger-connector-go-ethereum-socketio/src/test/typescript/unit-test/package.json:    "web3": "^1.2.9",
./packages/cactus-plugin-htlc-eth-besu/package.json:    "web3": "1.5.2",
./packages/cactus-plugin-htlc-eth-besu/package.json:    "web3-eea": "0.11.0"
./packages/cactus-test-plugin-ledger-connector-quorum/package.json:    "web3": "1.5.2"
./packages/cactus-test-plugin-ledger-connector-besu/package.json:    "web3": "1.5.2",
./packages/cactus-test-plugin-ledger-connector-besu/package.json:    "web3-eea": "0.11.0"
./packages/cactus-plugin-ledger-connector-xdai/package.json:    "web3": "1.5.2",
./packages/cactus-plugin-ledger-connector-xdai/package.json:    "web3-utils": "1.5.2"
./packages/cactus-test-api-client/package.json:    "web3": "1.5.2"
./packages/cactus-test-tooling/package.json:    "web3": "1.5.2",
./packages/cactus-test-tooling/package.json:    "web3-core": "1.5.2"
./packages/cactus-plugin-ledger-connector-besu/package.json:    "web3": "1.5.2",
./packages/cactus-plugin-ledger-connector-besu/package.json:    "web3-core": "1.5.2",
./packages/cactus-plugin-ledger-connector-besu/package.json:    "web3-eea": "0.11.0",
./packages/cactus-plugin-ledger-connector-besu/package.json:    "web3-eth": "1.5.2",
./packages/cactus-plugin-ledger-connector-besu/package.json:    "web3-utils": "1.5.2"
./packages/cactus-plugin-ledger-connector-besu/package.json:    "web3-core": "1.5.1",
./packages/cactus-plugin-ledger-connector-besu/package.json:    "web3-eth": "1.5.1"
./packages/cactus-plugin-odap-hermes/package.json:    "web3": "1.2.7",
./packages/cactus-plugin-odap-hermes/package.json:    "web3-utils": "1.2.7"
./packages/cactus-test-plugin-htlc-eth-besu/package.json:    "web3": "1.5.2",
./packages/cactus-test-plugin-htlc-eth-besu/package.json:    "web3-eea": "0.11.0"
./packages/cactus-cmd-socketio-server/package.json:    "web3": "^1.2.9",
./packages/cactus-plugin-ledger-connector-quorum/package.json:    "web3": "1.5.2",
./packages/cactus-plugin-ledger-connector-quorum/package.json:    "web3-eth-contract": "1.5.2"
./packages/cactus-plugin-ledger-connector-quorum/package.json:    "web3-eth": "1.5.2"
./contribs/Fujitsu-ConnectionChain/connection-chain/environment/sample/cc_env/servers/cooperation/ecSide/connector/lib/ec2_dependent/package.json:    "web3": "^0.20.0"
./contribs/Fujitsu-ConnectionChain/connection-chain/environment/sample/cc_env/servers/cooperation/ecSide/connector/lib/ec1_dependent/package.json:    "web3": "^0.20.0"
./examples/cartrade/package.json:    "web3": "^1.2.9",
./examples/cartrade/validatorDriver/package.json:    "web3": "^1.2.9",
./examples/cartrade/script-test-getFunctions/go-ethereum/package.json:    "web3": "^0.20.7"
./examples/cactus-example-supply-chain-backend/package.json:    "web3-core": "1.5.2"
./examples/electricity-trade/package.json:    "web3": "^1.2.9",
./examples/electricity-trade/tools/transferNumericAsset/package.json:    "web3": "^1.2.9",
./examples/discounted-cartrade/package.json:    "web3": "^1.2.9",
./examples/discounted-cartrade/validatorDriver/package.json:    "web3": "^1.2.9",
./examples/discounted-cartrade/script-test-getFunctions/go-ethereum/package.json:    "web3": "^0.20.7"
./examples/test-run-transaction/package.json:    "web3": "^1.2.9",
./examples/cactus-example-carbon-accounting-backend/package.json:    "web3-core": "1.5.2",
./examples/cactus-example-carbon-accounting-backend/package.json:    "web3-utils": "1.5.2"

2 elliptic vulnerabilities found in yarn.lock 16 days ago
Remediation
Upgrade elliptic to version 6.5.4 or later. For example:

elliptic@^6.5.4:
version "6.5.4"
Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2020-28498 GHSA-r9p9-mrjm-926w
moderate severity
Vulnerable versions: < 6.5.4
Patched version: 6.5.4
The npm package elliptic before version 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

CVE-2020-13822 GHSA-vh7m-p724-62c2
high severity
Vulnerable versions: < 6.5.3
Patched version: 6.5.3
The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Assignees: @petermetz
Labels: Security, dependencies, P1, bug
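The two advisories quoted above boil down to two missing input checks: an ECDH peer point that is never verified to lie on secp256k1, and signatures accepted in more than one encoding. The following is an added example, not code from the Cacti project or from the elliptic library, that shows in dependency-free JavaScript (BigInt) what those checks look like so a caller can validate inputs before handing them to any ECC library; the secp256k1 constants are the standard curve parameters and the function names are assumptions of this example.

```javascript
// Added example (not Cacti or elliptic code). Curve secp256k1: y^2 = x^3 + 7 over F_p.
const P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2Fn; // field prime
const N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n; // group order
const GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n; // generator x
const GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n; // generator y

const mod = (a, m) => ((a % m) + m) % m;

// Parse an uncompressed SEC1 public key ('04' || X || Y, 65 bytes as hex) into
// coordinates. Returns null on any length or prefix mismatch instead of guessing.
function parseUncompressedPoint(hex) {
  const h = String(hex).toLowerCase().replace(/^0x/, '');
  if (h.length !== 130 || !h.startsWith('04') || !/^[0-9a-f]+$/.test(h)) return null;
  return { x: BigInt('0x' + h.slice(2, 66)), y: BigInt('0x' + h.slice(66)) };
}

// CVE-2020-28498 mitigation: the check elliptic < 6.5.4 skipped in derive().
// A point off the curve (or with out-of-range coordinates) must be rejected before
// it is multiplied by a private scalar, otherwise each ECDH result leaks key bits.
function isOnSecp256k1(x, y) {
  if (typeof x !== 'bigint' || typeof y !== 'bigint') return false;
  if (x < 0n || x >= P || y < 0n || y >= P) return false;
  return mod(y * y, P) === mod(x * x * x + 7n, P);
}

// CVE-2020-13822 mitigation: accept only one canonical encoding per signature.
// r and s must be in [1, N-1] and s must be in the low half, so (r, N-s) and
// out-of-range variants cannot pass as a second valid signature for the same message.
function isCanonicalSignature(r, s) {
  if (r <= 0n || r >= N || s <= 0n || s >= N) return false;
  return s <= N / 2n;
}

// Normalise a high-S signature to its low-S twin; both verify under the same key.
function toLowS(r, s) {
  return s > N / 2n ? { r, s: N - s } : { r, s };
}

module.exports = { P, N, GX, GY, parseUncompressedPoint, isOnSecp256k1, isCanonicalSignature, toLowS };
```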

@petermetz petermetz self-assigned this Dec 8, 2021
@petermetz petermetz added the labels dependencies, P1, Security, Besu, Quorum and Xdai on Dec 8, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Dec 8, 2021
Upgrade the web3 packages in besu connector and the hermes ODAP plugin
to eliminate some of the security vulnerabilities that were reported by the
robots.

Fixes hyperledger-cacti#1639

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit that referenced this issue Dec 11, 2021
Upgrade the web3 packages in besu connector and the hermes ODAP plugin
to eliminate some of the security vulnerabilities that were reported by the
robots.

Fixes #1639

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>