Security vulnerability - CVE-2023-38325

[bnaganathan]

OCI is pulling cryptography (version 40.0.2) as one of its dependencies.

bash-4.2# pip3 show oci
Name: oci
Version: 2.110.1
Summary: Oracle Cloud Infrastructure Python SDK
Home-page: https://docs.oracle.com/en-us/iaas/tools/python/latest/index.html
Author: Oracle
Author-email: joe.levy@oracle.com
License: Universal Permissive License 1.0 or Apache License 2.0
Location: /usr/local/lib/python3.6/site-packages
Requires: certifi, circuitbreaker, cryptography, pyOpenSSL, python-dateutil, pytz
Required-by: vaultpythonsdk
bash-4.2# pip3 show cryptography
Name: cryptography
Version: 40.0.2
Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Home-page: https://github.com/pyca/cryptography
Author: The Python Cryptographic Authority and individual contributors
Author-email: cryptography-dev@python.org
License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0
Location: /usr/local/lib64/python3.6/site-packages
Requires: cffi
Required-by: oci, pyOpenSSL

Cryptography:40.0.2 has this security vulnerability -
GHSA-cf7p-gm2m-833m
https://nvd.nist.gov/vuln/detail/CVE-2023-38325

Can we please get this fixed by fixing the cryptography version as >= 41.0.0

[KartikShrikantHegde]

Hi @bnaganathan , thanks for reporting it, we will take a look as soon as we can. Thanks.

[bhagwatvyas]

Hi @bnaganathan oci allows cryptography>=41.0.0, please see https://github.com/oracle/oci-python-sdk/blob/master/setup.py#L35 ("cryptography>=3.2.1,<42.0.0"). You can choose a version of cryptography within this range.
If you installed oci as a dependency of another library, does that library have its own restrictions on cryptography versions?

[bnaganathan]

It is not an issue with OCI. We are using old version of python (3.6). We are going to upgrade Python to fix this vulnerability.