
Security: address CVE-2024-24790 in 1.6.0 #188

Closed
cmontemuino opened this issue Jul 4, 2024 · 1 comment

Comments

@cmontemuino

Our scanner (Trivy) is showing the following critical vulnerability: https://avd.aquasec.com/nvd/2024/cve-2024-24790/

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-39325 │ HIGH     │ fixed  │ v0.16.0           │ 0.17.0                           │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                  │                │          │        │                   │                                  │ excessive work (CVE-2023-44487)                              │
│                  │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
├──────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2024-24790 │ CRITICAL │        │ 1.19.13           │ 1.21.11, 1.22.4                  │ golang: net/netip: Unexpected behavior from Is methods for   │
│                  │                │          │        │                   │                                  │ IPv4-mapped IPv6 addresses                                   │
│                  │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│                  ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-39325 │ HIGH     │        │                   │ 1.20.10, 1.21.3                  │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                  │                │          │        │                   │                                  │ excessive work (CVE-2023-44487)                              │
│                  │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                  ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-45283 │          │        │                   │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\    │
│                  │                │          │        │                   │                                  │ prefix as...                                                 │
│                  │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45283                   │
│                  ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-45287 │          │        │                   │ 1.20.0                           │ golang: crypto/tls: Timing Side Channel attack in RSA based  │
│                  │                │          │        │                   │                                  │ TLS key exchanges....                                        │
│                  │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45287                   │
│                  ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-45288 │          │        │                   │ 1.21.9, 1.22.2                   │ golang: net/http, x/net/http2: unlimited number of           │
│                  │                │          │        │                   │                                  │ CONTINUATION frames causes DoS                               │
│                  │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴──────────────────────────────────────────────────────────────┘

👉 According to our scanner, the image has been built with go 1.19.13, which does match with go.mod file.

  • How are you building the operator image?

The following is to run govulncheck against the branch supposedly used to build operator image version 1.6.0:

git clone git@github.com:selectdb/doris-operator.git
cd doris-operator
git checkout 1.6.0
go install golang.org/x/vuln/cmd/govulncheck@latest
# go: downloading golang.org/x/vuln v1.1.2
go mod tidy
govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2024-2963
    Denial of service due to improper 100-continue handling in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2963
  Standard library
    Found in: net/http@go1.21.7
    Fixed in: net/http@go1.21.12
    Example traces found:
      #1: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which calls http.Client.Do

Vulnerability #2: GO-2024-2887
    Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in
    net/netip
  More info: https://pkg.go.dev/vuln/GO-2024-2887
  Standard library
    Found in: net/netip@go1.21.7
    Fixed in: net/netip@go1.21.11
    Example traces found:
      #1: cmd/doris-debug/main.go:29:31: doris.main calls http.ListenAndServe, which eventually calls netip.Addr.IsLoopback
      #2: cmd/doris-debug/main.go:29:31: doris.main calls http.ListenAndServe, which eventually calls netip.Addr.IsMulticast

Vulnerability #3: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.16.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: client/clientset/versioned/clientset.go:67:39: versioned.NewForConfig calls rest.HTTPClientFor, which eventually calls http2.ConfigureTransports
      #2: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http2.ConnectionError.Error
      #3: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http2.ErrCode.String
      #4: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http2.FrameHeader.String
      #5: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http2.FrameType.String
      #6: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http2.GoAwayError.Error
      #7: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http2.Setting.String
      #8: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http2.SettingID.String
      #9: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http2.StreamError.Error
      #10: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http2.Transport.NewClientConn
      #11: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http2.Transport.RoundTrip
      #12: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http2.chunkWriter.Write
      #13: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http2.connError.Error
      #14: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls json.UnmarshalStrictError.Error, which calls http2.duplicatePseudoHeaderError.Error
      #15: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http2.gzipReader.Close
      #16: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http2.gzipReader.Read
      #17: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls json.UnmarshalStrictError.Error, which calls http2.headerFieldNameError.Error
      #18: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls json.UnmarshalStrictError.Error, which calls http2.headerFieldValueError.Error
      #19: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http2.noDialH2RoundTripper.RoundTrip
      #20: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls json.UnmarshalStrictError.Error, which calls http2.pseudoHeaderError.Error
      #21: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http2.stickyErrWriter.Write
      #22: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http2.transportResponseBody.Close
      #23: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http2.transportResponseBody.Read
      #24: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http2.writeData.String

  Standard library
    Found in: net/http@go1.21.7
    Fixed in: net/http@go1.21.9
    Example traces found:
      #1: cmd/operator/main.go:133:48: operator.main calls manager.controllerManager.GetWebhookServer, which eventually calls http.CanonicalHeaderKey
      #2: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which calls http.Client.Do
      #3: client/clientset/versioned/typed/doris/v1/doriscluster.go:190:7: doris.dorisClusters.Patch calls rest.Request.Body, which eventually calls http.Header.Add
      #4: client/clientset/versioned/typed/doris/v1/doriscluster.go:190:7: doris.dorisClusters.Patch calls rest.Request.Body, which eventually calls http.Header.Del
      #5: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.Header.Get
      #6: cmd/doris-debug/main.go:29:31: doris.main calls http.ListenAndServe
      #7: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.NewRequest
      #8: cmd/operator/main.go:154:21: operator.main calls manager.controllerManager.Start, which eventually calls http.Server.Serve
      #9: cmd/operator/main.go:154:21: operator.main calls manager.controllerManager.Start, which eventually calls http.Server.Shutdown
      #10: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.body.Close
      #11: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.body.Read
      #12: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.bodyEOFSignal.Close
      #13: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.bodyEOFSignal.Read
      #14: pkg/common/utils/resource/configmap.go:103:20: resource.ResolveConfigMaps calls viper.ReadConfig, which eventually calls http.bodyLocked.Read
      #15: pkg/common/utils/mysql/mysql.go:39:20: mysql.DB.Close calls sql.DB.Close, which eventually calls http.bufioFlushWriter.Write
      #16: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.cancelTimerBody.Close
      #17: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.cancelTimerBody.Read
      #18: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http.checkConnErrorWriter.Write
      #19: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http.chunkWriter.Write
      #20: pkg/common/utils/resource/configmap.go:103:20: resource.ResolveConfigMaps calls viper.ReadConfig, which eventually calls http.connReader.Read
      #21: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.expectContinueReader.Close
      #22: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.expectContinueReader.Read
      #23: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.gzipReader.Close
      #24: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.gzipReader.Read
      #25: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2ConnectionError.Error
      #26: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http.http2ErrCode.String
      #27: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http.http2FrameHeader.String
      #28: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http.http2FrameType.String
      #29: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http.http2FrameWriteRequest.String
      #30: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2GoAwayError.Error
      #31: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http.http2Setting.String
      #32: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http.http2SettingID.String
      #33: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2StreamError.Error
      #34: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http.http2chunkWriter.Write
      #35: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2connError.Error
      #36: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2duplicatePseudoHeaderError.Error
      #37: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.http2gzipReader.Close
      #38: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.http2gzipReader.Read
      #39: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2headerFieldNameError.Error
      #40: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2headerFieldValueError.Error
      #41: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2pseudoHeaderError.Error
      #42: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.http2requestBody.Close
      #43: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.http2requestBody.Read
      #44: cmd/doris-debug/main.go:26:13: doris.main calls fmt.Println, which eventually calls http.http2responseWriter.Write
      #45: cmd/doris-debug/main.go:26:13: doris.main calls fmt.Println, which eventually calls http.http2responseWriter.WriteHeader
      #46: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls json.UnmarshalStrictError.Error, which eventually calls http.http2responseWriter.WriteString
      #47: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http.http2stickyErrWriter.Write
      #48: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.http2transportResponseBody.Close
      #49: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.http2transportResponseBody.Read
      #50: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http.http2writeData.String
      #51: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http.loggingConn.Write
      #52: pkg/common/utils/resource/configmap.go:103:20: resource.ResolveConfigMaps calls viper.ReadConfig, which eventually calls http.maxBytesReader.Read
      #53: cmd/operator/main.go:133:48: operator.main calls manager.controllerManager.GetWebhookServer, which eventually calls http.onceCloseListener.Close
      #54: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.persistConn.Read
      #55: pkg/common/utils/mysql/mysql.go:39:20: mysql.DB.Close calls sql.DB.Close, which eventually calls http.persistConnWriter.ReadFrom
      #56: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http.persistConnWriter.Write
      #57: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.readTrackingBody.Close
      #58: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.readTrackingBody.Read
      #59: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.readWriteCloserBody.Read
      #60: pkg/common/utils/mysql/mysql.go:39:20: mysql.DB.Close calls sql.DB.Close, which eventually calls http.response.ReadFrom
      #61: cmd/doris-debug/main.go:26:13: doris.main calls fmt.Println, which eventually calls http.response.Write
      #62: cmd/doris-debug/main.go:26:13: doris.main calls fmt.Println, which eventually calls http.response.WriteHeader
      #63: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls json.UnmarshalStrictError.Error, which eventually calls http.response.WriteString
      #64: cmd/doris-debug/main.go:26:13: doris.main calls fmt.Println, which eventually calls http.timeoutWriter.Write
      #65: cmd/doris-debug/main.go:26:13: doris.main calls fmt.Println, which eventually calls http.timeoutWriter.WriteHeader
      #66: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.transportReadFromServerError.Error

Vulnerability #4: GO-2024-2600
    Incorrect forwarding of sensitive headers and cookies on HTTP redirect in
    net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2600
  Standard library
    Found in: net/http@go1.21.7
    Fixed in: net/http@go1.21.8
    Example traces found:
      #1: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which calls http.Client.Do

Vulnerability #5: GO-2024-2599
    Memory exhaustion in multipart form parsing in net/textproto and net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2599
  Standard library
    Found in: net/textproto@go1.21.7
    Fixed in: net/textproto@go1.21.8
    Example traces found:
      #1: cmd/doris-debug/main.go:29:31: doris.main calls http.ListenAndServe, which eventually calls textproto.Reader.ReadLine
      #2: cmd/doris-debug/main.go:29:31: doris.main calls http.ListenAndServe, which eventually calls textproto.Reader.ReadMIMEHeader

Vulnerability #6: GO-2024-2598
    Verify panics on certificates with an unknown public key algorithm in
    crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2024-2598
  Standard library
    Found in: crypto/x509@go1.21.7
    Fixed in: crypto/x509@go1.21.8
    Example traces found:
      #1: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls x509.Certificate.Verify

Your code is affected by 6 vulnerabilities from the Go standard library.
This scan also found 2 vulnerabilities in packages you import and 3
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
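As an added example (not code from this issue or from doris-operator): the net/netip finding above, GO-2024-2887 / CVE-2024-24790, is about the Is* methods giving the wrong answer for IPv4-mapped IPv6 addresses, and the code-level hardening that holds on any toolchain is to Unmap() before classifying. The AddrClass names and the classifyAddr/isMapped helpers are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
)

// AddrClass is the coarse category an access-control check might key on.
type AddrClass string

const (
	ClassInvalid   AddrClass = "invalid"
	ClassLoopback  AddrClass = "loopback"
	ClassMulticast AddrClass = "multicast"
	ClassLinkLocal AddrClass = "link-local"
	ClassPrivate   AddrClass = "private"
	ClassPublic    AddrClass = "public"
)

// classifyAddr parses s and classifies it after Unmap(), so an IPv4-mapped IPv6
// form (::ffff:a.b.c.d) is judged as the IPv4 address it carries. Without the
// CVE-2024-24790 fix the Is* methods answer false for the mapped form, so a
// "reject loopback" gate would wave ::ffff:127.0.0.1 through; unmapping first
// gives the same answer on every toolchain. Helper names are assumptions.
func classifyAddr(s string) (AddrClass, error) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return ClassInvalid, err
	}
	u := a.Unmap() // no-op for plain IPv4 and ordinary IPv6
	switch {
	case u.IsLoopback():
		return ClassLoopback, nil
	case u.IsMulticast():
		return ClassMulticast, nil
	case u.IsLinkLocalUnicast():
		return ClassLinkLocal, nil
	case u.IsPrivate():
		return ClassPrivate, nil
	}
	return ClassPublic, nil
}

// isMapped reports whether s arrived in IPv4-mapped IPv6 form, worth logging
// because it is an unusual way for a peer to present an IPv4 address.
func isMapped(s string) bool {
	a, err := netip.ParseAddr(s)
	return err == nil && a.Is4In6()
}

func main() {
	// Constructed sample inputs, including the mapped forms the CVE concerns.
	samples := []string{"127.0.0.1", "::ffff:127.0.0.1", "::1", "::ffff:10.1.2.3",
		"fe80::1", "::ffff:224.0.0.1", "8.8.8.8", "not-an-ip"}
	for _, s := range samples {
		c, err := classifyAddr(s)
		fmt.Printf("%-18s mapped=%-5v class=%-10s err=%v\n", s, isMapped(s), c, err)
	}
}
```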
@intelligentfu
Contributor

Oh, the image is built with a GitHub Action; the Dockerfile uses 1.19 as the builder, which does not match go.mod. I will fix it in the next patch version. I will look into Trivy to check our code. Thanks for your work.
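An added example, not from the issue or the project, of the check the reply points at: read the toolchain version actually embedded in the built binary (what `go version <binary>` prints) rather than trusting go.mod, and compare it against the per-minor fixed versions the Trivy table gives for CVE-2024-24790 (1.21.11, 1.22.4). The fixRelease/fixedIn/checkBinary names and the rule that minors newer than the newest listed one carry the fix are assumptions.

```go
package main
import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// fixRelease is the first patch release of a minor that carries a fix; the
// values below are the fixed versions from the Trivy table above, ascending.
type fixRelease struct{ minor, patch int }
var cve202424790Fix = []fixRelease{{21, 11}, {22, 4}}

// parseGoVersion splits "go1.21.11" into minor and patch; "go1.22rc1" is rejected.
func parseGoVersion(v string) (int, int, error) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) != 3 || parts[0] != "1" {
		return 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	minor, err1 := strconv.Atoi(parts[1])
	patch, err2 := strconv.Atoi(parts[2])
	if err1 != nil || err2 != nil {
		return 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	return minor, patch, nil
}

// fixedIn reports whether toolchain v carries the fix described by fixes.
func fixedIn(v string, fixes []fixRelease) (bool, error) {
	minor, patch, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	for _, f := range fixes {
		if minor == f.minor {
			return patch >= f.patch, nil
		}
	}
	// Unlisted minor: older than the oldest entry is out of support and unfixed
	// (the scan's 1.19.13); newer is assumed to ship with the fix (Go 1.23 does).
	return minor > fixes[len(fixes)-1].minor, nil
}

// checkBinary reads the Go version embedded in a built binary (what
// `go version <binary>` prints): check the image, not go.mod.
func checkBinary(path string) (string, bool, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	ok, err := fixedIn(bi.GoVersion, cve202424790Fix)
	return bi.GoVersion, ok, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: checktoolchain <binary>")
		os.Exit(2)
	}
	v, ok, err := checkBinary(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("%s: built with %s, CVE-2024-24790 fixed: %v\n", os.Args[1], v, ok)
	if !ok {
		os.Exit(1)
	}
}
```

Run it against the operator binary extracted from the 1.6.0 image; a non-zero exit means the builder image, not go.mod, decided the toolchain.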
