GO vulnerability for version 1.20.3 - CVE-2023-24540

Question

GO vulnerability for version 1.20.3 - CVE-2023-24540

pranay-harness opened this issue a year ago · comments

A recent CVE has been tagged by the scanners for version 1.20.3

Please bump the version to 1.20.4

Jonathan Landis · Answer 1 · Sat Jun 03 2023 01:40:28 GMT+0800 (China Standard Time)

See also https://nvd.nist.gov/vuln/detail/CVE-2023-29400. I don't see any actual usage of the vulnerable functions though. Did I overlook something? There is of course some value in getting scanners to be quiet.

Ahmet Alp Balkan · Answer 2 · Sat Jun 03 2023 07:19:01 GMT+0800 (China Standard Time)

Sadly the scanners are notoriously useless and almost never there's an attack vector that can exploit something in your sidecar probe that's only available over the loopback interface and gets no user traffic. I will try to get to bumping deps sometime.

Piotr Jachowicz · Answer 3 · Sun Jun 04 2023 14:28:24 GMT+0800 (China Standard Time)

US federal bodies require FedRamp, whose part is periodic scan and vulnerabilities management (fix time depends on the score). If you are a software engineer and the scan shows vulnerability in grpc-health-probe you have two options: i. persuade Ahmet to upgrade, or ii, analyze the vulnerability, justify why it cannot be used for an attack and request for redemption. Option ii. requires security knowledge, brevity, and lots of paperwork. Over time stale software accumulates more and more vulnerabilities found and amount of work is growing. Upgrade is safer and cheaper (at least from the grpc-health-probe user's point of view :-) Piotr sob., 3 cze 2023 o 01:19 Ahmet Alp Balkan ***@***.***> napisał(a):

…

Sadly the scanners are notoriously useless and almost never there's an attack vector that can exploit something in your sidecar probe that's only available over the loopback interface and gets no user traffic. I will try to get to bumping deps sometime. — Reply to this email directly, view it on GitHub <#144 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AADWSR3LDWKXOBPTUKO7QIDXJJYHDANCNFSM6AAAAAAYYOBQNU> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- Piotr Jachowicz

Marwan Ahmed · Answer 4 · Mon Jun 05 2023 05:56:46 GMT+0800 (China Standard Time)

which scanner are you using? Google container scanner is flagging that CVE for our images but trivy isn't so I'm wondering if it's a false positive because I don't see a use of the vulnerable function.

Pranay Shah · Answer 5 · Mon Jun 05 2023 22:08:10 GMT+0800 (China Standard Time)

This is reported in Prismacloud scans

Piotr Jachowicz · Answer 6 · Tue Jun 06 2023 01:18:54 GMT+0800 (China Standard Time)

I think the scanning engine underneath is Twistlock pon., 5 cze 2023 o 16:08 Pranay Shah ***@***.***> napisał(a):

…

This is reported in Prismacloud scans — Reply to this email directly, view it on GitHub <#144 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AADWSR47EXBCNRR7RZWEGKDXJXR5JANCNFSM6AAAAAAYYOBQNU> . You are receiving this because you commented.Message ID: ***@***.***>

-- Piotr Jachowicz

Pranay Shah · Answer 7 · Fri Jun 09 2023 17:13:35 GMT+0800 (China Standard Time)

Sadly the scanners are notoriously useless and almost never there's an attack vector that can exploit something in your sidecar probe that's only available over the loopback interface and gets no user traffic. I will try to get to bumping deps sometime.

Agree most of the time these are false positives, but would be grateful if the version can be bumped up to 1.20.5

Also GO 1.20.5 released due to vulnerabilities identified in 1.20.4
https://groups.google.com/g/golang-announce/c/q5135a9d924

Soumyajit Das · Answer 8 · Mon Jun 12 2023 18:23:00 GMT+0800 (China Standard Time)

Can we upgrade the go version to 1.20.5 ?