temporalio / temporal

Temporal service

Home Page: https://docs.temporal.io

Addressing a lot of security vulnerabilities in the latest Temporal server release 1.23.0

sonpham96 opened this issue · comments

Expected Behavior

There is no CVE found in the temporalio/server image.

Actual Behavior

There are 27 vulnerabilities found for image temporalio/server:1.23.0, including 5 high, 19 medium and 3 low CVEs.

Scan results:

Scan results for: image temporalio/server:1.23.0 sha256:5ace4dfce78a30f760d9a0550dceef17e47fac11374e83d85a2762cde767ea41
Vulnerabilities
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                                   PACKAGE                                   |                VERSION                |             STATUS              | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-47108   | high     | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.36.4                               | fixed in 0.46.0                 | > 5 months | < 1 hour   | OpenTelemetry-Go Contrib is a collection of        |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | third-party packages for OpenTelemetry-Go.         |
|                  |          |      |                                                                             |                                       |                                 |            |            | Prior to version 0.46.0, the grpc Unary Server     |
|                  |          |      |                                                                             |                                       |                                 |            |            | Interceptor out ...                                |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-47108   | high     | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.42.0                               | fixed in 0.46.0                 | > 5 months | < 1 hour   | OpenTelemetry-Go Contrib is a collection of        |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | third-party packages for OpenTelemetry-Go.         |
|                  |          |      |                                                                             |                                       |                                 |            |            | Prior to version 0.46.0, the grpc Unary Server     |
|                  |          |      |                                                                             |                                       |                                 |            |            | Interceptor out ...                                |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-39325   | high     | 7.50 | golang.org/x/net/http2                                                      | v0.7.0                                | fixed in 0.17.0                 | > 6 months | < 1 hour   | A malicious HTTP/2 client which rapidly creates    |
|                  |          |      |                                                                             |                                       | 51 days ago                     |            |            | requests and immediately resets them can cause     |
|                  |          |      |                                                                             |                                       |                                 |            |            | excessive server resource consumption. While the   |
|                  |          |      |                                                                             |                                       |                                 |            |            | total ...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | golang.org/x/net                                                            | v0.7.0                                | fixed in 0.17.0                 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 6 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | google.golang.org/grpc                                                      | v1.53.0                               | fixed in 1.58.3, 1.57.1, 1.56.3 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus                                                  | v1.9.0                                | fixed in v1.9.3                 | > 1 years  | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                                                             |                                       | > 1 years ago                   |            |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                                                             |                                       |                                 |            |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                                                             |                                       |                                 |            |            | without new...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                                                                        | 1.3.1-r0                              |                                 | > 3 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                  |          |      |                                                                             |                                       |                                 |            |            | to be vulnerable to memory corruption issues       |
|                  |          |      |                                                                             |                                       |                                 |            |            | affecting the deflation algorithm implementation   |
|                  |          |      |                                                                             |                                       |                                 |            |            | (deflate.c)...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                  |          |      |                                                                             |                                       |                                 |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                  |          |      |                                                                             |                                       |                                 |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                  |          |      |                                                                             |                                       |                                 |            |            | awk.c copyvar function.                            |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                  |          |      |                                                                             |                                       |                                 |            |            | allows attackers to cause a denial of service      |
|                  |          |      |                                                                             |                                       |                                 |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                  |          |      |                                                                             |                                       |                                 |            |            | funct...                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                  |          |      |                                                                             |                                       |                                 |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                  |          |      |                                                                             |                                       |                                 |            |            | BusyBox v.1.36.1.                                  |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2435    | moderate | 4.30 | github.com/temporalio/ui-server/v2                                          | v2.21.3                               | fixed in 2.25.0                 | 14 days    | < 1 hour   | For an attacker with pre-existing access to send   |
|                  |          |      |                                                                             |                                       | 14 days ago                     |            |            | a signal to a workflow, the attacker can make the  |
|                  |          |      |                                                                             |                                       |                                 |            |            | signal name a script that executes when a victim   |
|                  |          |      |                                                                             |                                       |                                 |            |            | vi...                                              |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-28180   | moderate | 0.00 | gopkg.in/square/go-jose.v2                                                  | v2.6.0                                | fixed in                        | 39 days    | < 1 hour   | Package jose aims to provide an implementation     |
|                  |          |      |                                                                             |                                       | 32 days ago                     |            |            | of the Javascript Object Signing and Encryption    |
|                  |          |      |                                                                             |                                       |                                 |            |            | set of standards. An attacker could send a JWE     |
|                  |          |      |                                                                             |                                       |                                 |            |            | containi...                                        |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/internal/sanitize                                   | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/pgproto3                                            | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/pgconn                                              | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json                           | v1.31.0                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson                               | v1.31.0                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json                           | v1.28.1                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson                               | v1.28.1                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.22.0                               | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | net/http                                                                    | 1.22.1                                | fixed in 1.21.9, 1.22.2         | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.7.0                                | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.18.0                               | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-3485    | low      | 3.00 | go.temporal.io/server                                                       | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0                 | > 9 months | < 1 hour   | Insecure defaults in open-source Temporal Server   |
|                  |          |      |                                                                             |                                       | > 9 months ago                  |            |            | before version 1.20 on all platforms allows an     |
|                  |          |      |                                                                             |                                       |                                 |            |            | attacker to craft a task token with access to a    |
|                  |          |      |                                                                             |                                       |                                 |            |            | namesp...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-25629   | low      | 0.00 | c-ares                                                                      | 1.24.0-r1                             | fixed in 1.27.0-r0              | 53 days    | < 1 hour   | c-ares is a C library for asynchronous DNS         |
|                  |          |      |                                                                             |                                       | 22 days ago                     |            |            | requests. `ares__read_line()` is used to           |
|                  |          |      |                                                                             |                                       |                                 |            |            | parse local configuration files such as            |
|                  |          |      |                                                                             |                                       |                                 |            |            | `/etc/resolv.conf`, `/etc/...                      |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511    | low      | 0.00 | openssl                                                                     | 3.1.4-r5                              | fixed in 3.1.4-r6               | n/a        | < 1 hour   | Issue summary: Some non-default TLS server         |
|                  |          |      |                                                                             |                                       | 7 days ago                      |            |            | configurations can cause unbounded memory growth   |
|                  |          |      |                                                                             |                                       |                                 |            |            | when processing TLSv1.3 sessions  Impact summary:  |
|                  |          |      |                                                                             |                                       |                                 |            |            | An attac...                                        |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image temporalio/server:1.23.0: total - 27, critical - 0, high - 5, medium - 19, low - 3
Vulnerability threshold check results: PASS

Compliance found for image temporalio/server:1.23.0: total - 0, critical - 0, high - 0, medium - 0, low - 0
Compliance threshold check results: PASS

Steps to Reproduce the Problem

  1. Pull the latest image temporalio/server:1.23.0 from Docker Hub
  2. Scan the image with any vulnerability scanner

Specifications

  • Version: 1.23.0
  • Platform: N/A
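An added example, not code from the issue or from the Temporal project, that parses the scanner's table format quoted above and triages it: it counts findings per severity (treating the scanner's "moderate" rows as medium, which is how the summary line reaches 19 medium), lists the distinct CVE ids (the 27 findings repeat the same CVE across several packages and versions), flags entries for which no fixed version is listed, and applies an explicit policy gate instead of trusting the scanner's own "PASS" threshold. The embedded table is a constructed subset of the rows above with six columns; the parser is header-driven, so it also accepts the full nine-column output.

```python
"""Parse the scanner's tabular output and triage the findings.

Added example, not code from the issue or from the Temporal project.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed sample: rows copied from the scan in the issue, with the PUBLISHED,
# DISCOVERED and DESCRIPTION columns dropped for brevity.
SAMPLE_SCAN = """\
+------------------+----------+------+------------------------------------+-----------+---------------------------------+
|       CVE        | SEVERITY | CVSS |              PACKAGE               |  VERSION  |             STATUS              |
+------------------+----------+------+------------------------------------+-----------+---------------------------------+
| CVE-2023-44487   | high     | 5.30 | golang.org/x/net                   | v0.7.0    | fixed in 0.17.0                 |
|                  |          |      |                                    |           | > 6 months ago                  |
+------------------+----------+------+------------------------------------+-----------+---------------------------------+
| CVE-2023-44487   | high     | 5.30 | google.golang.org/grpc             | v1.53.0   | fixed in 1.58.3, 1.57.1, 1.56.3 |
|                  |          |      |                                    |           | > 5 months ago                  |
+------------------+----------+------+------------------------------------+-----------+---------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                               | 1.3.1-r0  |                                 |
+------------------+----------+------+------------------------------------+-----------+---------------------------------+
| CVE-2024-2435    | moderate | 4.30 | github.com/temporalio/ui-server/v2 | v2.21.3   | fixed in 2.25.0                 |
|                  |          |      |                                    |           | 14 days ago                     |
+------------------+----------+------+------------------------------------+-----------+---------------------------------+
| CVE-2024-28180   | moderate | 0.00 | gopkg.in/square/go-jose.v2         | v2.6.0    | fixed in                        |
|                  |          |      |                                    |           | 32 days ago                     |
+------------------+----------+------+------------------------------------+-----------+---------------------------------+
| CVE-2024-25629   | low      | 0.00 | c-ares                             | 1.24.0-r1 | fixed in 1.27.0-r0              |
|                  |          |      |                                    |           | 22 days ago                     |
+------------------+----------+------+------------------------------------+-----------+---------------------------------+
"""

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


@dataclass
class Finding:
    cve: str
    severity: str      # normalised: the scanner's "moderate" becomes "medium"
    cvss: float
    package: str
    version: str
    fix: str           # fixed version(s) as listed by the scanner; "" when none is given


def normalize_severity(raw: str) -> str:
    """The scan's summary line counts 'moderate' rows as medium, so do the same."""
    return {"moderate": "medium"}.get(raw.lower(), raw.lower())


def parse_scan_table(text: str) -> list[Finding]:
    """Group the pipe rows between '+---' separators into one record per finding."""
    header: list[str] | None = None
    records: list[list[list[str]]] = []
    current: list[list[str]] = []
    for line in text.splitlines():
        if line.startswith("+"):           # separator line closes the open record
            if current:
                records.append(current)
                current = []
            continue
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:                 # the first pipe row is the header
            header = cells
        else:
            current.append(cells)
    if current:
        records.append(current)
    if header is None:
        return []

    findings = []
    for rec in records:
        first = dict(zip(header, rec[0]))  # the fix version sits on the record's first
        status = first.get("STATUS", "")    # line; continuation lines only carry "N days ago"
        fix = status[len("fixed in"):].strip() if status.startswith("fixed in") else ""
        findings.append(Finding(
            cve=first["CVE"],
            severity=normalize_severity(first["SEVERITY"]),
            cvss=float(first["CVSS"]),
            package=first["PACKAGE"],
            version=first["VERSION"],
            fix=fix,
        ))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Counts by severity, the distinct CVE ids, and findings that list no fix."""
    return {
        "total": len(findings),
        "by_severity": dict(Counter(f.severity for f in findings)),
        "unique_cves": sorted({f.cve for f in findings}),
        "no_fix_available": sorted((f.cve, f.package) for f in findings if not f.fix),
    }


def exceeds_policy(findings: list[Finding], max_allowed: str = "medium") -> list[Finding]:
    """Findings above the allowed severity. The scanner's own threshold reported PASS
    for this image despite five highs, so gate on an explicit policy instead."""
    limit = SEVERITY_ORDER.index(max_allowed)
    return [f for f in findings if SEVERITY_ORDER.index(f.severity) > limit]


if __name__ == "__main__":
    found = parse_scan_table(SAMPLE_SCAN)
    print(summarize(found))
    for f in exceeds_policy(found):
        print(f"POLICY: {f.cve} {f.severity} in {f.package} {f.version} (fix: {f.fix or 'none'})")
```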