Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Addressing a lot of security vulnerabilities in the Temporalio/server release v1.26.2 #7122

Open
thle40 opened this issue Jan 20, 2025 · 1 comment
Open

Addressing a lot of security vulnerabilities in the Temporalio/server release v1.26.2 #7122

thle40 opened this issue Jan 20, 2025 · 1 comment

Comments

@thle40
Copy link

thle40 commented Jan 20, 2025
edited
Loading

Expected Behavior

No more CVEs found.
Actual Behavior

There are a lot of CVEs found from the latest Temporal image:
temporalio/server:1.26.2
Steps to Reproduce the Problem

Pull the latest image temporalio/server:1.26.2  from Dockerhub
Scan the image with any vulnerability scanner

|       CVE        | SEVERITY | CVSS |          PACKAGE           |                VERSION                |             STATUS              | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-9681    | medium   | 6.50 | curl                       | 8.9.1-r2                              | fixed in 8.11.0-r0              | 71 days    | < 1 hour   | When curl is asked to use HSTS, the expiry time    |
|                  |          |      |                            |                                       | 71 days ago                     |            |            | for a subdomain might overwrite a parent domain\'s |
|                  |          |      |                            |                                       |                                 |            |            | cache entry, making it end sooner or later than    |
|                  |          |      |                            |                                       |                                 |            |            | oth...                                             |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus | v1.4.2                                | fixed in v1.9.3                 | > 1 years  | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                            |                                       | > 1 years ago                   |            |            | versions is vulnerable to denial of service.       |
|                  |          |      |                            |                                       |                                 |            |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                            |                                       |                                 |            |            | without new...                                     |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2689    | medium   | 0.00 | go.temporal.io/server      | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.5, 1.21.6, 1.22.7 | > 7 months | < 1 hour   | Denial of Service in Temporal Server prior to      |
|                  |          |      |                            |                                       | > 7 months ago                  |            |            | version 1.20.5, 1.21.6, and 1.22.7 allows an       |
|                  |          |      |                            |                                       |                                 |            |            | authenticated user who has permissions to interact |
|                  |          |      |                            |                                       |                                 |            |            | with wor...                                        |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-3485    | low      | 3.60 | go.temporal.io/server      | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0                 | > 4 months | < 1 hour   | Insecure defaults in open-source Temporal Server   |
|                  |          |      |                            |                                       | > 1 years ago                   |            |            | before version 1.20 on all platforms allows an     |
|                  |          |      |                            |                                       |                                 |            |            | attacker to craft a task token with access to a    |
|                  |          |      |                            |                                       |                                 |            |            | namesp...                                          |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-9143    | low      | 0.00 | openssl                    | 3.3.2-r0                              | fixed in 3.3.2-r1               | > 3 months | < 1 hour   | Issue summary: Use of the low-level GF(2^m)        |
|                  |          |      |                            |                                       | 88 days ago                     |            |            | elliptic curve APIs with untrusted explicit values |
|                  |          |      |                            |                                       |                                 |            |            | for the field polynomial can lead to out-of-bounds |
|                  |          |      |                            |                                       |                                 |            |            | memo...                                            |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-8096    | low      | 0.00 | curl                       | 8.9.1-r2                              | fixed in 8.10.0-r0              | > 4 months | < 1 hour   | When curl is told to use the Certificate Status    |
|                  |          |      |                            |                                       | > 4 months ago                  |            |            | Request TLS extension, often referred to as OCSP   |
|                  |          |      |                            |                                       |                                 |            |            | stapling, to verify that the server certificate is |
|                  |          |      |                            |                                       |                                 |            |            | va...                                              |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-11053   | low      | 0.00 | curl                       | 8.9.1-r2                              | fixed in 8.11.1-r0              | 36 days    | < 1 hour   | When asked to both use a `.netrc` file for         |
|                  |          |      |                            |                                       | 35 days ago                     |            |            | credentials and to follow HTTP redirects, curl     |
|                  |          |      |                            |                                       |                                 |            |            | could leak the password used for the first host to |
|                  |          |      |                            |                                       |                                 |            |            | the follo...                                       |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+```
@od82078
Copy link

od82078 commented Jan 21, 2025

Are there any plans to address these vulnerabilities? Haven't seen any indication of this happening on the similar issue for v1.25

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@od82078 @thle40