
fix: Added vulnerability fixes for gorestlful gopkg & OS vulnerabilities in golang:1.20-alpine3.16 #11538

Merged
merged 3 commits into from
Aug 7, 2023

Conversation

Jonsy13
Contributor

@Jonsy13 Jonsy13 commented Aug 7, 2023

Motivation

We at LitmusChaos are using Argo-Workflows for orchestrating Chaos Experiments. We want to upgrade to the latest version of Argo-Workflows, which is currently v3.4.9. On scanning via Twistlock, we found some vulnerabilities due to an old version of go (go1.20.4) and one due to an older version of a go package, https://github.com/emicklei/go-restful/v3.

On checking, we found that the Dockerfile is using golang:1.20-alpine3.16, which uses go1.20.4. There are some vulnerabilities which were fixed in the latest version, i.e. 1.20.5. Looks like golang:1.20-alpine3.16 is not getting built with the latest version of go anymore.

```
+------------------+----------+------+-----------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |              PACKAGE              | VERSION |          STATUS          | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+-----------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-29405   | critical | 9.80 | go                                | 1.20.4  | fixed in 1.20.5, 1.19.10 | 59 days    | < 1 hour   | The go command may execute arbitrary code at build |
|                  |          |      |                                   |         | 51 days ago              |            |            | time when using cgo. This may occur when running   |
|                  |          |      |                                   |         |                          |            |            | "go get" on a malicious module, or when running    |
|                  |          |      |                                   |         |                          |            |            | ...                                                |
+------------------+----------+------+-----------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-29404   | critical | 9.80 | go                                | 1.20.4  | fixed in 1.20.5, 1.19.10 | 59 days    | < 1 hour   | The go command may execute arbitrary code at build |
|                  |          |      |                                   |         | 51 days ago              |            |            | time when using cgo. This may occur when running   |
|                  |          |      |                                   |         |                          |            |            | "go get" on a malicious module, or when running    |
|                  |          |      |                                   |         |                          |            |            | ...                                                |
+------------------+----------+------+-----------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-29402   | critical | 9.80 | go                                | 1.20.4  | fixed in 1.20.5, 1.19.10 | 59 days    | < 1 hour   | The go command may generate unexpected code at     |
|                  |          |      |                                   |         | 51 days ago              |            |            | build time when using cgo. This may result in      |
|                  |          |      |                                   |         |                          |            |            | unexpected behavior when running a go program      |
|                  |          |      |                                   |         |                          |            |            | which uses ...                                     |
+------------------+----------+------+-----------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-29403   | high     | 7.80 | go                                | 1.20.4  | fixed in 1.20.5, 1.19.10 | 59 days    | < 1 hour   | On Unix platforms, the Go runtime does not         |
|                  |          |      |                                   |         | 52 days ago              |            |            | behave differently when a binary is run with       |
|                  |          |      |                                   |         |                          |            |            | the setuid/setgid bits. This can be dangerous in   |
|                  |          |      |                                   |         |                          |            |            | certain cases...                                   |
+------------------+----------+------+-----------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2022-0227 | high     | 7.50 | github.com/emicklei/go-restful/v3 | v3.8.0  | fixed in v3.10.0         | > 1 years  | < 1 hour   | github.com/emicklei/go-restful/v3 module prior     |
|                  |          |      |                                   |         | > 9 months ago           |            |            | to v3.10.0 is vulnerable to Authentication Bypass  |
|                  |          |      |                                   |         |                          |            |            | by Primary Weakness. There is an inconsistency in  |
|                  |          |      |                                   |         |                          |            |            | how...                                             |
+------------------+----------+------+-----------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-2253    | high     | 7.00 | github.com/docker/distribution    | v2.8.1  | fixed in 2.8.2-beta.1    | 61 days    | < 1 hour   | A flaw was found in the `/v2/_catalog` endpoint    |
|                  |          |      |                                   |         | 87 days ago              |            |            | in distribution/distribution, which accepts a      |
|                  |          |      |                                   |         |                          |            |            | parameter to control the maximum number of records |
|                  |          |      |                                   |         |                          |            |            | retur...                                           |
+------------------+----------+------+-----------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-29406   | medium   | 6.50 | go                                | 1.20.4  | fixed in 1.20.6, 1.19.11 | 26 days    | < 1 hour   | The HTTP/1 client does not fully validate the      |
|                  |          |      |                                   |         | 18 days ago              |            |            | contents of the Host header. A maliciously crafted |
|                  |          |      |                                   |         |                          |            |            | Host header can inject additional headers or       |
|                  |          |      |                                   |         |                          |            |            | entire r...                                        |
+------------------+----------+------+-----------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus        | v1.9.2  | fixed in v1.9.3          | > 3 months | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                   |         | > 5 months ago           |            |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                   |         |                          |            |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                   |         |                          |            |            | without new...                                     |
+------------------+----------+------+-----------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+
```

Modifications

I have updated the base image in the Dockerfile to golang:1.20-alpine3.18 (this has the latest version of go, i.e. 1.20.5).
Also updated the version of https://github.com/emicklei/go-restful/v3 to v3.10.0.

Verification
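One way to verify an upgrade like this one before a rescan, as an added example that is not part of the PR or of argo-workflows: a small Go checker that reads the `FROM golang:<tag>` line of a Dockerfile and the `require` block of a go.mod, then compares what is pinned against the "fixed in" column of the scan table above. The advisory list is copied from that table (a fixed sample, not a live feed); the Dockerfile and go.mod inputs are constructed, not this repository's files; and pinning the patch level in the image tag (`golang:1.20.5-alpine3.18`) is the example's own choice, since a minor-only tag such as `golang:1.20-alpine3.16` cannot be verified statically, which is exactly how the stale go1.20.4 went unnoticed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// advisories is constructed from the Twistlock table in this PR, not a live feed.
var advisories = []struct{ ID, Package, FixedIn string }{
	{"CVE-2023-29405", "go", "1.20.5"},
	{"CVE-2023-29404", "go", "1.20.5"},
	{"CVE-2023-29402", "go", "1.20.5"},
	{"CVE-2023-29403", "go", "1.20.5"},
	{"CVE-2023-29406", "go", "1.20.6"},
	{"PRISMA-2022-0227", "github.com/emicklei/go-restful/v3", "v3.10.0"},
	{"PRISMA-2023-0056", "github.com/sirupsen/logrus", "v1.9.3"},
}

// parseVersion turns "v1.20.5" or "1.20" into [major, minor, patch]; missing
// components are 0 and a pre-release suffix such as "-beta.1" is ignored.
func parseVersion(s string) (v [3]int) {
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	for i, p := range strings.SplitN(s, ".", 3) {
		if n, err := strconv.Atoi(p); err == nil {
			v[i] = n
		}
	}
	return v
}

// below reports whether version a precedes version b.
func below(a, b string) bool {
	va, vb := parseVersion(a), parseVersion(b)
	for i := range va {
		if va[i] != vb[i] {
			return va[i] < vb[i]
		}
	}
	return false
}

// goVersionFromDockerfile reads the toolchain version from the first
// "FROM golang:<tag>" line. pinned is false for a minor-only tag such as
// golang:1.20-alpine3.16, whose patch level depends on the image build date.
func goVersionFromDockerfile(dockerfile string) (version string, pinned bool) {
	for _, line := range strings.Split(dockerfile, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || !strings.EqualFold(f[0], "FROM") || !strings.HasPrefix(f[1], "golang:") {
			continue
		}
		ver := strings.SplitN(strings.TrimPrefix(f[1], "golang:"), "-", 2)[0]
		return ver, strings.Count(ver, ".") == 2 // major.minor.patch all present
	}
	return "", false
}

// requiredModules collects module -> version from a go.mod require block.
func requiredModules(gomod string) map[string]string {
	mods, inBlock := map[string]string{}, false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) > 1 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) > 0 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) > 1 && !strings.HasPrefix(f[0], "//"):
			mods[f[0]] = f[1]
		}
	}
	return mods
}

// Check returns the advisory ids still open, and whether the Go toolchain
// version could be determined from the Dockerfile at all.
func Check(dockerfile, gomod string) (open []string, goPinned bool) {
	have := requiredModules(gomod)
	if v, ok := goVersionFromDockerfile(dockerfile); ok {
		have["go"], goPinned = v, true
	}
	for _, a := range advisories {
		if v, present := have[a.Package]; present && below(v, a.FixedIn) {
			open = append(open, a.ID)
		}
	}
	return open, goPinned
}

func main() {
	// Constructed pre-PR inputs, not files taken from this repository.
	gomod := "module example.com/app\ngo 1.20\nrequire (\n\tgithub.com/emicklei/go-restful/v3 v3.8.0\n\tgithub.com/sirupsen/logrus v1.9.2\n)\n"
	open, pinned := Check("FROM golang:1.20-alpine3.16 as builder\n", gomod)
	fmt.Println("go toolchain pinned:", pinned, "open advisories:", open)
}
```

Run against the pre-PR inputs the checker reports the two PRISMA findings and flags that the Go toolchain is unpinned; run against a patch-pinned `golang:1.20.5-alpine3.18` tag with go-restful at v3.10.0 it still reports CVE-2023-29406, because the table lists its fix as 1.20.6, and PRISMA-2023-0056 for logrus, which this PR does not touch. That is the value of keeping the "fixed in" column next to the upgrade rather than trusting a green rescan alone.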

@Jonsy13 changed the title from "Added vulnerability fixes for gorestlful gopkg & OS vulnerabilities in golang:1.20-alpine3.16" to "fix: Added vulnerability fixes for gorestlful gopkg & OS vulnerabilities in golang:1.20-alpine3.16" on Aug 7, 2023
Member

@gdsoumya gdsoumya left a comment


LGTM

@terrytangyuan terrytangyuan enabled auto-merge (squash) August 7, 2023 11:18
@toyamagu-2021
Member

toyamagu-2021 commented Aug 7, 2023

Hi, your tests fail because they reach the 25 min time limit.
The limit will be raised to 30 min after #11535 is merged.

@terrytangyuan terrytangyuan merged commit b2e2106 into argoproj:master Aug 7, 2023
terrytangyuan pushed a commit that referenced this pull request Aug 11, 2023
dpadhiar pushed a commit to dpadhiar/argo-workflows that referenced this pull request May 9, 2024
4 participants