Go Crypto dependency has CVE-2020-29652
Version of Cadence server, and client (which language). This is very important to root cause bugs.
- Server version: 0.23.2
- Client version: N/A
- Client language: N/A
Describe the bug https://nvd.nist.gov/vuln/detail/CVE-2020-29652: "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers." It doesn't look like Cadence has a direct dependency on that package, but several different versions are included, all of those vulnerable: https://github.com/uber/cadence/blob/028c444/go.sum#L509-L518
That said I don't think this is directly exploitable. So fixing this is just more for defense-in-depth and to have our automated vulnerability scanner happy.
To Reproduce Is the issue reproducible?
- Yes
Steps to reproduce the behavior: We used the Twistlock vulnerability scanner on the server docker image. Evidence that the vulnerable versions are used is here: https://github.com/uber/cadence/blob/028c444/go.sum#L509-L518.
Expected behavior
I think to verify that this is fixed, we can just look for golang.org/x/crypto in go.sum, and verify that the version is v0.0.0-20201203163018 or above.
I'm happy to help this move forward! However I don't have enough experience with go modules. What's the way to inspect the dependency chain to find where we're pulling in the different versions?
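A script for the verification step described above, added here as an example and not part of the original issue or of Cadence. It scans a go.sum for golang.org/x/crypto pseudo-versions whose timestamp is not later than the last affected version NVD names (v0.0.0-20201203163018-be400aefbc4c) and treats any strictly later timestamp as outside the affected range; the sample go.sum lines and hashes are constructed, and the `go mod why` / `go mod graph` commands in the comments are the standard way to find which module pulls in each version.

```shell
#!/bin/sh
# Timestamp of the last version NVD lists as affected by CVE-2020-29652
# ("through v0.0.0-20201203163018-be400aefbc4c"). Assumption: any pseudo-version
# with a strictly later timestamp is past the affected range.
LAST_AFFECTED_TS=20201203163018

# check_gosum <path-to-go.sum>
# Prints each affected golang.org/x/crypto version (one per line) and returns 1;
# returns 0 and prints nothing when no affected version is present.
# go.sum lines look like: "<module> <version>[/go.mod] <hash>", and each version
# normally appears twice (once with /go.mod), so the list is deduplicated.
check_gosum() {
    affected=$(
        grep '^golang.org/x/crypto ' "$1" | awk '{print $2}' | sed 's#/go.mod$##' | sort -u |
        while read -r version; do
            # pseudo-version form: v0.0.0-<yyyymmddhhmmss>-<12 hex chars>
            ts="${version#v0.0.0-}"
            ts="${ts%%-*}"
            case "$ts" in
                *[!0-9]*|"") echo "not a pseudo-version, compare by hand: $version" >&2; continue ;;
            esac
            if [ "$ts" -le "$LAST_AFFECTED_TS" ]; then
                echo "$version"
            fi
        done
    )
    if [ -z "$affected" ]; then
        return 0
    fi
    printf '%s\n' "$affected"
    return 1
}

# To see which modules pull in each version (answers the dependency-chain
# question), run inside the module:
#   go mod why -m golang.org/x/crypto          # import chain to the selected version
#   go mod graph | grep golang.org/x/crypto    # every requirer -> required version edge
```

Run as `check_gosum go.sum`; a non-zero exit makes it usable as a CI gate.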
Is this why my import went red today? I couldn't find the library, and it was in my local repro yesterday. Forgot to mention that redownloading worked fine.