Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Application Dependency Vulnerabilities #3

Open
2 of 9 tasks
slcardinal opened this issue Nov 28, 2023 · 2 comments
Open
2 of 9 tasks

Application Dependency Vulnerabilities #3

slcardinal opened this issue Nov 28, 2023 · 2 comments

Comments

@slcardinal
Copy link

Stratos Version

Version: 4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

Address Critical applicaiton dependency vulnerabilities.

I am not a developer, I just support the Stratos UI that is used with our internal deployment of Cloud Foundry. We have clone of this repository in our Enterprise Version of GitHub and our security team has enabled Dependabot to help with vulnerabilities. Due to these critical vulnerabilities, we have been asked to stop using this UI as part of our Cloud Foundry deployment. We would like to continue to use Stratos, as our internal customers prefer Stratos to the home grown Cloud Foundry UI that was developed. Would someone in the community be willing to have a look at remeidating the application dependencies in the Stratos UI?

Actual behaviour

Need to have Dependabot recommendations resolved.

Steps to reproduce the behavior

Turn on dependabot recommendations for the community repostiory for Stratos.

Log output covering before error and any error statements

Insert log hereCopy

Detailed Description

Context

Possible Implementation
@norman-abramovitz
Copy link
Contributor

Stratus being updated will done over the next couple of months.

@liquid-matra
Copy link

Update for Version 4.8.0

Frontend

most of these vulnerabilities can be auto-fixed

24 vulnerabilities (1 low, 7 moderate, 16 high)

details

body-parser <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - GHSA-qwcr-r2fm-qrc7
fix available via npm audit fix
node_modules/body-parser
node_modules/express/node_modules/body-parser
express <=4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of path-to-regexp
Depends on vulnerable versions of send
Depends on vulnerable versions of serve-static
node_modules/express

braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces - GHSA-grv7-fg5c-xmjg
fix available via npm audit fix
node_modules/braces

es5-ext 0.10.1 - 0.10.62
es5-ext vulnerable to Regular Expression Denial of Service in function#copy and function#toStringTokens - GHSA-4gmj-3p3h-gm8h
fix available via npm audit fix
node_modules/es5-ext

follow-redirects <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - GHSA-cxjh-pqwp-8mfp
fix available via npm audit fix
node_modules/follow-redirects

ip *
Severity: high
NPM IP package incorrectly identifies some private IP addresses as public - GHSA-78xj-cgh5-2h22
ip SSRF improper categorization in isPublic - GHSA-2p57-rm9w-gvfp
fix available via npm audit fix
node_modules/ip

micromatch <4.0.8
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - GHSA-952p-6rrq-rcjv
fix available via npm audit fix
node_modules/micromatch

path-to-regexp <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - GHSA-9wv6-86v2-598j
fix available via npm audit fix
node_modules/path-to-regexp

rollup <3.29.5
Severity: high
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS - GHSA-gcx4-mw62-g8wm
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/rollup
@rollup/plugin-json <=4.1.0
Depends on vulnerable versions of @rollup/pluginutils
Depends on vulnerable versions of rollup
node_modules/@rollup/plugin-json
ng-packagr <=15.0.1
Depends on vulnerable versions of @rollup/plugin-json
Depends on vulnerable versions of @rollup/plugin-node-resolve
Depends on vulnerable versions of rollup
Depends on vulnerable versions of rollup-plugin-sourcemaps
node_modules/ng-packagr
@angular-devkit/build-angular <=16.2.14 || 17.0.0-next.0 - 17.3.8 || 18.0.0-next.0 - 18.2.1 || 19.0.0-next.0 - 19.0.0-next.1
Depends on vulnerable versions of ng-packagr
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-middleware
node_modules/@angular-devkit/build-angular
@angular-builders/custom-webpack 11.1.2-beta.0 - 15.0.0
Depends on vulnerable versions of @angular-devkit/build-angular
node_modules/@angular-builders/custom-webpack
@rollup/plugin-node-resolve <=14.1.0
Depends on vulnerable versions of @rollup/pluginutils
Depends on vulnerable versions of rollup
node_modules/@rollup/plugin-node-resolve
@rollup/pluginutils <=4.1.0
Depends on vulnerable versions of rollup
node_modules/@rollup/pluginutils
rollup-plugin-sourcemaps >=0.5.0
Depends on vulnerable versions of @rollup/pluginutils
node_modules/rollup-plugin-sourcemaps

send <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - GHSA-m6fv-jmcg-4jfg
fix available via npm audit fix
node_modules/send
serve-static <=1.16.0
Depends on vulnerable versions of send
node_modules/serve-static

tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - GHSA-f5x3-32g6-xq36
fix available via npm audit fix
node_modules/tar

webpack 5.0.0-alpha.0 - 5.93.0
Severity: moderate
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - GHSA-4vvj-4cpr-p986
fix available via npm audit fix --force
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/@angular-devkit/build-angular/node_modules/webpack
node_modules/webpack

webpack-dev-middleware <=5.3.3
Severity: high
Path traversal in webpack-dev-middleware - GHSA-wr3j-pwj9-hqq6
fix available via npm audit fix --force
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/webpack-dev-middleware

ws 8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - GHSA-3h5v-q93c-6h6q
fix available via npm audit fix
node_modules/ws
engine.io 0.7.8 - 0.7.9 || 6.0.0 - 6.5.4
Depends on vulnerable versions of ws
node_modules/engine.io
socket.io-adapter 2.5.2 - 2.5.4
Depends on vulnerable versions of ws
node_modules/socket.io-adapter

backend

In addition to the following findings, the go version itself v1.21 is unsupported now (latest: v1.23)

Vulnerability #1: GO-2024-3106
Stack exhaustion in Decoder.Decode in encoding/gob
More info: https://pkg.go.dev/vuln/GO-2024-3106
Standard library
Found in: encoding/[email protected]
Fixed in: encoding/[email protected]
Example traces found:
#1: session.go:73:30: jetstream.portalProxy.GetSession calls pgstore.PGStore.Get, which eventually calls gob.Decoder.Decode

Vulnerability #2: GO-2024-2687
HTTP/2 CONTINUATION flood in net/http
More info: https://pkg.go.dev/vuln/GO-2024-2687
Module: golang.org/x/net
Found in: golang.org/x/[email protected]
Fixed in: golang.org/x/[email protected]
Example traces found:
#1: main.go:347:58: jetstream.main calls http2.ConnectionError.Error
#2: repository/cnsis/pgsql_cnsis.go:354:63: cnsis.PostgresCNSIRepository.Save calls fmt.Sprintf, which eventually calls http2.ErrCode.String
#3: repository/cnsis/pgsql_cnsis.go:354:63: cnsis.PostgresCNSIRepository.Save calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
#4: repository/cnsis/pgsql_cnsis.go:354:63: cnsis.PostgresCNSIRepository.Save calls fmt.Sprintf, which eventually calls http2.FrameType.String
#5: main.go:347:58: jetstream.main calls http2.GoAwayError.Error
#6: repository/cnsis/pgsql_cnsis.go:354:63: cnsis.PostgresCNSIRepository.Save calls fmt.Sprintf, which eventually calls http2.Setting.String
#7: repository/cnsis/pgsql_cnsis.go:354:63: cnsis.PostgresCNSIRepository.Save calls fmt.Sprintf, which eventually calls http2.SettingID.String
#8: main.go:347:58: jetstream.main calls http2.StreamError.Error
#9: plugins/cloudfoundry/main.go:225:3: cloudfoundry.CloudFoundrySpecification.Info calls http.http2transportResponseBody.Close, which eventually calls http2.chunkWriter.Write
#10: main.go:347:58: jetstream.main calls http2.connError.Error
#11: main.go:347:58: jetstream.main calls http2.duplicatePseudoHeaderError.Error
#12: plugins/cloudfoundry/main.go:225:3: cloudfoundry.CloudFoundrySpecification.Info calls http2.gzipReader.Close
#13: plugins/userinvite/invite.go:260:29: userinvite.UserInvite.UAAUserInvite calls ioutil.ReadAll, which eventually calls http2.gzipReader.Read
#14: main.go:347:58: jetstream.main calls http2.headerFieldNameError.Error
#15: main.go:347:58: jetstream.main calls http2.headerFieldValueError.Error
#16: main.go:347:58: jetstream.main calls http2.pseudoHeaderError.Error
#17: plugins/cloudfoundry/main.go:225:3: cloudfoundry.CloudFoundrySpecification.Info calls http.http2transportResponseBody.Close, which eventually calls http2.stickyErrWriter.Write
#18: plugins/cloudfoundry/main.go:225:3: cloudfoundry.CloudFoundrySpecification.Info calls http2.transportResponseBody.Close
#19: plugins/userinvite/invite.go:260:29: userinvite.UserInvite.UAAUserInvite calls ioutil.ReadAll, which eventually calls http2.transportResponseBody.Read
#20: repository/cnsis/pgsql_cnsis.go:354:63: cnsis.PostgresCNSIRepository.Save calls fmt.Sprintf, which eventually calls http2.writeData.String

Vulnerability #3: GO-2024-2611
Infinite loop in JSON unmarshaling in google.golang.org/protobuf
More info: https://pkg.go.dev/vuln/GO-2024-2611
Module: google.golang.org/protobuf
Found in: google.golang.org/[email protected]
Fixed in: google.golang.org/[email protected]
Example traces found:
#1: plugins/cloudfoundry/cf_websocket_streams.go:144:42: cloudfoundry.relayRecentLogsFromCache calls log.Client.Read, which eventually calls json.Decoder.Peek
#2: plugins/cloudfoundry/cf_websocket_streams.go:144:42: cloudfoundry.relayRecentLogsFromCache calls log.Client.Read, which eventually calls json.Decoder.Read
#3: plugins/cloudfoundry/cf_websocket_streams.go:144:42: cloudfoundry.relayRecentLogsFromCache calls log.Client.Read, which eventually calls protojson.UnmarshalOptions.Unmarshal

Your code is affected by 3 vulnerabilities from 2 modules and the Go standard library.
This scan also found 2 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@norman-abramovitz @liquid-matra @slcardinal