Severity
Medium (Moderate + Likely)1
Affected versions:
- wasmvm >= 2.1.0, < 2.1.3
- wasmvm >= 2.0.0, < 2.0.4
- wasmvm < 1.5.5
- cosmwasm-vm >= 2.1.0, < 2.1.4
- cosmwasm-vm >= 2.0.0, < 2.0.7
- cosmwasm-vm < 1.5.8
Patched versions:
- wasmvm 1.5.5, 2.0.4, 2.1.3
- cosmwasm-vm 1.5.8, 2.0.7, 2.1.4
(Blank for now. We'll add more detail once chains had a chance to upgrade.)
- 1.5: https://github.com/CosmWasm/cosmwasm/commit/16eabd681790508b13dac8e67f9e6e61045240ea
- 2.0: https://github.com/CosmWasm/cosmwasm/commit/0e70bd83119b02f99a2c0397f0913e0803750fd9
- 2.1: https://github.com/CosmWasm/cosmwasm/commit/f5bf24f3acadca2892afd58cc3ce5fdeb932d492
The patch will be shipped in releases of wasmvm. You can update more or less as follows:
- Check the current wasmvm version:
go list -m github.com/CosmWasm/wasmvm
- Bump the
github.com/CosmWasm/wasmvm
dependency in your go.mod to 1.5.5, 2.0.4, 2.1.3 depending on which minor version you are;go mod tidy
; commit. - If you use the static libraries
libwasmvm_muslc.aarch64.a
/libwasmvm_muslc.x86_64.a
, update them accordingly. - Check the updated wasmvm version:
go list -m github.com/CosmWasm/wasmvm
and ensure you see 1.5.5, 2.0.4, 2.1.3. - Follow your regular practices to deploy chain upgrades.
To double check if the correct library version is loaded at runtime, use this query:
<appd> query wasm libwasmvm-version
. It must show 1.5.5, 2.0.4 or 2.1.3.
The patch is consensus breaking and requires a coordinated upgrade.
This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.
If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
- 2024-08-28: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.
- 2024-08-30: Confio security contributors confirm the report.
- 2024-09-02: Confio developed the patch internally.
- 2024-09-23: Patch is released.
Footnotes
-
following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md ↩