-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/vulndb: suggestion regarding GO-2024-2527 #2952
Comments
Insecure cipher suite is indeed allowed in etcd client pkg. Pls refer to client/pkg/tlsutil/cipher_suites.go#L30-L34. Users can configure it using the flag So the GO-2024-2527 is still valid, but I think the severity is low, so no any action is required. Also Note that TLS 1.3 ciphersuites are not configurable. |
Incorrect assessment of the published security errata - Indicates that it's already addressed in specific versions (refer screenshot); also, Whoever updated the Go vulnerability must revert it. Otherwise, we need to stop using this tool altogether, as it's no longer reliable. |
We need to update github.com/etcd-io/etcd/security/advisories/GHSA-5x4g-q5rc-36jp.
Not sure whether the github.com/advisories/GHSA-5x4g-q5rc-36jp will be automatically updated after we update the |
Thank you for the report. We will look into this. |
So, how to handle this vuln rn? |
Change https://go.dev/cl/595995 mentions this issue: |
This report is a low impact vulnerability that is causing too many false positives. Withdraw it for now to mitigate impact. Updates #2527 Updates #2952 Change-Id: Iffad648eecbbda67e49a962592a33df9232f5fbb Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595995 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Thank you all for reporting this issue. The report has been withdrawn and should be live in 10-15 minutes. |
Thanks. We are going to update the security advisory per option 2 mentioned in https://docs.google.com/document/d/1Pl2e8YTtgt3pYeIZSXJIn4gknp6tTW14htMat1JaM4k/edit#heading=h.keepbsj3ympp |
To give some insight into why this report was published: we are experimenting with expanding the Go vulnerability database's scope to include vulnerabilities that primarily affect Go binaries as well as libraries. To support this increased scope, we need to automatically generate more reports. In this case, our automation saw two patched versions - v3.4.10 and v3.3.23 - in github.com/advisories/GHSA-5x4g-q5rc-36jp but these patched versions do not exist in go.etcd.io/etcd/client/pkg/v3 according to the Go module proxy (https://pkg.go.dev/go.etcd.io/etcd/client/pkg/v3?tab=versions). We thus conservatively reported all versions as being affected. @ahrtr if you would like us to un-withdraw the report with updated version info in the future, we are happy to. |
Ideally we should mark the CVE being resolved in 3.4.22, and 3.5.0 and onwards aren't affected at all. But it's also OK to withdraw the report. We are good as long as we can remove the security noise (false positives). |
The reason is etcd release-3.4 and release-3.5/main have big difference regarding code structure. The |
FYI. we just updated the security advisory below. Thanks all! |
@ahrtr We (vulndb) need to decide if we are going to keep this withdrawn going forward. It would be helpful to confirm the history of how etcd evolved for us to decide this. From Go's perspective there are 4 relevant modules:
From what I can tell:
First, is all of the above history correct? Assuming it is, here are the three options vulndb is deciding between:
Do you have any opinions about options 2 and 3, or a strong preference amongst these? I am currently leaning towards pursuing Option 3 at the moment. The chances of false positives with a date range seem low to me. If this shows itself to be problematic, there is an option of withdrawing again (after some user annoyance that we want to avoid). I get that this is mostly a “vulndb problem”, but I am hoping to get some feedback from etcd before we un-withdraw the vulnerability for a more accurate report. |
@timothy-king I appreciate the detailed analysis!
Yes, correct.
Either option 1 or 3 works for me. We are good as long as we can clear the false positive. Honestly, we (etcd) simply inappropriately defined a global variable cipherSuites in etcd v3.4.21 and older versions, but I don't think we (etcd) should raise the security advisory GHSA-5x4g-q5rc-36jp in the first place because the behaviour has never changed from user perspective (refer to doc),
|
Change https://go.dev/cl/597355 mentions this issue: |
Report ID
GO-2024-2527
Suggestion/Comment
etcd advisory - GHSA-5x4g-q5rc-36jp
etcd 3.5.x series was never affected by this vulnerability as 3.5.0 was released about a year after the 3.4.x branch was fixed. So the following error message is wrong (
Fixed in: N/A
)3.5.0 release tag info - https://github.com/etcd-io/etcd/tree/v3.5.0
3.4.10 release tag info - https://github.com/etcd-io/etcd/tree/v3.4.10
The text was updated successfully, but these errors were encountered: