packeto buildpacks vulnerable to CVE-2024-34156 (encoding/gob: stack exhaustion in Decoder.Decode) due to go 1.22.6

[candrews]

I noticed that many Paketo Buildpacks projects use go 1.22.6 which is susceptible to CVE-2024-34156: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This raises two questions:

1. Is this vulnerability exploitable for Paketo Buildpacks?
   I don't believe it's exploitable, but an statement/assessment from Paketo would be helpful.
2. When will the buildpacks to be updated to go 1.22.7 (or later) eliminating this vulnerability?

Thank you!

Trivy can be used to see this vulnerability being reported:

$ docker run -it aquasec/trivy:0.55.0 image gcr.io/paketo-buildpacks/ca-certificates:3.8.5@sha256:3cedb07e17a61a9768b7e842efd4fed03a7eb38ef35587cbe59b6e57dfc2f13e
Resolved "aquasec/trivy" as an alias (/home/candrews/.cache/containers/short-name-aliases.conf)
Trying to pull docker.io/aquasec/trivy:0.55.0...
Getting image source signatures
Copying blob 569a30c23d8b done   | 
Copying blob 89ab584520fc done   | 
Copying blob d25f557d7f31 skipped: already exists  
Copying blob fe169f4ad5bf done   | 
Copying config a8a87bd084 done   | 
Writing manifest to image destination
2024-09-09T13:55:30Z	INFO	[db] Need to update DB
2024-09-09T13:55:30Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
52.98 MiB / 52.98 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 10.00 MiB p/s 5.5s
2024-09-09T13:55:36Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-09T13:55:36Z	INFO	[secret] Secret scanning is enabled
2024-09-09T13:55:36Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-09T13:55:36Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-09T13:55:38Z	INFO	Number of language-specific files	num=2
2024-09-09T13:55:38Z	INFO	[gobinary] Detecting vulnerabilities...
2024-09-09T13:55:38Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.55/docs/scanner/vulnerability#severity-selection for details.

cnb/buildpacks/paketo-buildpacks_ca-certificates/3.8.5/bin/helper (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.6            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│         │                │          │        │                   │                │ which contains deeply nested structures...                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│         ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34155 │ MEDIUM   │        │                   │                │ go/parser: golang: Calling any of the Parse functions       │
│         │                │          │        │                   │                │ containing deeply nested literals...                        │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34158 │          │        │                   │                │ go/build/constraint: golang: Calling Parse on a "// +build" │
│         │                │          │        │                   │                │ build tag line with...                                      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

cnb/buildpacks/paketo-buildpacks_ca-certificates/3.8.5/bin/main (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.6            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│         │                │          │        │                   │                │ which contains deeply nested structures...                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│         ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34155 │ MEDIUM   │        │                   │                │ go/parser: golang: Calling any of the Parse functions       │
│         │                │          │        │                   │                │ containing deeply nested literals...                        │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34158 │          │        │                   │                │ go/build/constraint: golang: Calling Parse on a "// +build" │
│         │                │          │        │                   │                │ build tag line with...                                      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

[hariharancs07]

@candrews
Is this vulnerability exploitable for Paketo Buildpacks?
I don't believe it's exploitable, but an statement/assessment from Paketo would be helpful.

• I could also see this issue common across various tools, i tried this fix -> https://security.snyk.io/vuln/SNYK-ALPINE320-GO-7923878 but its still the same.

When will the buildpacks to be updated to go 1.22.7 (or later) eliminating this vulnerability?

• i came across various tools has this issue raised with go.

[candrews]

@dmikusa you previously worked on a go issue I reported, could you please take a look at this one?

[dmikusa]

I haven't had a chance to look and see if we're actually calling any of the packages listed there, but even if we are using them the impact is going to be minimal. The only input coming to the helper binaries is what you pass in via env variables or bindings. Thus for someone to take advantage of this, they'd need to be able to set env variables or bindings that get passed to your applications. Even then, the worst that would happen is they'd trigger this and your app would fail to start (the go helper binaries run before your app so if they crash your app won't start).

Our system automatically updates and pulls the latest patch releases of Go when we build, so the next time we build and publish images this will be resolved. I don't know the timing on that because it depends on the different teams to all update.

[dmikusa]

@anthonydahanne cut a release of the composite Java Buildpacks last night. Thanks for working through the pipeline issues!! 🙌

This should include new releases of all the composite Buildpacks which were build with the latest Go version.

tl;dr this should clear up the latest list of Go CVEs being reported against the Java Buildpacks.

Please let me know if you're still seeing any after updating. Thanks!

[anthonydahanne]

yes, most, if not all, latest buildpacks should be built with Go 1.23

[dmikusa]

I was looking at some of the images I build regularly and I am seeing the following. The second one is definitely CNB. I'm not sure about the first one cause no binary is listed, but suspect it's related to lifecycle. I poked that team and asked if they were planning a lifecycle release soon. That will depend on upstream to cut a lifecycle release. FYI.

=============================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


 (gobinary)
===========
Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-341   │ HIGH     │ fixed  │ 1.22.6            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

cnb/lifecycle/launcher (gobinary)
=================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.6            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘