Critical vulnerability CVE-2024-24790 in go stdlib #13327

Closed
bpfoster opened this issue Jun 26, 2024 · 4 comments

Comments

@bpfoster

Loki 3.0.0

CVE-2024-24790 has been published against the go stdlib net/netip.

https://pkg.go.dev/vuln/GO-2024-2887

Resolved in Go 1.21.11 or 1.22.4. Loki 3.0.0 shows as built with a vulnerable Go 1.21.9.

@JohnFrampton

We would very much appreciate the fix :-)

@bpfoster

bpfoster commented Jul 3, 2024

Vulnerability still present in the just-released Loki 3.1.0:

$ ./loki-linux-amd64 --version
loki, version 3.1.0 (branch: k207, revision: 935aee77)
  build user:       root@de8d403f3caa
  build date:       2024-07-02T10:19:43Z
  go version:       go1.22.2
  platform:         linux/amd64
  tags:             netgo

$ govulncheck -mode binary loki-linux-amd64
=== Symbol Results ===

Vulnerability #1: GO-2024-2963
    Denial of service due to improper 100-continue handling in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2963
  Standard library
    Found in: net/http@go1.22.2
    Fixed in: net/http@go1.22.5
    Vulnerable symbols found:
      #1: http.Client.CloseIdleConnections
      #2: http.Client.Do
      #3: http.Client.Get
      #4: http.Client.Head
      #5: http.Client.Post
      #6: http.Client.PostForm
      #7: http.Get
      #8: http.Head
      #9: http.Post
      #10: http.PostForm
      #11: http.Transport.CancelRequest
      #12: http.Transport.CloseIdleConnections
      #13: http.Transport.RoundTrip

Vulnerability #2: GO-2024-2918
    Azure Identity Libraries Elevation of Privilege Vulnerability in
    github.com/Azure/azure-sdk-for-go/sdk/azidentity
  More info: https://pkg.go.dev/vuln/GO-2024-2918
  Module: github.com/Azure/azure-sdk-for-go/sdk/azidentity
    Found in: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.5.1
    Fixed in: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.6.0
    Vulnerable symbols found:
      #1: azidentity.AzurePipelinesCredential.GetToken
      #2: azidentity.ChainedTokenCredential.GetToken
      #3: azidentity.ClientAssertionCredential.GetToken
      #4: azidentity.ClientCertificateCredential.GetToken
      #5: azidentity.ClientSecretCredential.GetToken
      #6: azidentity.DefaultAzureCredential.GetToken
      #7: azidentity.EnvironmentCredential.GetToken
      #8: azidentity.ManagedIdentityCredential.GetToken
      #9: azidentity.NewDefaultAzureCredential
      #10: azidentity.NewManagedIdentityCredential
      #11: azidentity.OnBehalfOfCredential.GetToken
      #12: azidentity.WorkloadIdentityCredential.GetToken
      #13: azidentity.confidentialClient.GetToken

Vulnerability #3: GO-2024-2888
    Mishandling of corrupt central directory record in archive/zip
  More info: https://pkg.go.dev/vuln/GO-2024-2888
  Standard library
    Found in: archive/zip@go1.22.2
    Fixed in: archive/zip@go1.22.4
    Vulnerable symbols found:
      #1: zip.NewReader
      #2: zip.OpenReader

Vulnerability #4: GO-2024-2887
    Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in
    net/netip
  More info: https://pkg.go.dev/vuln/GO-2024-2887
  Standard library
    Found in: net/netip@go1.22.2
    Fixed in: net/netip@go1.22.4
    Vulnerable symbols found:
      #1: netip.Addr.IsGlobalUnicast
      #2: netip.Addr.IsInterfaceLocalMulticast
      #3: netip.Addr.IsLinkLocalMulticast
      #4: netip.Addr.IsLoopback
      #5: netip.Addr.IsMulticast
      #6: netip.Addr.IsPrivate

Vulnerability #5: GO-2024-2824
    Malformed DNS message can cause infinite loop in net
  More info: https://pkg.go.dev/vuln/GO-2024-2824
  Standard library
    Found in: net@go1.22.2
    Fixed in: net@go1.22.3
    Vulnerable symbols found:
      #1: net.Dial
      #2: net.DialTimeout
      #3: net.Dialer.Dial
      #4: net.Dialer.DialContext
      #5: net.Listen
      #6: net.ListenConfig.Listen
      #7: net.ListenConfig.ListenPacket
      #8: net.ListenPacket
      #9: net.LookupAddr
      #10: net.LookupCNAME
      #11: net.LookupHost
      #12: net.LookupIP
      #13: net.LookupMX
      #14: net.LookupNS
      #15: net.LookupSRV
      #16: net.LookupTXT
      #17: net.ResolveIPAddr
      #18: net.ResolveTCPAddr
      #19: net.ResolveUDPAddr
      #20: net.Resolver.LookupAddr
      #21: net.Resolver.LookupCNAME
      #22: net.Resolver.LookupHost
      #23: net.Resolver.LookupIP
      #24: net.Resolver.LookupIPAddr
      #25: net.Resolver.LookupMX
      #26: net.Resolver.LookupNS
      #27: net.Resolver.LookupNetIP
      #28: net.Resolver.LookupSRV
      #29: net.Resolver.LookupTXT

Vulnerability #6: GO-2022-0646
    Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go
  More info: https://pkg.go.dev/vuln/GO-2022-0646
  Module: github.com/aws/aws-sdk-go
    Found in: github.com/aws/aws-sdk-go@v1.50.32
    Fixed in: N/A
    Vulnerable symbols found:
      #1: s3crypto.NewDecryptionClient
      #2: s3crypto.NewEncryptionClient

Your code is affected by 6 vulnerabilities from 2 modules and the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require
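
The following Go program is an added example, not code from this thread or from the Loki project. It shows what GO-2024-2887 / CVE-2024-24790 (vulnerability #4 in the scan above) means in practice: on an affected toolchain the netip.Addr Is* methods (IsLoopback, IsPrivate, IsMulticast and friends) return false for an IPv4-mapped IPv6 address such as ::ffff:127.0.0.1 even though the same host in plain IPv4 form returns true, so an "is this peer loopback/private?" check can be bypassed by presenting the mapped form. It also shows the check that is safe on both vulnerable and fixed toolchains: call Unmap() before the Is* method. The sample addresses and the function names (classify, classifyUnmapped, toolchainAffected) are constructed for this example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed sample inputs: the same hosts written as plain IPv4 and as
// IPv4-mapped IPv6 (::ffff:a.b.c.d), which is how a dual-stack listener
// commonly hands an IPv4 peer address to Go code.
var samples = []string{
	"127.0.0.1", "::ffff:127.0.0.1",
	"10.0.0.8", "::ffff:10.0.0.8",
	"224.0.0.251", "::ffff:224.0.0.251",
	"8.8.8.8", "::ffff:8.8.8.8",
}

// classify reports the stdlib Is* results exactly as the running toolchain
// implements them. On Go < 1.21.11 / 1.22.4 the IPv4-mapped forms wrongly
// return false for loopback, private and multicast.
func classify(s string) (loopback, private, multicast bool, err error) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return false, false, false, err
	}
	return a.IsLoopback(), a.IsPrivate(), a.IsMulticast(), nil
}

// classifyUnmapped is the hardened form: Unmap() strips the ::ffff: prefix
// so an IPv4-mapped address is judged as the IPv4 address it represents.
// It yields the same answer on vulnerable and fixed toolchains.
func classifyUnmapped(s string) (loopback, private, multicast bool, err error) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return false, false, false, err
	}
	a = a.Unmap()
	return a.IsLoopback(), a.IsPrivate(), a.IsMulticast(), nil
}

// toolchainAffected returns true if the stdlib this binary was built with
// still shows the GO-2024-2887 behaviour (mapped loopback not recognised).
func toolchainAffected() bool {
	mapped := netip.MustParseAddr("::ffff:127.0.0.1")
	return !mapped.IsLoopback()
}

func main() {
	fmt.Printf("stdlib Is* methods affected on this toolchain: %v\n\n", toolchainAffected())
	for _, s := range samples {
		l1, p1, m1, err := classify(s)
		if err != nil {
			fmt.Printf("%-20s parse error: %v\n", s, err)
			continue
		}
		l2, p2, m2, _ := classifyUnmapped(s)
		fmt.Printf("%-20s raw: loopback=%-5v private=%-5v multicast=%-5v | unmapped: loopback=%-5v private=%-5v multicast=%-5v\n",
			s, l1, p1, m1, l2, p2, m2)
	}
}
```

Build it with the toolchain under test and compare the "raw" and "unmapped" columns: on a fixed Go the two columns agree, on an affected Go the mapped rows differ. To confirm which Go a shipped binary was built with without running it, `go version -m ./loki-linux-amd64` prints the embedded build info, which is the same data govulncheck's binary mode reads.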

@reedog117

This CVE is also still present in the recently released 2.9.9.

@bpfoster

bpfoster commented Sep 4, 2024

Looks like these issues are not reviewed... It appears this was closed in Loki versions 3.0.1 and 3.1.1:

#13833
#13789

@bpfoster bpfoster closed this as completed Sep 4, 2024