Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SNOW-1333232 High Severity DoS CVE in introduced - github.com/hambra/avro #1101

Closed
ChronosMasterOfAllTime opened this issue Apr 17, 2024 · 10 comments · Fixed by #1102
Closed
Assignees
Labels
invalid status-triage_done Initial triage done, will be further handled by the driver team

Comments

@ChronosMasterOfAllTime
Copy link
Contributor

ChronosMasterOfAllTime commented Apr 17, 2024

Please answer these questions before submitting your issue.
In order to accurately debug the issue this information is required. Thanks!

  1. What version of GO driver are you using? 1.9

  2. What operating system and processor architecture are you using? MacOS x86_64

  3. What version of GO are you using? 1.22
    run go version in your console

4.Server version: N/A

  1. What did you do?

Upgraded to v1.9 of the Snowflake driver. Apache Arrow v15.0.0 is using a version of the github.com/hambra/avro that introduces a DoS exploit. This is fixed in the latest version of Apache Arrow

See Snyk issue

Fixed in v16.0.0 of Apache Arrow go.mod

  1. What did you expect to see?

    No High CVE exploits

  2. Can you set logging to DEBUG and collect the logs?

    https://community.snowflake.com/s/article/How-to-generate-log-file-on-Snowflake-connectors

  3. What is your Snowflake account identifier, if any? databots

@ChronosMasterOfAllTime ChronosMasterOfAllTime added the bug Erroneous or unexpected behaviour label Apr 17, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka self-assigned this Apr 17, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka added the status-triage_done Initial triage done, will be further handled by the driver team label Apr 17, 2024
@sfc-gh-dszmolka
Copy link
Contributor

sfc-gh-dszmolka commented Apr 17, 2024

hi and thank you for drawing attention to this issue and also for the PR ! can we please wait for Arrow v16 to be available?

also the linked Snyk issue leads to CVE-2023-37475, which per NVD advisory https://nvd.nist.gov/vuln/detail/CVE-2023-37475 is fixed in github.com/hambra/avro 2.13.0 and up.

Apache Arrow v15 depends on hamba/avro v.2.17.2 which per the above NVD is not vulnerable.

Is this the right CVE number ?

@sfc-gh-dszmolka sfc-gh-dszmolka added status-information_needed Additional information is required from the reporter and removed bug Erroneous or unexpected behaviour labels Apr 17, 2024
@ChronosMasterOfAllTime
Copy link
Contributor Author

ChronosMasterOfAllTime commented Apr 17, 2024

@sfc-gh-dszmolka We can wait if you're more comfortable with an official release

This commit fixed the DoS which was released in hamba/avro v2.19.0.

From Snyk
image

@ChronosMasterOfAllTime
Copy link
Contributor Author

Good catch though; I brought this up with the Snyk team as a potential false positive. Will report back here

@sfc-gh-dszmolka
Copy link
Contributor

Thanks for the additional details, indeed Arrow seems to have bumped the hamba/avro to past 2.19 (2.20.1) in the latest (yet unreleased) code.

Of course the team will review your PR but from what I saw we usually prefer depending on official released code. Good to have this on the table though, so really appreciate !

@sfc-gh-dszmolka sfc-gh-dszmolka removed the status-information_needed Additional information is required from the reporter label Apr 17, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka changed the title High Severity DoS CVE introduced High Severity DoS CVE in introduced - github.com/hambra/avro Apr 17, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka changed the title High Severity DoS CVE in introduced - github.com/hambra/avro SNOW-1333232 High Severity DoS CVE in introduced - github.com/hambra/avro Apr 17, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka removed their assignment Apr 19, 2024
@sfc-gh-dszmolka
Copy link
Contributor

@ChronosMasterOfAllTime Arrow v16 looks to be released now, can you please modify your PR to have the official released v16.0.0 ?

@sfc-gh-dszmolka
Copy link
Contributor

thank you for modifying it to v16; let's await for the PR review.

@sfc-gh-dszmolka sfc-gh-dszmolka added the status-pr_pending_merge A PR is made and is under review label Apr 22, 2024
@sfc-gh-dszmolka
Copy link
Contributor

A quick update: we cannot just simply merge the PR. Reason being (as you might have noticed from the tests) , all tests are for this PR failing for go1.19 as Arrow v16 would need go1.20 at least.

Until Snowflake drops support for go1.19, we cannot merge this PR or else it would break the driver for everyone on go1.19 currently. Likely we would also require a new major version released from the driver.

So we must take appropriate care.

This is to set expectations why this 'simple' Arrow version bump won't be very very quickly merged.

Also on the side note, the question is still open: can you perhaps please advise what is the actual 'High Severity DoS CVE' / vulnerability which is there in Arrow v15.0.2 and supposed to be addressed in Arrow v16 ?

It is likely not the one linked to this issue originally:

because it is addressed in avro 2.13 and arrow v15 on which we are already depends on avro 2.17 which is not vulnerable to this CVE.
Clarification is really appreciated !

@sfc-gh-dszmolka sfc-gh-dszmolka added the status-blocked Progressing the issue is blocked by something, probably dependencies. label Apr 23, 2024
@ChronosMasterOfAllTime
Copy link
Contributor Author

We reached out to Snyk support on this as well. Turns out the DB was never updated for this entry. We can table this for now.

@sfc-gh-dszmolka
Copy link
Contributor

Thank you for following up with Snyk and the feedback - as there's no vulnerability, closing the issue for now. The bump to Arrow v16 will still happen though, eventually.

@sfc-gh-dszmolka sfc-gh-dszmolka added invalid and removed status-pr_pending_merge A PR is made and is under review status-blocked Progressing the issue is blocked by something, probably dependencies. labels Apr 23, 2024
@sfc-gh-dszmolka
Copy link
Contributor

As a followup, separately from the CVE concern, which is already resolved for months.

Arrow is now bumped to v16, and will be released with November 2024 releas cycle of the gosnowflake driver. Thank you for the contribution!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
invalid status-triage_done Initial triage done, will be further handled by the driver team
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants