-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SNOW-1333232 High Severity DoS CVE in introduced - github.com/hambra/avro #1101
Comments
hi and thank you for drawing attention to this issue and also for the PR ! can we please wait for Arrow v16 to be available? also the linked Snyk issue leads to CVE-2023-37475, which per NVD advisory https://nvd.nist.gov/vuln/detail/CVE-2023-37475 is fixed in github.com/hambra/avro 2.13.0 and up. Apache Arrow v15 depends on hamba/avro v.2.17.2 which per the above NVD is not vulnerable. Is this the right CVE number ? |
@sfc-gh-dszmolka We can wait if you're more comfortable with an official release This commit fixed the DoS which was released in hamba/avro v2.19.0. |
Good catch though; I brought this up with the Snyk team as a potential false positive. Will report back here |
Thanks for the additional details, indeed Arrow seems to have bumped the hamba/avro to past 2.19 (2.20.1) in the latest (yet unreleased) code. Of course the team will review your PR but from what I saw we usually prefer depending on official released code. Good to have this on the table though, so really appreciate ! |
@ChronosMasterOfAllTime Arrow v16 looks to be released now, can you please modify your PR to have the official released v16.0.0 ? |
thank you for modifying it to v16; let's await for the PR review. |
A quick update: we cannot just simply merge the PR. Reason being (as you might have noticed from the tests) , all tests are for this PR failing for go1.19 as Arrow v16 would need go1.20 at least. Until Snowflake drops support for go1.19, we cannot merge this PR or else it would break the driver for everyone on go1.19 currently. Likely we would also require a new major version released from the driver. So we must take appropriate care. This is to set expectations why this 'simple' Arrow version bump won't be very very quickly merged. Also on the side note, the question is still open: can you perhaps please advise what is the actual 'High Severity DoS CVE' / vulnerability which is there in Arrow v15.0.2 and supposed to be addressed in Arrow v16 ? It is likely not the one linked to this issue originally:
because it is addressed in avro 2.13 and arrow v15 on which we are already depends on avro 2.17 which is not vulnerable to this CVE. |
We reached out to Snyk support on this as well. Turns out the DB was never updated for this entry. We can table this for now. |
Thank you for following up with Snyk and the feedback - as there's no vulnerability, closing the issue for now. The bump to Arrow v16 will still happen though, eventually. |
As a followup, separately from the CVE concern, which is already resolved for months. Arrow is now bumped to v16, and will be released with November 2024 releas cycle of the gosnowflake driver. Thank you for the contribution! |
Please answer these questions before submitting your issue.
In order to accurately debug the issue this information is required. Thanks!
What version of GO driver are you using? 1.9
What operating system and processor architecture are you using? MacOS x86_64
What version of GO are you using? 1.22
run
go version
in your console4.Server version: N/A
Upgraded to v1.9 of the Snowflake driver. Apache Arrow v15.0.0 is using a version of the
github.com/hambra/avro
that introduces a DoS exploit. This is fixed in the latest version of Apache ArrowSee Snyk issue
Fixed in v16.0.0 of Apache Arrow go.mod
What did you expect to see?
No High CVE exploits
Can you set logging to DEBUG and collect the logs?
https://community.snowflake.com/s/article/How-to-generate-log-file-on-Snowflake-connectors
What is your Snowflake account identifier, if any? databots
The text was updated successfully, but these errors were encountered: