x/vulndb: suggestion regarding GO-2024-2527

[dims]

Report ID

GO-2024-2527

Suggestion/Comment

etcd advisory - GHSA-5x4g-q5rc-36jp

etcd 3.5.x series was never affected by this vulnerability as 3.5.0 was released about a year after the 3.4.x branch was fixed. So the following error message is wrong ( Fixed in: N/A )

3.5.0 release tag info - https://github.com/etcd-io/etcd/tree/v3.5.0
3.4.10 release tag info - https://github.com/etcd-io/etcd/tree/v3.4.10

Vulnerability #1: GO-2024-2527
    Etcd pkg Insecure ciphers are allowed by default in
    go.etcd.io/etcd/client/pkg/v3
  More info: https://pkg.go.dev/vuln/GO-2024-2527
  Module: go.etcd.io/etcd/client/pkg/v3
    Found in: go.etcd.io/etcd/client/pkg/v3@v3.5.13
    Fixed in: N/A
    Example traces found:
Error:       #1: cmd/aws-cloud-controller-manager/main.go:38:2: aws.init calls options.init, which eventually calls fileutil.init
Error:       #2: cmd/aws-cloud-controller-manager/main.go:38:2: aws.init calls options.init, which eventually calls logutil.CreateDefaultZapLogger
Error:       #3: cmd/aws-cloud-controller-manager/main.go:38:2: aws.init calls options.init, which eventually calls logutil.init
Error:       #4: pkg/providers/v1/aws_metrics.go:67:17: providers.registerMetrics calls sync.Once.Do, which eventually calls logutil.init
Error:       #5: cmd/aws-cloud-controller-manager/main.go:38:2: aws.init calls options.init, which eventually calls systemd.init
Error:       #6: pkg/controllers/tagging/tagging_controller.go:191:2: tagging.Controller.Run calls wait.Until, which eventually calls tlsutil.NewCert
Error:       #7: cmd/aws-cloud-controller-manager/main.go:38:2: aws.init calls options.init, which eventually calls tlsutil.init
Error:       #8: pkg/providers/v1/aws.go:1070:38: providers.IsAWSErrorInstanceNotFound calls prometheus.MultiError.Error, which eventually calls transport.baseConfig
Error:       #9: pkg/providers/v1/aws.go:1070:38: providers.IsAWSErrorInstanceNotFound calls prometheus.MultiError.Error, which eventually calls transport.baseConfig
Error:       #10: pkg/controllers/tagging/tagging_controller.go:191:2: tagging.Controller.Run calls wait.Until, which eventually calls transport.baseConfig
Error:       #11: cmd/aws-cloud-controller-manager/main.go:38:2: aws.init calls options.init, which eventually calls transport.init
Error:       #12: cmd/aws-cloud-controller-manager/main.go:38:2: aws.init calls options.init, which eventually calls types.init

Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
Error: Process completed with exit code 3.

[ahrtr]

Etcd pkg Insecure ciphers are allowed by default in go.etcd.io/etcd/client/pkg/v3 is mentioned in https://pkg.go.dev/vuln/GO-2024-2527.

Insecure cipher suite is indeed allowed in etcd client pkg. Pls refer to client/pkg/tlsutil/cipher_suites.go#L30-L34. Users can configure it using the flag --cipher-suites, and a safe default list is used if empty.

So the GO-2024-2527 is still valid, but I think the severity is low, so no any action is required. Also Note that TLS 1.3 ciphersuites are not configurable.

[harshavardhana]

Incorrect assessment of the published security errata - Indicates that it's already addressed in specific versions (refer screenshot); also, --cipher-suites is an argument that the etcd server has nothing to do with dependent libraries of using etcd clients.

Whoever updated the Go vulnerability must revert it. Otherwise, we need to stop using this tool altogether, as it's no longer reliable.

[ahrtr]

We need to update github.com/etcd-io/etcd/security/advisories/GHSA-5x4g-q5rc-36jp.

• All etcd versions are affected.
• But the severity is low as mentioned above x/vulndb: suggestion regarding GO-2024-2527 #2952 (comment)

Not sure whether the github.com/advisories/GHSA-5x4g-q5rc-36jp will be automatically updated after we update the etcd/security/advisories/GHSA-5x4g-q5rc-36jp.

cc @jmhbnz @serathius @spzala @wenjiaswe @dims

[timothy-king]

Thank you for the report. We will look into this.