[GODRIVER-1748] CVE-2019-11254 - Known vulnerability in yaml.v2 v2.2.2 Created: 10/Sep/20  Updated: 28/Oct/23  Resolved: 25/Sep/20

Status: Closed
Project: Go Driver
Component/s: Core API
Affects Version/s: 1.4.1
Fix Version/s: 1.4.2

Type: Bug Priority: Major - P3
Reporter: Nicholas Beenham Assignee: Divjot Arora (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

The latest version of the mongo-go-driver imports 2 packages which in turn import gopkg.in/yaml.v2 v2.2.2; this has a vulnerability identified in https://nvd.nist.gov/vuln/detail/CVE-2019-11254 and first exposed in the Kubernetes API: https://github.com/kubernetes/kubernetes/issues/89535

The 2 packages are:

github.com/pelletier/go-toml@v1.4.0

github.com/stretchr/testify@v1.4.0

The current versions of both packages are patched to a higher version of the yaml package.



Comments
Comment by Divjot Arora (Inactive) [ 25/Sep/20 ]

nicholas_beenham@cable.comcast.com Once again, thanks for bringing this to our attention! It required some back and forth, but we've upgraded all required dependencies to ensure that we only depend on go-yaml v2.2.8 and higher. I've backported this work so it will be available in the upcoming 1.4.2 release.

– Divjot

Comment by Githook User [ 25/Sep/20 ]

Author:

{'name': 'Divjot Arora', 'email': 'divjot.arora@10gen.com', 'username': 'divjotarora'}

Message: GODRIVER-1748 Upgrade transitive go-yaml dependency (#505)

This commit upgrades our direct aws-sdk-go, go-toml and testify
dependencies, which transitively depend on go-yaml to address
CVE-2019-11254.
Branch: release/1.4
https://github.com/mongodb/mongo-go-driver/commit/44a08b7d04549d3f72d94aa926a633f583650c84

Comment by Githook User [ 25/Sep/20 ]

Author:

{'name': 'Divjot Arora', 'email': 'divjot.arora@10gen.com', 'username': 'divjotarora'}

Message: GODRIVER-1748 Upgrade transitive go-yaml dependency (#505)

This commit upgrades our direct aws-sdk-go, go-toml and testify
dependencies, which transitively depend on go-yaml to address
CVE-2019-11254.
Branch: master
https://github.com/mongodb/mongo-go-driver/commit/93c2b896c41e4f14bfaa701588522c89f22b48ef

Comment by Divjot Arora (Inactive) [ 22/Sep/20 ]

nicholas_beenham@cable.comcast.com Thanks for keeping us posted on the developments for this. I've opened https://github.com/mongodb/mongo-go-driver/pull/505 to upgrade our go-toml, testify, and aws-sdk-go dependencies.

Comment by Nicholas Beenham [ 22/Sep/20 ]

https://github.com/aws/aws-sdk-go/blob/v1.34.28/go.mod

You should be good now, the latest release has the updated package

Comment by Nicholas Beenham [ 19/Sep/20 ]

Looks like the latest go-jmespath@0.4.0 has been updated, I think we'll see aws-sdk-go updated shortly.


https://github.com/aws/aws-sdk-go/pull/3546

Comment by Divjot Arora (Inactive) [ 18/Sep/20 ]

Thanks for the update. I'll keep an eye on it. Once that's merged, we'd have to wait for a new go-jmespath release and then ask for aws-sdk-go to upgrade to that release. I'm not really sure what the right state for this ticket is at this time because there's no work for us to do here, but I also don't want it to get lost in the backlog, so I'm going to leave it in "Investigating". I've subscribed to notifications on the go-jmespath PR so we can move forward once we see progress there.

– Divjot

Comment by Nicholas Beenham [ 18/Sep/20 ]

Someone beat me to it by half an hour! https://github.com/jmespath/go-jmespath/pull/55 There is a PR open to update based on the CVE.

Comment by Divjot Arora (Inactive) [ 18/Sep/20 ]

nicholas_beenham@cable.comcast.com I think you'd have to reach out to github.com/jmespath/go-jmespath because v0.3.0 is the latest release of that module and it imports testify@v1.5.1, but testify's gopkg.in/yaml dependency wasn't bumped to v3 until v1.6.0.

Comment by Nicholas Beenham [ 17/Sep/20 ]

Thanks! I'm going to reach out to AWS and see what they are going to do about the SDK

Comment by Divjot Arora (Inactive) [ 16/Sep/20 ]

Hi nicholas_beenham@cable.comcast.com,

Thanks for reporting this vulnerability. I'm working on upgrading the packages, but am running into a dead end. I upgraded testify and go-toml to the most recent versions, but gopkg.in/yaml.v2 v2.2.2 still shows up in our go.sum. I then upgraded aws-sdk-go to its latest version (v1.34.25) as it relied on an older testify version. v1.2.2 of gopkg.in/yaml.v2 is still showing up in go.sum.

Running "go mod graph" shows this chain:

github.com/aws/aws-sdk-go@v1.34.25 -> github.com/jmespath/go-jmespath@v0.3.0

github.com/jmespath/go-jmespath@v0.3.0 -> github.com/stretchr/testify@v1.5.1

github.com/stretchr/testify@v1.5.1 -> gopkg.in/yaml.v2@v2.2.2

Do you know if this will still be problematic? If it helps, my work so far is at https://github.com/divjotarora/mongo-go-driver/tree/godriver1748-yaml-upgrade.
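The open question in the thread is whether an old yaml.v2 version that still appears in go.sum and in the `go mod graph` output is actually built. As an added example (not code from this ticket or from the driver), the Go program below parses `go mod graph` lines like the chain above and computes the version of a module path that minimal version selection will choose: the highest version required anywhere in the graph. The sample graph is constructed; the go.mongodb.org/mongo-driver root name and the go-toml@v1.8.1 edges requiring yaml.v2@v2.2.8 are assumptions added to show a newer requirement competing with the old one.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed sample in the "requirer required@version" line format of `go mod graph`, mirroring
// the chain in this ticket; the go-toml@v1.8.1 edges are an assumed newer competing requirement.
const sampleGraph = `go.mongodb.org/mongo-driver github.com/aws/aws-sdk-go@v1.34.25
go.mongodb.org/mongo-driver github.com/pelletier/go-toml@v1.8.1
github.com/aws/aws-sdk-go@v1.34.25 github.com/jmespath/go-jmespath@v0.3.0
github.com/jmespath/go-jmespath@v0.3.0 github.com/stretchr/testify@v1.5.1
github.com/stretchr/testify@v1.5.1 gopkg.in/yaml.v2@v2.2.2
github.com/pelletier/go-toml@v1.8.1 gopkg.in/yaml.v2@v2.2.8`

// parseGraph builds an adjacency list: requirer -> required module@version.
func parseGraph(text string) map[string][]string {
	g := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			g[f[0]] = append(g[f[0]], f[1])
		}
	}
	return g
}

// versionKey pads "vX.Y.Z[-pre]" to fixed-width numbers so that plain string comparison
// orders versions numerically (v2.2.10 sorts above v2.2.8); the empty string sorts lowest.
func versionKey(v string) (key string) {
	base, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	for _, part := range strings.Split(base, ".") {
		n, _ := strconv.Atoi(part)
		key += strconv.Itoa(1000000 + n)
	}
	return key
}

// selectedVersion returns the highest version of modPath required anywhere in the graph: the one
// minimal version selection builds (replace/exclude directives aside). An old version listed in
// go.sum or in the graph is therefore not by itself proof that its code is compiled in.
func selectedVersion(g map[string][]string, modPath string) (best string) {
	for _, reqs := range g {
		for _, r := range reqs {
			if p, v, ok := strings.Cut(r, "@"); ok && p == modPath && versionKey(v) > versionKey(best) {
				best = v
			}
		}
	}
	return best
}
```

On a real module, `go list -m gopkg.in/yaml.v2` prints the same selected version and `go mod why -m gopkg.in/yaml.v2` prints the requirement chain, so the function is a way to check that the graph you are reading agrees with what the build uses.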

Generated at Thu Feb 08 08:37:03 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.