CosmWasm · webmaster128 · Dec 10, 2024 · Nov 21, 2024 · Dec 10, 2024 · Dec 10, 2024
diff --git a/CWAs/CWA-2024-009.md b/CWAs/CWA-2024-009.md
@@ -0,0 +1,76 @@
+# CWA-2024-009
+
+**Severity**
+
+Low (Marginal + Likely)[^1]
+
+**Affected versions:**
+
+- wasmd < 0.53.1
+
+**Patched versions:**
+
+- wasmd 0.53.1
+
+## Description of the bug
+
+(Blank for now. We'll add more detail once chains had a chance to upgrade.)
+
+## Mitigations
+
+Apart from upgrading, it is recommended to **not** open the gRPC and REST APIs of _validator_ nodes to the public internet. Use isolated and resource-constrained environments for running separate public RPC nodes instead.
+These can then easily be thrown away and replaced with new instances in case of problems.
+
+## Applying the patch
+
+### Official Wasmd patch
+
+The patch will be shipped in a wasmd release. You will also have to update `libwasmvm` if you build statically.
+If you already use the latest / close to latest wasmd, you can update more or less as follows:
+
+1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd`
+2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.53.1 (Cosmos SDK 0.50 compatible); `go mod tidy`; commit.
+3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version.
+4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.53.1.
+5. Follow your regular practices to deploy chain upgrades.
+
+To double check if the correct library version is loaded at runtime, use this query:
+`<appd> query wasm libwasmvm-version`. It must show 2.1.4.
+
+The patch is not consensus breaking _if you are already using wasmvm 2.1.3_.
+If you are instead using wasmvm 2.1.2, then upgrading to 2.1.4 includes the consensus breaking changes of 2.1.3.
+
+### DIY Patch
+
+If you are unable to upgrade to the latest version, you can backport the wasmd patch to your version. The patch is available at [Wasmd 0.53.1](https://github.com/CosmWasm/wasmd/compare/v0.53.0...v0.53.1).
+However, if you are on an older version of wasmd, you will also be using a different version of wasmvm. We provide the required patches for wasmvm in versions 2.1.4, 2.0.5, 1.5.6.
+To upgrade using this method:
+
+1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and upgrade
+   to the closest patched version.
+2. Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to the closest compatible patched version (either 2.1.4, 2.0.5 or 1.5.6); go mod tidy; commit.
+3. Apply the patch linked above to your version of wasmd.
+4. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version.
+5. Follow your regular practices to deploy chain upgrades.
+
+To double check if the correct library version is loaded at runtime, use this query:
+`<appd> query wasm libwasmvm-version`. It must show 2.1.4, 2.0.5 or 1.5.6 and must be the same as the wasmvm version in your go.sum.
+
+The patch is not consensus breaking as long as you were using the previous patch version of wasmvm before.
+
+## Acknowledgement
+
+This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.
+
+If you believe you have found a bug in the Interchain Stack or would like to contribute to the
+program by reporting a bug, please see <https://hackerone.com/cosmos>.
+
+## Timeline
+
+- 2024-09-25: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.
+- 2024-09-30: Confio security contributors confirm the report.
+- 2024-11-21: Confio developed the patch internally.
+- 2024-12-06: Patch release is pre-announced through notification lists.
+- 2024-12-10: Patch released.
+
+[^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md
diff --git a/CWAs/README.md b/CWAs/README.md
@@ -4,6 +4,7 @@
 
 | Severity[^1] | Scope[^2] | ID                                                                      | Aliases                                    |
 | ------------ | --------- | ----------------------------------------------------------------------- | ------------------------------------------ |
+| Low          | VM        | [CWA-2024-009][CWA-2024-009]                                            |
 | Medium       | VM        | [CWA-2024-008][CWA-2024-008]                                            |                                            |
 | Medium       | VM        | [CWA-2024-007][CWA-2024-007]                                            |                                            |
 | Medium       | x/wasm    | [CWA-2024-006: Non-deterministic module_query_safe query][CWA-2024-006] | [GHSA-fpgj-cr28-fvpx]                      |
@@ -13,6 +14,7 @@
 | Medium       | Contracts | [CWA-2024-002: Arithmetic overflows in cosmwasm-std][CWA-2024-002]      | [RUSTSEC-2024-0338], [GHSA-8724-5xmm-w5xq] |
 | Low          | Contracts | [CWA-2024-001: Stack overflow in serde-json-wasm][CWA-2024-001]         | [RUSTSEC-2024-0012], [GHSA-rr69-rxr6-8qwf] |
 
+[CWA-2024-009]: ./CWA-2024-009.md
 [CWA-2024-008]: ./CWA-2024-008.md
 [CWA-2024-007]: ./CWA-2024-007.md
 [CWA-2024-006]: ./CWA-2024-006.md