CVE-2023-45288 on 3.5.14

[charlie-ang-collibra]

Hi! I'm unfamiliar with posting to this forum, so please bear with me if there are rules that I fail to follow 🙏

I am looking to address CVE-2023-45288 for my organization that is discovered by Snyk when scanning etcd 3.5.13.

My understanding (from #17703) was that golang/x/net was upgraded to 0.23.0 as per the merge to go.mod and go.sum in https://github.com/etcd-io/etcd/pull/17708/files). These changes were supposedly released in 3.5.14

However, when I try to use etcd 3.5.14 using the bitnami/etcd or the coreos/etcd docker images, snyk continues to find version 0.17.0

When I download the actual binary release from the https://storage.googleapis.com/etcd/v3.5.14/etcd-v3.5.14-darwin-amd64.zip, and unpack it, the go version result corroborates that it finds 0.17.0.

Am I missing anything here? Please help. Thanks.

[charlie-ang-collibra]

Hi @henrybear327, I'm hoping you might be able to help me confirm if this is just an error on my side, or if the CVE is still open?

It looks like the patch was only made to the main go.mod, while the corresponding go.mod files under client, etcdutl and etcdctl remained unpatched?

Thank you so much in advance.

[henrybear327]

@ahrtr I think I need to address 2 issues (and I am on it now)

• patch the missed updates
• patch the CI regarding the vulnerability checker

Based on the grep log I indeed missed other go.mod files, and the CI also didn't catch this...

➜  etcd git:(release-3.5) ✗ grep -Ri "golang.org/x/net v" | grep -v sum
./etcdutl/go.mod:       golang.org/x/net v0.17.0 // indirect
./go.mod:       golang.org/x/net v0.23.0 // indirect
./tools/mod/go.mod:     golang.org/x/net v0.0.0-20201021035429-f5854403a974 // indirect
./etcdctl/go.mod:       golang.org/x/net v0.17.0 // indirect
./tests/go.mod: golang.org/x/net v0.17.0 // indirect
./server/go.mod:        golang.org/x/net v0.17.0
./api/go.mod:   golang.org/x/net v0.17.0 // indirect
./client/v3/go.mod:     golang.org/x/net v0.17.0 // indirect
./pkg/go.mod:   golang.org/x/net v0.17.0 // indirect

[charlie-ang-collibra]

Thank you, @henrybear327. I wasn't sure if this was the right way to ask the question. 🙏

[henrybear327]

Thanks for flagging this @charlie-ang-collibra :)
I wasn't aware that I missed those and the CI also missed these.

[charlie-ang-collibra]

No worries. We're always happy for your support on etcd!

[henrybear327]

Initial PR for release branch 3.5 regarding CI and dependency updates is up for review!

[ahrtr]

@ahrtr I think I need to address 2 issues (and I am on it now)

• patch the missed updates
• patch the CI regarding the vulnerability checker

Based on the grep log I indeed missed other go.mod files, and the CI also didn't catch this...

➜  etcd git:(release-3.5) ✗ grep -Ri "golang.org/x/net v" | grep -v sum
./etcdutl/go.mod:       golang.org/x/net v0.17.0 // indirect
./go.mod:       golang.org/x/net v0.23.0 // indirect
./tools/mod/go.mod:     golang.org/x/net v0.0.0-20201021035429-f5854403a974 // indirect
./etcdctl/go.mod:       golang.org/x/net v0.17.0 // indirect
./tests/go.mod: golang.org/x/net v0.17.0 // indirect
./server/go.mod:        golang.org/x/net v0.17.0
./api/go.mod:   golang.org/x/net v0.17.0 // indirect
./client/v3/go.mod:     golang.org/x/net v0.17.0 // indirect
./pkg/go.mod:   golang.org/x/net v0.17.0 // indirect

Thanks @henrybear327 for the investigation.

Human make mistakes. I think we should also consider enhancing our workflow to automatically identify such inconsistencies.

[henrybear327]

@ahrtr I think I need to address 2 issues (and I am on it now)

• patch the missed updates
• patch the CI regarding the vulnerability checker

Based on the grep log I indeed missed other go.mod files, and the CI also didn't catch this...

➜  etcd git:(release-3.5) ✗ grep -Ri "golang.org/x/net v" | grep -v sum
./etcdutl/go.mod:       golang.org/x/net v0.17.0 // indirect
./go.mod:       golang.org/x/net v0.23.0 // indirect
./tools/mod/go.mod:     golang.org/x/net v0.0.0-20201021035429-f5854403a974 // indirect
./etcdctl/go.mod:       golang.org/x/net v0.17.0 // indirect
./tests/go.mod: golang.org/x/net v0.17.0 // indirect
./server/go.mod:        golang.org/x/net v0.17.0
./api/go.mod:   golang.org/x/net v0.17.0 // indirect
./client/v3/go.mod:     golang.org/x/net v0.17.0 // indirect
./pkg/go.mod:   golang.org/x/net v0.17.0 // indirect

Thanks @henrybear327 for the investigation.

Human make mistakes. I think we should also consider enhancing our workflow to automatically identify such inconsistencies.

Thanks @ahrtr for the kind words!

I will take care of the enhancement with @ivanvc

[charlie-ang-collibra]

Thank you for being super-responsive!

[ivanvc]

I created the issues #18180 and #18173 to track the enhancements. Henry solved the dependency issue with pull request #18170.