indy-plenum running on Ubuntu 20.04 is running a vulnerable version of sha3_256, issue is CVE-2022-37454 #1644
Comments
We did some tests on a recently installed indy / ubuntu 20.04 system.
Thanks to @lynnbendixsen lending his test system, I did run a few test cases, and consider that we should be safe upgrading the 22.04-based ubuntu indy systems. To run the following tests I provisioned 100K domain NYM transactions, to make sure that catch-up would happen, and also kept adding new NYMs while doing the various test cases:
I'm happy to announce that the 4-node indy cluster recovered in all the situations I put it through.
Thanks @pruneau628 and @lynnbendixsen
Yes, thanks @pruneau628 and @lynnbendixsen. I verified on a test cluster as well; the only change I made to the script was to run
@pruneau628 I've addressed this through #1679. Are you ok if we close this issue?
This problem was flagged by Quebec MCN security team.
OS release:
Indy release:
Given the code loading the sha3_256 function in [utils.py](https://github.com/hyperledger/indy-plenum/blob/698b9500ad3a7a15993af72a1c35a406c5673262/state/util/utils.py), lines 5-12, we tried this, to check which underlying OS library was used:
The last part of those traces clearly shows that the underlying C objects are coming from
/usr/lib/python3/dist-packages/_pysha3.cpython-38-x86_64-linux-gnu.so
And this shows that this was installed through an official ubuntu package:
Knowing this, and that the fix is available in ubuntu https://changelogs.ubuntu.com/changelogs/pool/universe/p/pysha3/pysha3_1.0.2-4ubuntu0.1/changelog
We are planning to test this procedure on an ubuntu node:
Then, for starters, see if the upgraded node manages to reach consensus once restarted.
We will keep this issue informed of developments, but any advice on better regression test methods is welcome.
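The check described in the issue, finding out which C extension actually provides `sha3_256` and whether that copy is one affected by CVE-2022-37454, as an added example. This is not code from indy-plenum or from the issue author; it assumes the utils.py import order is "stdlib `hashlib.sha3_256` first, pysha3's `sha3` module as a fallback" (the issue references those lines but does not reproduce them), and the CPython version thresholds are the upstream security releases that ported the XKCP fix (3.10.8, 3.9.16, 3.8.16, 3.7.16; 3.11.0 and later ship fixed). Mapping the reported `.so` path back to an OS package is left to `dpkg -S <path>` followed by `dpkg -l <package>`, as in the issue.

```python
"""Locate the C extension backing sha3_256 and classify it for CVE-2022-37454.

Added example, not indy-plenum code. The import order in load_sha3_256() is an
assumption about state/util/utils.py; FIXED_CPYTHON lists the upstream CPython
patch releases that carry the XKCP buffer-overflow fix.
"""
import hashlib
import importlib
import sys

# First CPython patch release per minor line that includes the backported fix.
# 3.11.0 and later shipped fixed; 3.6 and older never received it.
FIXED_CPYTHON = {
    (3, 7): (3, 7, 16),
    (3, 8): (3, 8, 16),
    (3, 9): (3, 9, 16),
    (3, 10): (3, 10, 8),
}


def load_sha3_256():
    """Assumed utils.py preference order: stdlib first, pysha3 as a fallback."""
    try:
        return hashlib.sha3_256
    except AttributeError:  # interpreter built without SHA-3 support
        return importlib.import_module("sha3").sha3_256  # provided by pysha3


def describe(func):
    """Return (module name, shared-object path or None) for a hash constructor.

    _hashlib  -> OpenSSL-backed hashlib
    _sha3     -> CPython's bundled Keccak code
    _pysha3   -> the pysha3 package (e.g. /usr/lib/python3/dist-packages/...)
    """
    mod_name = getattr(func, "__module__", None) or "unknown"
    module = sys.modules.get(mod_name)
    if module is None:
        try:
            module = importlib.import_module(mod_name)
        except ImportError:
            module = None
    # A statically linked built-in module has no __file__; report None then.
    return mod_name, getattr(module, "__file__", None)


def assess(mod_name, version=tuple(sys.version_info[:3])):
    """Classify the provider. Returns (status, explanation)."""
    version = tuple(version[:3])
    if mod_name == "_hashlib":
        return ("not_affected",
                "SHA-3 comes from OpenSSL via _hashlib, not from the XKCP code")
    if mod_name == "_sha3":
        if version[:2] >= (3, 11):
            return ("patched",
                    "CPython %d.%d ships with the fix" % version[:2])
        fixed = FIXED_CPYTHON.get(version[:2])
        if fixed is None:
            return ("unpatched",
                    "CPython %d.%d never received the fix; move to a "
                    "supported interpreter" % version[:2])
        if version >= fixed:
            return ("patched",
                    "CPython %d.%d.%d includes the backported fix" % version)
        return ("unpatched",
                "upgrade CPython to %d.%d.%d or later" % fixed)
    if mod_name == "_pysha3":
        return ("check_package",
                "pysha3 bundles its own XKCP copy; confirm the OS package "
                "revision with dpkg -S on the .so path, then dpkg -l")
    return ("unknown", "unrecognised sha3_256 provider %r" % mod_name)


def main():
    func = load_sha3_256()
    mod_name, path = describe(func)
    status, why = assess(mod_name)
    print("sha3_256 provider: %s (%s)" % (mod_name, path))
    print("status: %s: %s" % (status, why))
    # Non-zero exit lets a provisioning script fail fast on a suspect node.
    return 0 if status in ("not_affected", "patched") else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the same interpreter the node services use (the system `python3` on Ubuntu 20.04 is 3.8, so a `_pysha3` answer there points at the `python3-sha3` package from the pysha3 changelog linked above). A `_hashlib` answer on newer interpreters means OpenSSL's own Keccak is in use and the CPython and pysha3 thresholds do not apply.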