mrtc0 / bouheki Goto Github PK

Vulnerable Library - github.com/go-yaml/yaml-v2.4.0

YAML support for the Go language.

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-28948	Medium	5.5	github.com/go-yaml/yaml-v2.4.0	Direct	v3.0.0	❌

Details

CVE-2022-28948

Vulnerable Library - github.com/go-yaml/yaml-v2.4.0

YAML support for the Go language.

Dependency Hierarchy:

• ❌ github.com/go-yaml/yaml-v2.4.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

Publish Date: 2022-05-19

URL: CVE-2022-28948

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fm53-mpmp-7qw2

Release Date: 2022-05-19

Fix Resolution: v3.0.0

Step up your Open Source Security Game with Mend here

I want to be able to use * (e.g. *.example.com`) as allowed/denied domains.

The current implementation performs domain name resolution periodically. There is a problem with this implementation: if the TTL is shorter than the cycle for name resolution, the restriction will not work correctly.

Examples of domain names with short TTL are github.com. and s3-ap-northeast-1-w.amazonaws.com. .

For example, if you include these domains in your deny list, depending on the timing of name resolution, communication may be allowed, bypassing the restriction.
I have considered several implementations to solve this issue.

1. TTL value-based name resolution

We have considered name resolution at the time the TTL reaches 0, but this is not a fundamental solution. It can still be bypassed depending on timing.

2. DNS Proxy

Stop systemd-resolved, etc. and prepare another DNS Proxy instead. This may work well, but it is not smart to change the host's DNS settings...
Incidentally, it is also possible to create a plugin for NSS, but since not all programs depend on glibc, we will not adopt this approach.

3. eBPF

It is possible if you can successfully parse the name resolution request and response within the eBPF program, but I need to investigate if this is possible. And the same may be achieved with XDP.