ghsa-6c7m-qwxj-mvhp
Vulnerability from github
Published
2021-11-19 20:55
Modified
2021-11-24 19:01
Severity ?
5.4 (Medium) - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Summary
Broken encryption in EdgeX Foundry
Details

Summary

Broken encryption in app-functions-sdk “AES” transform in EdgeX Foundry releases prior to Jakarta allows attackers to decrypt messages via unspecified vectors.

Detailed Description

The app-functions-sdk exports an “aes” transform that user scripts can optionally call to encrypt data in the processing pipeline. No decrypt function is provided. Encryption is not enabled by default, but if used, the level of protection may be less than the user may expects due to a broken implementation in https://github.com/edgexfoundry/app-functions-sdk-go/blob/v1.0.0/pkg/transforms/encryption.go

Version v2.1.0 (EdgeX Foundry Jakarta release and later) of app-functions-sdk-go/v2 deprecates the “aes” transform and provides an improved “aes256” transform in its place. The broken implementation will remain in a deprecated state until it is removed in the next EdgeX major release to avoid breakage of existing software that depends on the broken implementation.

Impact

As the broken transform is a library function that is not invoked by default, users who do not use the AES transform in their processing pipelines are unaffected. Those that are affected are urged to upgrade to the Jakarta EdgeX release and modify processing pipelines to use the new "aes256" transform.

Vulnerable go modules

  • github.com/edgexfoundry/app-functions-sdk-go < v2.1.0
  • github.com/edgexfoundry/app-functions-sdk-go/v2 < v2.1.0
  • github.com/edgexfoundry/app-service-configurable < v2.1.0

Vulnerable containers

  • https://hub.docker.com/r/edgexfoundry/app-service-configurable >= 2.0.0 < v2.1.0
  • https://hub.docker.com/r/edgexfoundry/app-service-configurable-arm64 >= 2.0.0 < 2.1.0
  • https://hub.docker.com/r/edgexfoundry/docker-app-service-configurable < 2.0.0
  • https://hub.docker.com/r/edgexfoundry/docker-app-service-configurable-arm64 < 2.0.0

Vulnerable Snaps

  • https://snapcraft.io/edgex-app-service-configurable >= 2.0.0 < 2.1.0

Patches

Upgrade to 2.1.0 version of app-functions-sdk-go/v2, app-service-configurable, and related docker containers shown below and modify user scripts to use the new "aes256" transform in place of the existing "aes" transform.

Patched go modules

  • github.com/edgexfoundry/app-functions-sdk-go/v2 v2.1.0
  • github.com/edgexfoundry/app-service-configurable v2.1.0

Modification of user scripts is necessary for full remediation.

Patched containers

  • https://hub.docker.com/r/edgexfoundry/app-service-configurable:>=2.1.0
  • https://hub.docker.com/r/edgexfoundry/app-service-configurable-arm64:>=2.1.0

Modification of user scripts is necessary for full remediation.

Patched Snaps

  • https://snapcraft.io/edgex-app-service-configurable >= 2.1.0

Modification of user scripts is necessary for full remediation.

Workarounds

If unable to upgrade, change the processing pipeline to use an HTTPS (TLS 1.3) endpoint to export and skip encryption.

References

For more information

If you have any questions or comments about this advisory: * Contact us in the Slack #security channel * Open an issue in edgex-go * Email us at EdgeX-TSC-Security@lists.edgexfoundry.org

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/edgexfoundry/app-functions-sdk-go/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.1.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/edgexfoundry/app-functions-sdk-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/edgexfoundry/app-service-configurable"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-18T23:05:06Z",
    "nvd_published_at": "2021-11-19T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nBroken encryption in app-functions-sdk \u201cAES\u201d transform in EdgeX Foundry releases prior to Jakarta allows attackers to decrypt messages via unspecified vectors.\n\n### Detailed Description\nThe app-functions-sdk exports an \u201caes\u201d transform that user scripts can optionally call to encrypt data in the processing pipeline.  No decrypt function is provided.  Encryption is not enabled by default, but if used, the level of protection may be less than the user may expects due to a broken implementation in https://github.com/edgexfoundry/app-functions-sdk-go/blob/v1.0.0/pkg/transforms/encryption.go \n\nVersion v2.1.0 (EdgeX Foundry Jakarta release and later) of app-functions-sdk-go/v2 deprecates the \u201caes\u201d transform and provides an improved \u201caes256\u201d transform in its place.  The broken implementation will remain in a deprecated state until it is removed in the next EdgeX major release to avoid breakage of existing software that depends on the broken implementation.\n\n### Impact\nAs the broken transform is a library function that is not invoked by default, users who do not use the AES transform in their processing pipelines are unaffected.  Those that are affected are urged to upgrade to the Jakarta EdgeX release and modify processing pipelines to use the new \"aes256\" transform.\n\n#### Vulnerable go modules\n- github.com/edgexfoundry/app-functions-sdk-go  \u003c v2.1.0\n- github.com/edgexfoundry/app-functions-sdk-go/v2  \u003c v2.1.0\n- github.com/edgexfoundry/app-service-configurable \u003c v2.1.0\n\n#### Vulnerable containers\n- https://hub.docker.com/r/edgexfoundry/app-service-configurable \u003e= 2.0.0 \u003c v2.1.0\n- https://hub.docker.com/r/edgexfoundry/app-service-configurable-arm64  \u003e= 2.0.0 \u003c 2.1.0\n- https://hub.docker.com/r/edgexfoundry/docker-app-service-configurable  \u003c 2.0.0\n- https://hub.docker.com/r/edgexfoundry/docker-app-service-configurable-arm64 \u003c 2.0.0 \n\n#### Vulnerable Snaps\n- https://snapcraft.io/edgex-app-service-configurable \u003e= 2.0.0 \u003c 2.1.0\n\n### Patches\nUpgrade to 2.1.0 version of app-functions-sdk-go/v2, app-service-configurable, and related docker containers shown below and modify user scripts to use the new \"aes256\" transform in place of the existing \"aes\" transform.\n\n#### Patched go modules\n- github.com/edgexfoundry/app-functions-sdk-go/v2 v2.1.0\n- github.com/edgexfoundry/app-service-configurable v2.1.0\n\nModification of user scripts is necessary for full remediation.\n\n#### Patched containers\n- https://hub.docker.com/r/edgexfoundry/app-service-configurable:\u003e=2.1.0\n- https://hub.docker.com/r/edgexfoundry/app-service-configurable-arm64:\u003e=2.1.0\n\nModification of user scripts is necessary for full remediation.\n\n#### Patched Snaps\n- https://snapcraft.io/edgex-app-service-configurable \u003e= 2.1.0\n\nModification of user scripts is necessary for full remediation.\n\n### Workarounds\nIf unable to upgrade, change the processing pipeline to use an HTTPS (TLS 1.3) endpoint to export and skip encryption.\n\n### References\n* [2.0 documentation](https://docs.edgexfoundry.org/2.0/microservices/application/BuiltIn/#aes)\n* [2.1 documentation](https://docs.edgexfoundry.org/2.1/microservices/application/BuiltIn/#encryption-deprecated)\n* [GitHub issue](https://github.com/edgexfoundry/app-functions-sdk-go/issues/968)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact us in the [Slack #security channel](https://slack.edgexfoundry.org/)\n* Open an issue in [edgex-go](https://github.com/edgexfoundry/edgex-go)\n* Email us at [EdgeX-TSC-Security@lists.edgexfoundry.org](mailto:EdgeX-TSC-Security@lists.edgexfoundry.org)",
  "id": "GHSA-6c7m-qwxj-mvhp",
  "modified": "2021-11-24T19:01:48Z",
  "published": "2021-11-19T20:55:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/edgexfoundry/app-functions-sdk-go/security/advisories/GHSA-6c7m-qwxj-mvhp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41278"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgexfoundry/app-functions-sdk-go/commit/8fa13c6388ce76a6b878b54490eac61aa7d81165"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/edgexfoundry/app-functions-sdk-go"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Broken encryption in EdgeX Foundry"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.