GHSA-vmqh-5232-v43r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vmqh-5232-v43r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-vmqh-5232-v43r/GHSA-vmqh-5232-v43r.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-vmqh-5232-v43r
- Published
- 2024-12-10T16:55:37Z
- Modified
- 2024-12-10T16:55:37Z
- Summary
- Panic in wasmvm can slow down block production
- Details
-
CWA-2024-008
Severity
Medium (Moderate + Likely)[^1]
Affected versions:
- wasmvm >= 2.1.0, < 2.1.3
- wasmvm >= 2.0.0, < 2.0.4
- wasmvm < 1.5.5
- cosmwasm-vm >= 2.1.0, < 2.1.4
- cosmwasm-vm >= 2.0.0, < 2.0.7
- cosmwasm-vm < 1.5.8
Patched versions:
- wasmvm 1.5.5, 2.0.4, 2.1.3
- cosmwasm-vm 1.5.8, 2.0.7, 2.1.4
Description of the bug
(Blank for now. We'll add more detail once chains had a chance to upgrade.)
Patch
- 1.5: https://github.com/CosmWasm/cosmwasm/commit/edcdbc520d4f5521eed42de6e2869658278e91fd
- 2.0: https://github.com/CosmWasm/cosmwasm/commit/f63429ca59eb44dd5d780c1572016581337091e4
- 2.1: https://github.com/CosmWasm/cosmwasm/commit/108e7dcbf9c21df0fa83f355ad3a7355d7f220cb
Applying the patch
The patch will be shipped in releases of wasmvm. You can update more or less as follows:
- Check the current wasmvm version:
go list -m github.com/CosmWasm/wasmvm - Bump the
github.com/CosmWasm/wasmvmdependency in your go.mod to 1.5.5, 2.0.4, 2.1.3 depending on which minor version you are;go mod tidy; commit. - If you use the static libraries
libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, update them accordingly. - Check the updated wasmvm version:
go list -m github.com/CosmWasm/wasmvmand ensure you see 1.5.5, 2.0.4, 2.1.3. - Follow your regular practices to deploy chain upgrades.
To double check if the correct library version is loaded at runtime, use this query:
<appd> query wasm libwasmvm-version. It must show 1.5.5, 2.0.4 or 2.1.3.The patch is consensus breaking and requires a coordinated upgrade.
Acknowledgement
This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.
If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
Timeline
- 2024-08-22: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.
- 2024-08-23: Confio security contributors confirm the report.
- 2024-09-09: Confio developed the patch internally.
- 2024-09-23: Patch is released.
- Database specific
{ "cwe_ids": [], "github_reviewed_at": "2024-12-10T16:55:37Z", "github_reviewed": true, "nvd_published_at": null, "severity": "MODERATE" }- References
-
- https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-vmqh-5232-v43r
- https://github.com/CosmWasm/cosmwasm/commit/108e7dcbf9c21df0fa83f355ad3a7355d7f220cb
- https://github.com/CosmWasm/cosmwasm/commit/edcdbc520d4f5521eed42de6e2869658278e91fd
- https://github.com/CosmWasm/cosmwasm/commit/f63429ca59eb44dd5d780c1572016581337091e4
- https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-008.md
- https://github.com/CosmWasm/wasmvm
Affected packages
crates.io
cosmwasm-vm
Package
- Name
- cosmwasm-vm
- View open source insights on deps.dev
- Purl
- pkg:cargo/cosmwasm-vm
cosmwasm-vm
Package
- Name
- cosmwasm-vm
- View open source insights on deps.dev
- Purl
- pkg:cargo/cosmwasm-vm
cosmwasm-vm
Package
- Name
- cosmwasm-vm
- View open source insights on deps.dev
- Purl
- pkg:cargo/cosmwasm-vm
Go
github.com/CosmWasm/wasmvm/v2
Package
- Name
- github.com/CosmWasm/wasmvm/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/CosmWasm/wasmvm/v2
github.com/CosmWasm/wasmvm/v2
Package
- Name
- github.com/CosmWasm/wasmvm/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/CosmWasm/wasmvm/v2
github.com/CosmWasm/wasmvm
Package
- Name
- github.com/CosmWasm/wasmvm
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/CosmWasm/wasmvm