CVE-2022-31121: Release v2.2.7 · hyperledger/fabric

Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions, if a consensus client sends a malformed consensus request to an orderer, it may crash the orderer node. A fix has been added in commit 0f1835949 which checks for missing consensus messages and returns an error to the consensus client should the message be missing. Users are advised to upgrade to version v2.2.7 or v2.4.5. There are no known workarounds for this issue.


v2.2.7 Release Notes - July 1, 2022

Fixes

orderer - Handle malformed consensus request

If a consensus client sends a malformed consensus request to an orderer it may crash the orderer node.
This fix checks for the malformed consensus request and returns an error to the consensus client.
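The release note describes the shape of the fix but not the code. The following Go program is an added illustration, not Fabric's own code: the `ConsensusRequest` and `ConsensusPayload` types, the handler names and the sample inputs are constructed stand-ins for a protobuf message whose inner payload is optional. It contrasts a handler that assumes the inner message is present (a nil dereference panics, which is how a malformed request can take down a server) with one that validates the request and returns an error to the caller, and adds a `recover` wrapper as defence in depth.

```go
package main

import (
	"errors"
	"fmt"
)

// ConsensusRequest is a constructed stand-in for a request message whose inner
// payload is optional (a pointer/oneof field in protobuf). Not Fabric's type.
type ConsensusRequest struct {
	Channel string
	Payload *ConsensusPayload // nil when the sender omitted the inner message
}

// ConsensusPayload is the constructed inner message.
type ConsensusPayload struct {
	Kind string
	Data []byte
}

var (
	ErrMissingPayload = errors.New("consensus request is missing its inner message")
	ErrEmptyChannel   = errors.New("consensus request has an empty channel name")
)

// handleUnchecked mirrors the pre-fix behaviour: it trusts that the inner message
// is present. A request with a nil Payload makes this panic on the dereference.
func handleUnchecked(req *ConsensusRequest) string {
	return fmt.Sprintf("%s:%s:%d", req.Channel, req.Payload.Kind, len(req.Payload.Data))
}

// handleChecked validates the request first and reports malformed input as an
// error to the client, the pattern the release note describes.
func handleChecked(req *ConsensusRequest) (string, error) {
	if req == nil || req.Channel == "" {
		return "", ErrEmptyChannel
	}
	if req.Payload == nil {
		return "", ErrMissingPayload
	}
	return handleUnchecked(req), nil
}

// serve runs a handler and converts any panic it raises into an error, so one
// bad request cannot terminate the process. This complements, not replaces,
// the explicit validation in handleChecked.
func serve(req *ConsensusRequest, h func(*ConsensusRequest) string) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			out = ""
			err = fmt.Errorf("handler panicked on malformed request: %v", r)
		}
	}()
	return h(req), nil
}

func main() {
	// Constructed inputs: one well-formed request, one with the inner message missing.
	good := &ConsensusRequest{Channel: "mychannel", Payload: &ConsensusPayload{Kind: "step", Data: []byte{1, 2, 3}}}
	bad := &ConsensusRequest{Channel: "mychannel"}

	for _, req := range []*ConsensusRequest{good, bad} {
		out, err := handleChecked(req)
		fmt.Printf("checked:   out=%q err=%v\n", out, err)
		out, err = serve(req, handleUnchecked)
		fmt.Printf("unchecked: out=%q err=%v\n", out, err)
	}
}
```

The checked handler rejects the request before any field of the optional message is touched, which is the only reliable fix; the `recover` wrapper is a backstop that keeps a missed case from crashing the node and also gives the operator a log line to alert on.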

Dependencies

Fabric v2.2.7 has been tested with the following dependencies:

  • Go 1.18.2
  • CouchDB v3.2.2

Fabric docker images on dockerhub utilize Alpine 3.16.

Deprecations (existing)

FAB-15754: The ‘Solo’ consensus type is deprecated.

The ‘Solo’ consensus type has always been marked non-production and should be used
only in test environments. For compatibility it is still available, but it may be
removed entirely in a future release.

FAB-16408: The ‘Kafka’ consensus type is deprecated.

The ‘Raft’ consensus type was introduced in v1.4.1 and has become the preferred
production consensus type. There is a documented and tested migration path from
Kafka to Raft, and existing users should migrate to the newer Raft consensus type.
For compatibility with existing deployments, Kafka is still supported,
but may be removed entirely in a future release.
Additionally, the fabric-kafka and fabric-zookeeper docker images are no longer updated, maintained, or published.

Fabric CouchDB image is deprecated

v2.2.0 added support for CouchDB 3.1.0 as the recommended and tested version of CouchDB.
If an older CouchDB version is used, a warning will appear in the peer log.
Note that CouchDB 3.1.0 requires that an admin username and password be set,
while this was optional in CouchDB v2.x. See the
Fabric CouchDB documentation
for configuration details.
Also note that CouchDB 3.1.0 default max_document_size is reduced to 8MB. Set a higher value if needed in your environment.
Finally, the fabric-couchdb docker image will not be updated to v3.1.0 and will no longer be updated, maintained, or published.
Users can utilize the official CouchDB docker image maintained by the Apache CouchDB project instead.

FAB-7559: Support for specifying orderer endpoints at the global level in channel configuration is deprecated.

Utilize the new ‘OrdererEndpoints’ stanza within the channel configuration of an organization instead.
Configuring orderer endpoints at the organization level accommodates
scenarios where orderers are run by different organizations. Using
this configuration ensures that only the TLS CA certificates of that organization
are used for orderer communications, in contrast to the global channel level endpoints which
would cause an aggregation of all orderer TLS CA certificates across
all orderer organizations to be used for orderer communications.

FAB-17428: Support for configtxgen flag --outputAnchorPeersUpdate is deprecated.

The --outputAnchorPeersUpdate mechanism for updating anchor peers has always had
limitations (for instance, it only works the first time anchor peers are updated).
Instead, anchor peer updates should be performed through the normal config update flow.

FAB-15406: The fabric-tools docker image is deprecated

The fabric-tools docker image will not be published in future Fabric releases.
Instead of using the fabric-tools docker image, users should utilize the
published Fabric binaries. The Fabric binaries can be used to make client calls
to Fabric runtime components, regardless of where the Fabric components are running.

FAB-15317: Block dissemination via gossip is deprecated

Block dissemination via gossip is deprecated and may be removed in a future release.
Fabric peers can be configured to receive blocks directly from an ordering service
node by using the following configuration:

peer.gossip.orgLeader: true
peer.gossip.useLeaderElection: false
peer.gossip.state.enabled: false
peer.deliveryclient.blockGossipEnabled: false

FAB-15061: Legacy chaincode lifecycle is deprecated

The legacy chaincode lifecycle from v1.x is deprecated and will be removed
in a future release. To prepare for the eventual removal, utilize the v2.x
chaincode lifecycle instead, by enabling V2_0 application capability on all
channels, and redeploying all chaincodes using the v2.x lifecycle. The new
chaincode lifecycle provides a more flexible and robust governance model
for chaincodes. For more details see the
documentation for enabling the new lifecycle.

Changes:

  • 7f22e99 Release commit for v2.2.7 (#3504)
  • 80bcc18 Check if inner consensus message is missing
  • e7dc57d Release commit for v2.2.6 (#3488)
  • 862ab4d Add logging for identity, policy, and signature troubleshooting (release-2.2) (#3483) [ #3006 ]
  • b7aaeb8 Fix gossip unit test flake (#3215)
  • 2dc7d5c Bump Alpine to 3.16 (release-2.2) (#3473)
  • 2d286f1 Fixed Found Typos
  • b24f2c0 Add -buildvcs=false for building binaries
  • dd3e96e Update ‘Using Private Data in Fabric’ tutorial (Backport #1875)
  • 61561dd bump Go to 1.18.2 (release-2.2)
  • b17d01a bump golang.org/x/crypto and golang.org/x/tools (release-2.2) (#3436)
  • 21e522b bump go-dockerclient (release-2.2) (#3435) [ #2338 ]
  • df783d6 Remove duplicated line
  • eabe68b Fix some errors in the tutorial
  • 4f61890 Bump CouchDB to 3.2.2 (release-2.2)
  • 8be2067 Fix mistake change ‘curl’ to ‘git’
  • 2deacba Fix doc to handle $PWD containing whitepaces
  • 6a1071e Update README build badge link
  • fa43e61 Update links for Jira to GitHub issue transition in README
  • 4b1bfbf Update boostrap.sh for test network
  • e728001 Update documentation to include Go SDK
  • 449ef0a Fix link to security bug reporting process (#2160)
  • 2f4eb7f Update “master” branch references to "main".
  • 09393f6 Update chaincode language parameter name
  • ed67dbe Fix hyperlink
  • 61d5840 Fix warning log printing
  • 578a648 Properly handle concurrent building of chaincode packages
  • cfbb980 Documentation: Update network (Key Concepts) page
  • 0d79dd2 certs mgmt guide (#3307)
  • 0132f2a Additional TLS troubleshooting information (#3346)
  • 4ab9059 Ignore channel double creation during replication. [ #2931 ]
  • e2f05e6 Ignore expired CA/TLS CA certs on msp init (#3238) (#3249) (#3255)
  • 68b6b90 Fix FAB-18528: remove panic in ifConfig func (#2828)
  • f7318ff Release commit for v2.2.5
  • c04cd7d Bump Go to 1.17.5 (release-2.2) (#3186)
  • 4996e82 - Fix failure to generate all possible combinations (backport #3132) (#3150)
  • 162f867 Add Information about AWS HSM
  • fcdc0b5 Backport setEvent information to 2.2 [ #2958 ]
  • acf88a0 [Backport] #2936 to release-2.2 (#2953)
  • eddb470 Unit test flake when rpc server stream not closed (backport #2935) (#2942)
  • 19a137b Fix broken links for international workgroups (#2920)
  • 2088b5f Update docs for Jira to GitHub issue transition
  • 263ca9e Release commit for v2.2.4 (#2901)
  • 029e6ed Fixed a typo in private_data_tutorial
  • 1eedcff Update Go to v1.16.7 and alpine to 3.14 (release-2.2)
  • 851f838 Fix process termination waits in health tests (#2889)
  • e6a6a61 platform/golang: loosen assertion for Go 1.16.2 (release-2.2)
  • ba2a9f1 deps: bump testify (release-2.2) (#2886) [ #2336 ]
  • 50064c8 Update x509.CertPool equality checks (#2880)
  • f441ba2 Change name of test network docker network in 2.2
  • 859c7d5 Clean up Go modules (release-2.2) (#2876)
  • 07ac9f5 Stop spamming for wait channel acquirement in orderer integration test
  • b076bd7 Options for GRPC message size configurable
  • c91b546 Change name of comm msg size default consts
  • da9e1bd Refactor max message sizes in comm client config
  • fbf7b93 FAB18529 added nil check in channel header parsing
  • 9a6b351 Additional documentation for implicit private data collections
  • 8fd2ad8 [FAB-18509] Stop panic of collection index path is wrong (#2726) (#2744)
  • 62c68d1 Updated enrollUser function in write_first_app Doc (#2713)
  • a0dcb5c Update docs to clarify that an implicit collection can not have an index
  • 2f7fd17 Fixed grammatical errors
  • f36fe03 [Doc-Update] + What is a commercial paper section
  • 8b1d355 Fix a typo in CouchDB tutorial
  • 4c77749 Fix typo
  • f3f170f Fix peerchaincode.md as well
  • 30a0931 Add explanation of --ctor JSON string
  • b926247 Clarify orderers seeing the transaction data
  • f4feedb Cherry pick deploy CC fixes into release-2.2
  • 68bc522 Clarify “identity expired” error messages (#2685) (#2688)
  • 3a69034 Fix spelling mistakes in the Github Contributions page
  • ccecf10 [FAB-18484] Return transaction forwarding result back to the client synchronously
  • 7e61944 [FAB-18487] Update broken link in 2.2 branch
  • 186d9bf Typo fix in peer deployment guide in main (#2660)
  • 31e41ce Update private_data_tutorial.rst
  • 4cb453e Fix jq commands in create channel tutorial (#2662)
  • 8851da3 Back port 2023 - skip empty ledge and 2635 - RetrieveBlockByNumber (#2648) [ #2023, #2635 ]
  • cc50451 Clarify doc for readset validations (#2647) (#2655)
  • 3548215 Update secured_private_asset_transfer_tutorial.md
  • 56b3689 [FAB-18479] Log error if orderer can’t forward SubmitRequest to Raft leader
  • dd7e921 fix duplicate entry in code snippet
  • 7871c26 Optionally disable gossip block forwarding (#2606)
  • bce75cf Update docs/source/upgrade_to_newest_version.md
  • 678523b Govendor added to documentation
  • 26b45ca Deploy a chaincode to new channel command issue
  • 3f2158a Improve error message for invalid consenter cert (#2587)
  • 94ace65 v2.2.3 release commit
  • d272122 Cherry pick removing duplicate word (#2523)
  • 222fbc8 Add Security Model topic to docs
  • 8116872 Fix link in international_languages.md
  • 496c5f5 integration: PKCS#11 SKI to CKA_ID mapping test
  • d2d031e pkcs11: Add SKI to CKA_ID mapping for BCCSP [ #11 ]
  • 7214be7 Prevent race that occurs after test timeout
  • 6adcbce integration: backport chaincode_server_test
  • 8843223 Back-fill tests for externalbuilder.Duration
  • 796f760 This commit upgrades goleveldb. This upgraded version includes a fix for [ #2463 ]
  • fae13c3 Report correct reason of stream abort in orderer cluster
  • 2b2e154 Log stream total lifetime
  • 100a7e7 corrected organization labels
  • 6320aed corrected Org1 text in Org2 box to Org2
  • 8d0645b Update build to use Go 1.15
  • 6cb530b Change string cast of int value to rune cast
  • d539244 Directives are in comment text instead of groups
  • a1b4d2d Implement legacy name constraints verification
  • 4321503 Add test to assert on name constraint behavior
  • 880914c Re-encode ECDSA CRL signature during MSP setup
  • 8883d71 Add test to exercise signature validation change
  • cb3c87b deps: bump github.com/pkg/errors
  • f635afd Adjust etcdraft error assertions for go 1.15
  • 5f19a00 Replace test cert fixtures with generated certs
  • aa7ad4f Set SKI, support multi hosts, add Signer to CA
  • 684e255 Fix typos in a “Developing Applications” doc
  • 358cba7 Update AZP Service Connection Name
  • 913d2ab Prepare for next release v2.2.3 (#2347)
  • eb2b1ea Add peer log message for failure to invoke chaincode (#2339)
  • 0583c22 Add test newtork download instructions to create a channel tutorial
  • bebb75f v2.2.2 release commit
  • a80c772 Add release notes for v2.2.2 (#2232)
  • 1de0825 Fix the issue of Nil/Zero-length-byte-array value (#2310)
  • e5ecdef Remove system channel from Test Network tutorial
  • c25eb86 [FAB-15648] document update: Non-TLS orderer with etcdraft usage (#1678)
  • a861c00 cherry pick test network doc chaincode deployment fix
  • 10c7839 Remove unreachable and unnecessary code in gossip membership (#2295)
  • 6805515 Orderer deployment tutorial update
  • fba5d90 [doc] fix broken link
  • 48bad48 [FAB-18170] Endorsement policy page discusses NodeSDK
  • ee8fcfc [FAB-18392] Clarify scope and limitations of test network
  • 90326b8 [FAB-18252] Documentation should reference Java chaincode support
  • 813be7f Remove anchor peers from configtx.yaml tutorial (#2257)
  • 11526cf Cherry pick org3 edits to release-2.2 branch (#2256)
  • 5953056 Split command in “add an org to network” tutorial
  • 91d9621 Add more details to logging specification examples
  • 7b1dbf1 Update image filter used by integration tests
  • 2a8d96c Remove Short Names and Replace With Full Path in Fabric
  • b2a5aec Check correct error
  • 73b39dc [FAB-18378] Log warning when peer is lagging behind and cannot catch up
  • d5d9965 [FAB-17039] Skip retrieving pvtdata from transient store when txid is missing (#2183) (#2201)
  • 3496dfc [FAB-17954] Document CouchDB JSON determinism (#2187)
  • 26cbec6 [FAB-18323] CherryPick: remove ephemeral from BCCSP SW options (#1553)
  • db9a56f Fixes Hardened to Hardware
  • a381654 remove repeated the
  • bbaa5b8 update private-data sample instruction for Asset owner string
  • 82b4566 Remove reference to first-network
  • 0a1fc23 [FAB-17727] Log warning if system channel has no consortium members (#2149)
  • 935a5c2 Deploy production ordering service doc
  • c928359 Add release note for RSA CA changes
  • 50ca5d4 Add integration test for MSPs with RSA CA certs
  • b3646e5 Restore RSA support for x509 public key import
  • 4026413 Add check for invalid key before hitting couchdb (#2133) (#2135)
  • b8a095f Add persistent volume note to peer deploy guide
  • bf2ebb6 [FAB-18298] Default cluster cert and key (#2119)
  • cae9a63 Update Go to 1.14.12
  • b247ed4 Revert "Allow BCCSP config to be set using env var (#1900)"
  • d1b4524 Update Jira instructions in contributing guide
  • d1730da Cherry pick [FAB-18290] Add channel name to pvtdata reconciler log msgs (#2091)
  • 99c2d12 Deduplicate orderer server TLS root CAs
  • 1e15b64 Log TLS handshake duration
  • 9c5b283 FAB-18244 single node catches up with snapshot (#1964) (#2021)
  • 09234c0 Remove common name from private data doc
  • 5a37306 Fixed TLS certs validation for consenters (release-2.2) (#2005) [ #1888 ]
  • 6f3ad12 [FAB-18270] Disable debug of CouchDB response body
  • 4d40d65 Peer deployment guide
  • 70c41c1 Update help text in test net tutorial
  • 8930c8c Fix Node OU error message
  • ab7104a Update release docs
  • 4a63642 Cherry pick private data tutorial rebase
  • e36ca29 Add Troubleshooting topic to Test Network for Docker Desktop setting
  • e05c443 Allow tick interval override via orderer.yaml
  • 32cb396 Fix chaincode lifecycle tutorial invoke
  • ceb23df Always Finalize the PKCS11 FindObject Operation
  • 2d59f18 Corrected to capitalized function names.
  • 6a370f7 Fix table width issue
  • f2e9e6e Allow BCCSP config to be set using env var (#1900)
  • 6bd0699 Exercise a full end-to-end flow with PKCS11 (#1717)
  • 0b3b95f removed unused variable
  • bf0b300 [FAB-17129] Configure peer and orderer to use PKCS#11 as BCCSP in integration test
  • 8407bc8 Prepare for next release v2.2.2
  • 74ac27c Add two and three digit publishing
  • 344fda6 Release commit for v2.2.1
  • bebb5d8 Cherry pick secured asset transfer tutorial to 2.2
  • ba9eaff [FAB-18041] Add Node.js to CC as external service
  • 107a867 Remove No Longer Relevant Release Note
  • 99a01b2 Update release notes with FAB-18250
  • 7b7ad6b Fix missing word
  • f9f3caf Add change in documentation to explain how to add collaborators in translation
  • 61c05b8 [FAB-18250] Check Error Before Returning Session to Pool (#1937)
  • 765bb73 Remove escc and vscc from list of system chaincodes
  • 9906643 Update v2.2.1 release notes with latest fixes
  • c5cf627 Fix empty address in peer CLI ClientWait log
  • 75046cf Remove GetSessionInfo Call
  • 2e4527b Bug Fix: Saving big payloads by cache CouchDB (#1909)
  • fe684f8 Fix flakey raft/cft integration test
  • e2fa653 Add release notes for v2.2.1
  • 6b1ac6f [FAB-18237] always update stateInfo message upon chaincode update
  • f32cb81 Bugfix in collection config history mgr (#1904)
  • 3ee47a7 fix function name typo in store private data command
  • ffcbf25 Clarify tlsHandshakeTimeShift CLI help text (#1894)
  • 673c364 Correct the explanation for signcerts in Membership section
  • 68d13ed Update write_first_app.rst
  • dc8660b Regenerate peer CLI docs
  • 6c9abf9 Peer CLI communicate with orderers with expired TLS certs (#1863)
  • 6f76408 Bump fabric-config dep to 0.0.7
  • c5c1105 address review comments (#1890) (#1893)
  • a5a6acd pass unreconciled missing pvtdata to pvtdata store (backport to release-2.2) (#1886)
  • ee2bc1b pass unreconciled missing data info to ledger from reconciler (#1797)
  • bc00758 construct unreconciled missing pvtdata (#1699)
  • e500de9 deprioritize unreconcilable missingPvtData (#1721)
  • 10cb4ea mv oldpvtdata commit to separate file
  • 7eaead1 refactor pvtdatastore
  • 659fe39 Adding notes for the usage of script during samples install
  • 2d895c4 [FAB-18208] Do not sign gossip message if membership is empty
  • 42da963 Convert Azure Pipeline To Stages (#1874)
  • 6a02559 Fix data race in gossip/discovery test
  • 7dcd9fd Minor doc fix to clear Sphinx local build error
  • 09764d8 fix missing err check in the block commit path (#1543)
  • cc6dc99 minor cleanup of pvtdatastore
  • 20f0697 reset leveldb batch after the commit
  • bebe131 Use directly leveldb batch (#1507)
  • 99332da [FAB-18194] Fix service discovery for legacy installed chaincodes
  • 0bd0ab2 Update RTD Placeholder
  • ef2632e [FAB-18191] Remove contents of leveldb dir instead of the dir itself when dropping dbs (#1828)
  • 8dae484 [FAB-18120] Adding DevMode integration test for new lifecycle.
  • 9da753a [FAB-18169] Add DevMode support in ChaincodeEndorsementInfoSource
  • 8bbedb8 Revert "[FAB-18183] Bump sphinx in requirements.txt to v1.8.5"
  • bf8f6fc [FAB-18188] Log orderer and peer cert expiration date upon startup (#1804)
  • 0e52fff [FAB-18171] Disregard certificate validity period in intra-orderer communication
  • 445b997 [FAB-18183] Bump sphinx in requirements.txt to v1.8.5
  • 2fc575c Cache bccsp keys generated from getECKey
  • 7b8de81 Add object handle cache to PKCS#11 bccsp provider
  • bf2f3fc Make ecPoint a method on impl
  • 2a22160 Make findKeyPairFromSKI a method on impl
  • 86a5c64 Replace loadLib with initialize method
  • 8a63732 Merge pkcs11/impl.go and pkcs11/pkcs11.go
  • f47ac7d Drain session pool before creating new sessions
  • 4fd232e Add instructions for how to use @Mergifyio backport command
  • 2d522b5 Update Add an Org to a Channel tutorial
  • 2813aba Updates to CouchDB doc tutorial
  • 4919fa7 Updated Using CouchDB to use asset transfer ledger queries smart contract
  • 64c7600 Update Channel Update (Adding an Org) tutorial
  • 7d6bb0f Update docs to replace fabcar references with basic asset transfer
  • 1450e3c Add links for Go and Java sample applications
  • b8b7af7 Refactor tutorial to ‘Writing Your First Chaincode’
  • 14ad1d7 [FAB-18109] Update peer chaincode invoke
  • e042657 Fix code snippet display (#1759)
  • 9783edb Write Your First App tutorial updates (#1757)
  • 9563518 Update “Deploying a smart contract” tutorial. (#1756)
  • 417bcd4 Update “Using the Fabric Test network” tutorial (#1755)
  • 0b598c4 Update Write Your First Application Tutorial (#1754)
  • c4e310d Remove Use of Manifest Tool
  • 5f16da8 Update RTD to Target Correct GH Release Branch
  • 6491f6a Fix and improve discovery TLS authentication comments in document

This list of changes was auto generated.

Related news

GHSA-72x4-cq6r-jp4p: Improper Input Validation in orderer/common/cluster consensus request

### Impact

If a consensus client sends a malformed consensus request to an orderer it may crash the orderer node. This fix checks for the malformed consensus request and returns an error to the consensus client.

### Patches

Fixed in v2.2.7 and v2.4.5.

### Workarounds

None, users must upgrade to v2.2.7 or v2.4.5.

### References

https://github.com/hyperledger/fabric/releases/tag/v2.2.7
https://github.com/hyperledger/fabric/releases/tag/v2.4.5

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Hyperledger Fabric repository](https://github.com/hyperledger/fabric/issues)

### Credits

Thank you to Haosheng Wang of OPPO ZIWU Security Lab for this disclosure.