Headline
CVE-2022-39199: Release v1.4.1 · codenotary/immudb
immudb is a database with built-in cryptographic proof and verification. immudb client SDKs use the server's UUID to distinguish between different server instances, so that a client can connect to several immudb instances and keep a separate state for each of them. The SDK does not validate this UUID and accepts any value reported by the server. A malicious server can change the reported UUID, tricking the client into treating it as a different server and thus accepting a state completely unrelated to the one previously retrieved from that server. This issue has been patched in version 1.4.1. As a workaround, a custom state handler can be used to store the state when initializing an immudb client object; a custom implementation that ignores the server UUID ensures that, even if the server changes its UUID, the client will still consider it to be the same server.
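As an added illustration (not code from the immudb SDK, whose cache and state-service APIs are not reproduced here), the following Go snippet contrasts a state cache keyed only by the server-reported UUID, the behaviour described above and in the advisory text below, with one that pins the UUID to an identity the client controls, in the spirit of the workaround and of the server identity validation listed in the 1.4.1 changelog. The State type, the cache names and the dialed address used as identity are constructed for the example.

```go
package main

import "errors"

// State stands in for the client's stored verified state; constructed here, not immudb's type.
type State struct {
	TxID uint64
	Root string
}

var ErrIdentityMismatch = errors.New("server UUID changed for a known server identity")

// NaiveCache keys state only by the server-reported UUID (pre-1.4.1 behaviour):
// a server that changes its UUID simply gets a fresh, empty state to verify against.
type NaiveCache map[string]State

func (c NaiveCache) Get(serverUUID, db string) (State, bool) {
	s, ok := c[serverUUID+"/"+db]
	return s, ok
}

func (c NaiveCache) Set(serverUUID, db string, s State) { c[serverUUID+"/"+db] = s }

// PinnedCache keys state by an identity the client controls (the address it dialed)
// and pins the UUID first seen for it; any later change is an error, not a fresh start.
type PinnedCache struct {
	uuids  map[string]string // identity -> first UUID seen
	states map[string]State  // identity/db -> state
}

func NewPinnedCache() *PinnedCache {
	return &PinnedCache{uuids: map[string]string{}, states: map[string]State{}}
}

// CheckIdentity is called with the server-reported UUID before Get or Set.
func (c *PinnedCache) CheckIdentity(identity, serverUUID string) error {
	if known, ok := c.uuids[identity]; ok && known != serverUUID {
		return ErrIdentityMismatch
	}
	c.uuids[identity] = serverUUID
	return nil
}

func (c *PinnedCache) Get(identity, db string) (State, bool) {
	s, ok := c.states[identity+"/"+db]
	return s, ok
}

func (c *PinnedCache) Set(identity, db string, s State) { c.states[identity+"/"+db] = s }
```

With the naive cache a UUID change yields no stored state, so the next proof is checked against nothing; with the pinned cache the same change is rejected and the previously verified state is preserved.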
Release notes
We're pleased to announce a new version of immudb: 1.4.1. This is a smaller maintenance release that fixes important issues discovered in the previous 1.4.0 release.
Important issues fixed
Along with this release, the Go SDK for immudb comes with fixes for two security vulnerabilities (CVE-2022-36111 and CVE-2022-39199) that we discovered through an internal security review. These vulnerabilities only affect the client SDK that is part of the immudb release; for that reason, make sure that the most recent Go SDK version is used in your application.
More information about these vulnerabilities can be found in the following advisories:
- GHSA-672p-m5jq-mrh8
- GHSA-6cqj-6969-p57x
Small improvements
Besides these important fixes, this release also comes with an improved naming convention for replication options and an option to reset the admin password without knowledge of the previous one. Such a password reset is helpful if the admin password is lost, and it can also be used to ensure that a correct admin password is set in cloud deployments such as Kubernetes.
Changelog
[v1.4.1] - 2022-11-16
Bug Fixes
- Change replication-related terms in codebase
- Change replication-related terms in tests
- cmd: Rename replication flags to follow consistent convention
- cmd/immudb: Better description of the --force-admin-password flag
- cmd/immudb: Fix description of the force-admin-password flag
- embedded/appendable: fsync parent directory
- embedded/appendable: fsync parent folder in remote appendable
- pkg: Rename replication-related fields in GRPC protocol
- pkg/client: Delay server identity validation
- pkg/client/cache: Add methods to validate server identity
- pkg/client/cache: Validate server’s identity
- pkg/server: Remove includeDeactivated flag when querying for users
- pkg/server/servertest: Add uuid to buffconn server
- pkg/server/servertest: Fix resetting grpc connection
- test/perf-test-suite: Avoid dumping immudb logo on perf test results file
- test/performance-test-suite: Ensure results are shown after proper is finished
- verification: Additional Linear proof consistency check
- verification: Recreate linear advance proofs for older servers
Changes
- pkg/server: Add logs for activities related to users
- ci: migrate deprecating set-output commands
- cmd/immudb: Allow resetting sysadmin password
- docs/security: Be less specific about package version in examples
- docs/security: Add resources for the linear-fake vulnerability
- embedded/appendable: sync directories
- embedded/store: Disable asynchronous AHT generation
- embedded/store: Remove AHT Wait Hub
- pkg/client: Document WithDisableIdentityCheck option
- pkg/client/cache: Describe serverIdentity parameter
- pkg/client/cache: Limit the hash part of the identity file name
- pkg/client/state: Cleanup mutex handling in StateService
- pkg/server: Warn if sysadmin user password was not reset
- pkg/server: Better warning for unchanged admin password
- test/performance-test-suite: Add summary to json output
Features
- ci: fix message and input
- ci: add runner name to mattermost message header
- ci: simplify results extraction
- ci: extract performance tests into separate workflow to be reused
- ci: add scheduled daily test runs and send results to Mattermost
- pkg/replication: Disable server’s identity check in internal replication
Downloads
Docker image
https://hub.docker.com/r/codenotary/immudb
immudb Binaries
immuclient Binaries
immuadmin Binaries
Related news
### Impact

immudb client SDKs use the server's UUID to distinguish between different server instances, so that a client can connect to several immudb instances and keep a separate state for each of them. The SDK does not validate this UUID and accepts any value reported by the server. A malicious server can change the reported UUID, tricking the client into treating it as a different server and thus accepting a state completely unrelated to the one previously retrieved from that server.

### Patches

The following Go SDK versions are not vulnerable:

| **SDK** | **Version** |
|-------|------------|
| [go](pkg.go.dev/github.com/codenotary/immudb/pkg/client) | 1.4.1 |

### Workarounds

When initializing an immudb client object, a custom state handler can be used to store the state. A custom implementation that ignores the server UUID ensures that, even if the server changes its UUID, the client will still consider it to be the same server.

### For more information

If you have any ques...

### Impact

In certain scenarios a malicious immudb server can provide a falsified proof that will be accepted by the client SDK, signing a falsified transaction that replaces the genuine one. This situation cannot be triggered by a genuine immudb server and requires the client to perform a specific sequence of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs; the immudb server itself is not affected.

### Detailed description

immudb uses a Merkle Tree enhanced with an additional linear part to perform consistency proofs between two transactions. The linear part is built from the last leaf node of the Merkle Tree, compensating for transactions that were not yet consumed by the Merkle Tree calculation. The Merkle Tree part is then used to perform proofs for transactions in the range covered by the Merkle Tree, whereas the linear part is used to check those not yet in the Merkle Tree. Whe...