CVE-2022-36023: Release v2.4.6 · hyperledger/fabric

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. If a gateway client application sends a malformed request to a gateway peer it may crash the peer node. Version 2.4.6 checks for the malformed gateway request and returns an error to the gateway client. There are no known workarounds, users must upgrade to version 2.4.6.

v2.4.6 Release Notes - August 8, 2022

Fixes

orderer - Fix active nodes metric

Fix active nodes metrics for etcdraft ordering service when a node is evicted.

peer - Handle malformed gateway request

If a gateway client sends a malformed request to a peer it may crash the peer node.
This fix checks for the malformed request and returns an error to the gateway client.

Improvements

Make chaincode-as-a-service (ccaas) builder available in all release distributions

The chaincode-as-a-service (ccaas) builder executables for build, detect, and release are now available in the Fabric release tar at builders/ccaas/bin.

Dependencies

Fabric v2.4.6 has been tested with the following dependencies:

  • Go 1.18.2
  • CouchDB v3.2.2

Fabric docker images on dockerhub utilize Alpine 3.16.

Deprecations (existing)

Ordering service system channel is deprecated

v2.3 introduced the ability to manage an ordering service without a system channel.
Managing an ordering service without a system channel has privacy, scalability,
and operational benefits. The use of a system channel is deprecated and may be removed in a future release.
For information about removal of the system channel, see the Create a channel without system channel documentation.

FAB-15754: The ‘Solo’ consensus type is deprecated.

The ‘Solo’ consensus type has always been marked non-production and should be
used only in test environments. For compatibility it is still available, but it
may be removed entirely in a future release.

FAB-16408: The ‘Kafka’ consensus type is deprecated.

The ‘Raft’ consensus type was introduced in v1.4.1 and has become the preferred
production consensus type. There is a documented and tested migration path from
Kafka to Raft, and existing users should migrate to the newer Raft consensus type.
For compatibility with existing deployments, Kafka is still supported,
but may be removed entirely in a future release.
Additionally, the fabric-kafka and fabric-zookeeper docker images are no longer updated, maintained, or published.

Fabric CouchDB image is deprecated

v2.2.0 added support for CouchDB 3.1.0 as the recommended and tested version of CouchDB.
If a prior version is utilized, a warning will appear in the peer log.
Note that CouchDB 3.1.0 requires that an admin username and password be set,
while this was optional in CouchDB v2.x. See the
Fabric CouchDB documentation
for configuration details.
Also note that CouchDB 3.1.0 default max_document_size is reduced to 8MB. Set a higher value if needed in your environment.
Finally, the fabric-couchdb docker image will not be updated to v3.1.0 and will no longer be updated, maintained, or published.
Users can utilize the official CouchDB docker image maintained by the Apache CouchDB project instead.

FAB-7559: Support for specifying orderer endpoints at the global level in channel configuration is deprecated.

Utilize the new ‘OrdererEndpoints’ stanza within the channel configuration of an organization instead.
Configuring orderer endpoints at the organization level accommodates
scenarios where orderers are run by different organizations. Using
this configuration ensures that only the TLS CA certificates of that organization
are used for orderer communications, in contrast to the global channel level endpoints which
would cause an aggregation of all orderer TLS CA certificates across
all orderer organizations to be used for orderer communications.

FAB-17428: Support for configtxgen flag --outputAnchorPeersUpdate is deprecated.

The --outputAnchorPeersUpdate mechanism for updating anchor peers has always had
limitations (for instance, it only works the first time anchor peers are updated).
Instead, anchor peer updates should be performed through the normal config update flow.

FAB-15406: The fabric-tools docker image is deprecated

The fabric-tools docker image will not be published in future Fabric releases.
Instead of using the fabric-tools docker image, users should utilize the
published Fabric binaries. The Fabric binaries can be used to make client calls
to Fabric runtime components, regardless of where the Fabric components are running.

FAB-15317: Block dissemination via gossip is deprecated

Block dissemination via gossip is deprecated and may be removed in a future release.
Fabric peers can be configured to receive blocks directly from an ordering service
node and not gossip blocks by using the following configuration:

peer.gossip.orgLeader: true
peer.gossip.useLeaderElection: false
peer.gossip.state.enabled: false
peer.deliveryclient.blockGossipEnabled: false

FAB-15061: Legacy chaincode lifecycle is deprecated

The legacy chaincode lifecycle from v1.x is deprecated and will be removed
in a future release. To prepare for the eventual removal, utilize the v2.x
chaincode lifecycle instead, by enabling V2_0 application capability on all
channels, and redeploying all chaincodes using the v2.x lifecycle. The new
chaincode lifecycle provides a more flexible and robust governance model
for chaincodes. For more details see the
documentation for enabling the new lifecycle.

Changes:

  • 8359607 Fix binary package creation
  • c9c60fd Release commit for v2.4.6.
  • 468332c Prevent peer from failure on malformed proposal
  • 7c12fa6 Extra checks for invalid args in gateway api
  • 84e8b3b fix path for make dir CCAAS Builders
  • eb6b172 Add -buildvcs=false for ccaasbuilder (#3556) [ #3315 ]
  • aa2aaa6 CCAAS Builders
  • 0d584c4 Fixed active nodes metrics for etcdraft when a node is evicted. Instead of being frozen we set it to 0 once halt is called. Tests. (#3536)
  • 7e2a6b9 Release commit for v2.4.5 (#3505)
  • 0f18359 Check if inner consensus message is missing
  • 1473eca Release commit for v2.4.4 (#3487)
  • 6f4282b Fix gossip unit test flake (#3215)
  • a914ec3 Bump Alpine to 3.16 (release-2.4) (#3472)
  • 8ffd334 Locate correct block number for transaction ID in ChaincodeEvents (#3289)
  • f64eea2 Refactor of ChaincodeEvents service implementation to support resume (#3283)
  • 02d63c3 Add -buildvcs=false for building binaries
  • 60638b5 Improved gateway error for transient data failure [ #3328 ]
  • a6947fa Use any peer to evaluate system chaincode transactions (#3447)
  • 135c268 Improve response mismatch logging
  • 29fea4f Log proposal response differences (backport #3420)
  • 4c6ef91 Bump CouchDB to 3.2.2 (#3369)
  • c8f83e4 caas review comments
  • 3c2c2f8 no mdash char supported
  • 24e6f34 new caas page
  • 6588ed2 Bump Go to 1.18.2 (#3423)
  • e5ad0ef Update chaincode language parameter name
  • ffbd37b Fix hyperlink
  • 566a1a6 Fix warning log printing
  • ae316aa Properly handle concurrent building of chaincode packages
  • 37cca19 Update cc_service.md (#3355) (#3366)
  • 1c97ab1 Node 16 and v1.4 libraries (#3357)
  • f6e8336 certs mgmt guide (#3307)
  • f614fb5 Additional TLS troubleshooting information (#3346)
  • 1fb499a Handle empty policies when traversing the policy tree in discovery policy analysis (#3335)
  • 0396bf9 Ignore channel double creation during replication. [ #2931 ]
  • 458345a Add in the CCAAS builders to the tgz package
  • 9711fb5 Release commit for v2.4.3
  • 47dd17a Ignore expired CA/TLS CA certs on msp init (#3238) (#3249) (#3252)
  • c89ba60 Gateway support for mutual TLS networks (#3235)
  • 602f4c6 remove commercial paper references
  • 80dbf8e Add Intermediate CA certs to dial options (#3225) (#3226)
  • fad7f69 Release commit for v2.4.2
  • 0e9cdb2 Address windows platform in documentation [ #2993 ]
  • 63a7779 Bump Go to 1.17.5 (release-2.4) (#3182) [ #3114 ]
  • e24c332 Refactor gateway Endorse() method
  • e7cb726 Close connections to stale ordering nodes
  • e1ed78f Fix failure to generate all possible combinations (#3132)
  • af5d5df v2.4.1 release commit
  • ef5ac00 Update ‘Running a Fabric Application’ tutorial for Fabric Gateway
  • 3580b4e Reduce CPU&memory cost of collecting endorsements
  • fbfdc1d Enable gateway concurrency limits
  • 1f87709 Remove discovery.acl principal warning [ #3006 ]
  • e0bb139 Adding a dedicated external builder
  • 654a02b Fix channel config callback in gateway
  • abf5d30 Final peer for gateway (#3091) (#3095)
  • 2d8d7f4 Randomize endorsement layouts
  • 29d1e21 Network and Orderers for gateway
  • a95a8e7 latest PR review comments
  • 41b6586 v2.4.0 release commit (#3078)
  • 4f4e096 Update v2.4.0 release notes
  • f15b4ee Add command reference doc for ledgerutil
  • 45707ac Add read version to the example in read-write set
  • b0de139 Add logging for identity, policy, and signature troubleshooting
  • 1266978 Clarify v2.x upgrade docs (#3083)
  • 6a7cdd0 Refine Gateway gRPC error status codes (#3075)
  • 40fea67 goimports updates to prepare for Go 1.17 (#3070)
  • c14239c Add gateway ref to private data doc topic
  • a6a9fde EndorsementTimeout should apply to each endorser
  • bd1aaae Reference current application APIs in peer event service docs
  • 91951d0 Log the transactionID in all log messages
  • 2abb074 Remove redundant SDK documentation page
  • a1c13d8 Updates to endorser and gateway logging
  • 34dcb8d Update protobuf definitions
  • 5c2e358 Enhance gateway error logic
  • 5014709 docs: fixing some typos
  • dee44d9 Don’t use EndorseResponse.Result field (#3051)
  • c463b32 Fix CI script syntax
  • 44faa13 Enable unaware threshold signature endorsement
  • 8a4c7f3 Update Contract and Application API docs for Fabric Gateway (#3048)
  • 91d7b7c Updates to Gateway doc topic (#3047)
  • 6a415ee collection singular
  • e3abd66 use member of a collection
  • da935d7 Gateway overview edited
  • 9c5e1df Clarify ProcessProposal error handling (#3044)
  • f089b24 Reword evaluate() error message
  • 688d4d2 Add extra info to error message
  • 6926cc1 no gateway via cli - tutorials (#3037)
  • cdc342e Add gateway architecture page to docs
  • 534b1c1 Use correct timeout option (#3032)
  • d67d421 Show what do not match (#3012)
  • 5113aa9 Better gRPC error on context error from CommitStatus service
  • 62fb4c0 Update transaction flow doc for peer gateway
  • 40f90c1 Fix typo in comment (#3016)
  • 45f4dcb Add chaincode err message to Evaluate err message
  • 42c99e0 Add documents for new options of calculatepackageid
  • b1c9d43 Add -O json option to calculatepackageid
  • ee18f9d Return package ID without any prefix by default for calculatepackageid
  • 843ff14 Update Sphinx to v1.8.2
  • 70ace58 Add integration tests for calculatepackageid command
  • abdb330 Add explanation of stringArray
  • 89da86e Reword duplicate error message
  • d8ee1b4 Don’t close connection if already closing
  • 31bc120 Retry logic for evaluate
  • 7ebb704 Add documents for calculatepackageid command
  • 3e433d4 Add calculatepackageid command
  • 9ef778a Move to better IsAbs Implementation (#3000)
  • 0f08904 Gateway endorsement retry logic
  • b4c2731 fix windows SyncDir issue
  • c90d50a Bump babel from 2.3.4 to 2.9.1 in /docs
  • 0f904bb Adjusted from review comments
  • 3914549 install-fabric.sh script - updated version of bootstrap.
  • 3574d8b Check the package name on core/ledger/kvledger UT (#2987)
  • 2ede756 Extra info in log message (#2982)
  • 755ba79 set TestBlockPullerBadBlocks pullblock wait time (#2975)
  • b3cf25e Improve health checker docs
  • 6897c80 Update developer environment (#2977)
  • 21e4914 Rename EndpointError to ErrorDetail (#2974)
  • b52f776 Add clarifications to dev env versions in doc
  • 7d51df1 docs: Use html_style property instead of add_stylesheet()
  • 6656f72 Evaluate() error response for node chaincode
  • 0625b10 Rename persistent_msgs to persistance to avoid protobuf conflict
  • c8a6c43 Sort chaincode interests in tests (#2966)
  • 7124587 Add unittest of writing multiple blocks for BlockWriter
  • d0b32ed Add unittest of writing config block synchronously for BlockWriter
  • 295853b Write config blocks synchronously in Orderer
  • 9636332 Refactor idemix implementation (#2955)
  • 4b9ef57 Fix the project status to ‘Graduated’ instead of ‘Active’
  • de9a64d docs: Add the path of softhsm2.conf for macOS
  • e66c951 Improve error messages when no endorsers found (#2963)
  • c62034e Add Information about AWS HSM
  • 0d13aa6 Update links for Jira to GitHub issue transition in README
  • cf341ee Improve an error message in InstallChaincode
  • 3a93662 Randomize selection of orderer nodes with retry (#2951)
  • 210d20f Improve wording of log message
  • 83cabf2 correct logger labels after cloning block puller.
  • f97177c Cache channel orderers in registry
  • f9027a4 docs: Don’t apply the syntax highlighting of python
  • 70ff46a Unit test flake when rpc server stream not closed (#2935)
  • 0545ac8 Fixed Found Typos
  • aa8d06b Do not create new chain of type etcdraft.Chain if such exists in map of chains. This can happen when in Raft protocol a channel was created, but not marked as done in WAL logs, so at orderer startup it will try to rerun creation tx and panic because the channel already exists.
  • 8999ce7 Apply the style only the key in readwrite.rst (#2933)
  • 1243e99 Fix the result message in test_network.md [ #394 ]
  • 8767ced Fix broken links for international workgroups (#2920)
  • 85a67f8 Implement DisregardNamespacePolicy for gateway
  • 3594a3b Update docs for Jira to GitHub issue transition
  • a395f3b updated chaincode4ade.rst(“Writing your first chaincode”) showing good practise on how to achieve determinism in json
  • b735309 Updates in main for v2.3.3
  • e55a388 Minor code clean-up in Gateway ChaincodeEvents handling (#2899)
  • beb8f5d Implement chaincode event replay for Fabric Gateway (#2896)
  • dd539d3 Refactor ChaincodeEvents to use ledger iterator (#2891)
  • b1d7538 Private Data Comparison [ #2818 ]
  • cbe7d44 Nominate Andrew Coleman as Fabric maintainer
  • b563b08 Fixed a typo in private_data_tutorial
  • 4875635 Update alpine base image to 3.14 (#2881)
  • 7cb82ee Clean up Go modules (main) (#2878)
  • aa76c70 [Document] typo fix
  • 6ec8d72 Stop spamming for wait channel acquirement in orderer integration test
  • f62e877 Clarify bootstrap.sh message when fabric-samples tag not found
  • 868166d Gateway integration tests - adv. endorsement
  • 9788c9b Early Differences Flag
  • 394fb86 Prepare for next release v2.4.0
  • b0e0c4f fix typo
  • 1fbdc18 Update Go to v1.16.7
  • 38348fb [FAB-11334] - Adds a functional / integration test for peer unjoin channel
  • bc1898e Gateway Evaluate() with transient data
  • 540fff8 FAB18529 added nil check in channel header parsing
  • 36884f0 Add documentation for AbsoluteMaxBytes
  • 98973a8 Options for GRPC message size configurable
  • b64d362 Update bootstrap.sh download script for Fabric CA v1.5.1
  • a330b66 Add release notes for v2.4.0-beta release
  • dac896a Add slash command for invalid issue
  • 474badd Better error messages from Gateway
  • 497a177 Fix FAB-18528: remove panic in ifConfig func (#2828)
  • c41ffff Fix small doc errors (#2816)
  • 99d2e32 Output File Exists Error
  • ea48474 [FAB-11334] Adds a ‘peer node unjoin’ CLI entrypoint to unjoin a peer from a channel (#2769)
  • 87ea070 Gateway enabled by default
  • 5331bbc FAB-18067 Discovery support Implicit Collections (#2784)
  • 240cf0e Merge and enhance coding guidelines across github and wiki
  • bb8bada [FAB-11334] Adds a function to purge a ledger’s transient storage (#2769)
  • f662d98 FABGW-25 Endorse using generated ChaincodeInterest (#2773)
  • 71037f3 Update CHANGELOG.md
  • 95fb683 Hardening raft catchup IT
  • 463271e FAB 18365 evictionsuspicion failing when osn failed (#2780)
  • fe71474 Additional documentation for implicit private data collections
  • fa3960b FABGW-25 Test for system chaincode (#2771) [ #2767 ]
  • 52b12dc Update private data docs - remove SDK reference (#2770)
  • 26ec54a FABGW-25 Build ChaincodeInterest in TX simulator (#2767)
  • e5e623d [FAB-18527] Discovery supports DisregardNamespacePolicy hint from client (#2768)
  • 9a922fd [FAB-18527] Discovery supports state based endorsement queries (#2764)
  • 84c1270 [FABGW-25] Move chaincode interest to proposal response proto (#2763)
  • ffe7d36 [FAB-18521] Fixing flaky IT, send remove tx to another node (#2761) [ #2748 ]
  • 44ab2bf [FAB-18521] Replicate block metadata with block while OSN catching up (#2748)
  • 2c69863 Update test network tutorial for new profile
  • e4b66f9 Update bootstrap.sh for test network
  • cf263b0 [FAB-11334] Scrubs partially constructed/deleted ledgers at peer init (#2754)
  • 62cd59c fixed peer documents
  • f7f77af fixed peer sample config
  • fda47c5 Renamed Ledger Binary To Ledgerutil (#2746)
  • 9736485 [FAB-11334] Adds a new ‘peer node unjoin’ feature (#2732)
  • 73c46a1 Updated enrollUser function in write_first_app Doc (#2713)
  • 965664f Update docs to clarify that an implicit collection can not have an index
  • 1249da2 [FAB-18509] Stop panic of collection index path is wrong (#2726)
  • 9c3d459 [FAB-18508] ledger utility always outputs txNum (#2724)
  • 4c4e58c File Location Flag (#2709)
  • b5e0d27 Added a possibility to override chaincode.externalBuilders via env variable (#2643)
  • 1f1c303 fix typo
  • b034225 [Doc-Update] + What is a commercial paper section
  • 1ee03b3 Add function to delete the ledger data for a channel (#2722)
  • 7151302 Fixed grammatical errors
  • 4e2f86e Fix a typo in CouchDB tutorial
  • 3a75b65 Use protoc-gen-go 1.3.3 for generating protos [ #2113 ]
  • 8ce450e Fix typo
  • 4422a19 Fix peerchaincode.md as well
  • 4e67cbe Add explanation of --ctor JSON string
  • cdd5a04 Compare Snapshots Utility
  • d80cd2a Clarify Verify behaviour in PKCS11 Impl
  • d55dc8e fix typo (#2695)
  • 8689771 Retire Will Lahti as maintainer (#2704)
  • 16259ed Mandate TLS 1.2 or higher in fabhttp package
  • b5a4fe9 Address PR comments in Gateway integration tests
  • 52c09b6 Clarify orderers seeing the transaction data
  • aa0b33f Retire Brett Logan as maintainer
  • 00910ba Handle missing endpoints from discovery
  • dc09b6e Cherry pick deploy CC fixes to main branch
  • fd218eb Clarify “identity expired” error messages (#2685)
  • d9e850d Fix spelling mistakes in the Github Contributions page
  • 3c7fa86 [FAB-18484] Return transaction forwarding result back to the client synchronously
  • 6fbca49 Update Artem Barger email address (#2671)
  • c81f265 Link fixes detailed in FAB-18494
  • 266497f Typo fix in peer deployment guide in main (#2660)
  • b4cd030 Link fixes in create channel tutorial (#2661)
  • dde41d9 Fix link in orderer deployment guide in main
  • b2f7292 Improve mvcc log warnings (#2649)
  • 04796e6 Use protobuf Getters to avoid nil reference (#2646)
  • 07808a0 Clarify doc for readset validations (#2647)
  • a8dbb68 FABGW-20 Implement TargetOrgs for Evaluate() (#2642)
  • 85ae90c Added RetrieveBlockByNumber into blockledger (#2635)
  • 1ad4422 Update secured_private_asset_transfer_tutorial.md
  • 1f89be9 FABGW-21: Realtime implementation of ChaincodeEvents service (#2604)
  • 34a4186 Fix minor code comment
  • 9170fea Return block number along with validation code (#2614)
  • e8e39e6 [FAB-18479] Log error if orderer can’t forward SubmitRequest to Raft leader
  • f1fc499 fix duplicate entry in code snippet
  • 17dc11c Update Building docs to reflect UI changes
  • 0334d52 replace brew cask install --appdir=’/Applications’ docker with brew install --cask docker
  • 4e201af Optionally disable gossip block forwarding (#2606)
  • b4efe85 FABGW-20 Specify endorsing organizations (#2578)
  • 6f0bef1 Bump vmImage to Ubuntu-20.04
  • f8070ec Maintain order of transactions in the commit notification

This list of changes was auto generated.

Related news

GHSA-qj6r-fhrc-jj5r: Remote denial of service in Hyperledger Fabric Gateway

Impact

If a gateway client application sends a malformed request to a gateway peer it may crash the peer node. This fix checks for the malformed gateway request and returns an error to the gateway client.

Patches

Fixed in v2.4.6.

Workarounds

None, users must upgrade to v2.4.6.

References

https://github.com/hyperledger/fabric/releases/tag/v2.4.6

For more information

If you have any questions or comments about this advisory, open an issue in Fabric (https://github.com/hyperledger/fabric).

Credits

Thank you to Haosheng Wang of OPPO ZIWU Security Lab for this disclosure.
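The failure mode behind both the "peer - Handle malformed gateway request" fix note in the release notes above and this advisory is a decoded request whose nested message is missing a field that the handler dereferences without checking. The Go program below is an added example, not Fabric's code or the advisory's: the types EndorseRequest, Proposal, Header and ChannelHeader and their Get* methods are constructed stand-ins (assumptions) that only mimic the nil-safe getters protoc-gen-go generates for real protobuf messages. It contrasts a handler that follows the pointer chain directly, which panics on the malformed input, with one that validates through the getters and returns an error to the client. The serve helper recovers the panic solely so both outcomes can be shown in one process; grpc-go does not recover handler panics by default, so without an explicit check the unchecked path terminates the server.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for a nested gateway request (request -> proposal ->
// header -> channel header). They are not Fabric's protobuf types; they only
// reproduce the pointer chain a decoded message presents to a handler.
type ChannelHeader struct{ ChannelId string }
type Header struct{ ChannelHeader *ChannelHeader }
type Proposal struct{ Header *Header }
type EndorseRequest struct{ Proposal *Proposal }

// Nil-safe getters in the style protoc-gen-go generates: a getter called on a
// nil receiver returns the zero value instead of dereferencing nil.
func (r *EndorseRequest) GetProposal() *Proposal {
	if r == nil {
		return nil
	}
	return r.Proposal
}
func (p *Proposal) GetHeader() *Header {
	if p == nil {
		return nil
	}
	return p.Header
}
func (h *Header) GetChannelHeader() *ChannelHeader {
	if h == nil {
		return nil
	}
	return h.ChannelHeader
}
func (c *ChannelHeader) GetChannelId() string {
	if c == nil {
		return ""
	}
	return c.ChannelId
}

// ErrMalformedRequest is what the hardened handler returns to the client.
var ErrMalformedRequest = errors.New("malformed gateway request")

// channelIDUnchecked follows the pointer chain directly. A request with any
// link missing panics with a nil-pointer dereference, which is how a malformed
// request takes down a process that lacks an explicit check.
func channelIDUnchecked(req *EndorseRequest) (string, error) {
	return req.Proposal.Header.ChannelHeader.ChannelId, nil
}

// channelIDChecked walks the chain through the nil-safe getters and rejects the
// request when the mandatory field is absent, returning an error instead.
func channelIDChecked(req *EndorseRequest) (string, error) {
	id := req.GetProposal().GetHeader().GetChannelHeader().GetChannelId()
	if id == "" {
		return "", fmt.Errorf("%w: missing channel header or channel ID", ErrMalformedRequest)
	}
	return id, nil
}

// Outcome records what the dispatcher observed: a result, a returned error,
// or a panic that a server without a recover would have died on.
type Outcome struct {
	ChannelID string
	Err       error
	Panicked  bool
}

// serve runs a handler the way a request dispatcher would, recovering a panic
// only so that both handlers can be compared in one process.
func serve(handler func(*EndorseRequest) (string, error), req *EndorseRequest) (out Outcome) {
	defer func() {
		if r := recover(); r != nil {
			out = Outcome{Panicked: true, Err: fmt.Errorf("handler panicked: %v", r)}
		}
	}()
	id, err := handler(req)
	return Outcome{ChannelID: id, Err: err}
}

// Constructed sample requests: one complete, one with the header left out.
func wellFormed() *EndorseRequest {
	ch := &ChannelHeader{ChannelId: "mychannel"}
	return &EndorseRequest{Proposal: &Proposal{Header: &Header{ChannelHeader: ch}}}
}
func malformed() *EndorseRequest {
	return &EndorseRequest{Proposal: &Proposal{}} // Header is nil
}

func main() {
	for name, req := range map[string]*EndorseRequest{"well-formed": wellFormed(), "malformed": malformed()} {
		fmt.Printf("%-11s unchecked: %+v\n", name, serve(channelIDUnchecked, req))
		fmt.Printf("%-11s checked:   %+v\n", name, serve(channelIDChecked, req))
	}
}
```

Running it shows the unchecked handler panicking on the malformed request while the checked handler returns ErrMalformedRequest and the well-formed request succeeds either way. The check belongs at the point the request is decoded, before any field is trusted; a recovery interceptor in front of the handler is a defence-in-depth measure, not a substitute for validating the message.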
