Agoric-upgrade-14 security bulletin

:shield:Upgrade-14 Security Bulletin

This bulletin highlights security improvements in the recent Agoric upgrade, agoric-upgrade-14.

In summary, a large component of upgrade-14 is an incremental set of major-version upgrades to the interchain stack (CometBFT, Cosmos SDK and ibc-go). Several of these upgrades pick up fixes for vulnerabilities found in earlier versions.

CometBFT

Upgraded from 0.34.27 to 0.34.30, picking up the following security fixes (oldest first):

:white_check_mark: #557: Fix(merkle): broken error handling in ValueOp (VSA-2022-100)

  • This is a proactive fix for an issue where broken error handling in Merkle proof verification could let an attacker forge membership proofs for arbitrary key-value pairs.
  • Instead of allowing a malformed Merkle proof to verify against an empty tree, the module now returns an error as expected.
  • Fixed in v0.34.28.
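The failure mode behind this fix, as an added illustration (a toy Merkle tree written for this bulletin in Go; it is not CometBFT's crypto/merkle code and not Agoric's): a verifier whose root computation signals "malformed proof" with a nil hash rather than an error, and which then compares with bytes.Equal, accepts any key/value pair against an empty root because bytes.Equal(nil, []byte{}) is true. The fail-closed variant in the same function returns an error for both the empty root and the malformed proof. The tree shape (exactly 2^k leaves, 0x00/0x01 domain prefixes), the kvLeaf encoding, the Proof layout and the sample key/value pairs are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Proof is a toy Merkle membership proof for a tree of exactly 2^k leaves (not CometBFT's code).
type Proof struct {
	Index    int      // position of the proven leaf
	LeafHash []byte   // hash of the proven leaf, supplied by the prover
	Aunts    [][]byte // sibling hashes from the leaf upward, len(Aunts) == k
}

// hashNode domain-separates leaves (prefix 0x00) from inner nodes (0x01), RFC 6962 style.
func hashNode(prefix byte, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte{prefix})
	for _, part := range parts {
		h.Write(part)
	}
	return h.Sum(nil)
}

// kvLeaf length-prefixes key and value so their boundary is unambiguous (constructed encoding).
func kvLeaf(key, value []byte) []byte {
	buf := binary.BigEndian.AppendUint32(nil, uint32(len(key)))
	buf = binary.BigEndian.AppendUint32(append(buf, key...), uint32(len(value)))
	return append(buf, value...)
}

// BuildTree hashes the leaves into a root and returns a membership proof for each leaf.
func BuildTree(leaves [][]byte) ([]byte, []Proof, error) {
	n := len(leaves)
	if n == 0 || n&(n-1) != 0 {
		return nil, nil, fmt.Errorf("leaf count %d is not a power of two", n)
	}
	level, proofs := make([][]byte, n), make([]Proof, n)
	for i, leaf := range leaves {
		level[i] = hashNode(0x00, leaf)
		proofs[i] = Proof{Index: i, LeafHash: level[i]}
	}
	for len(level) > 1 {
		width := n / len(level) // leaves under one node at this level
		for leaf := range proofs {
			proofs[leaf].Aunts = append(proofs[leaf].Aunts, level[(leaf/width)^1])
		}
		next := make([][]byte, len(level)/2)
		for i := range next {
			next[i] = hashNode(0x01, level[2*i], level[2*i+1])
		}
		level = next
	}
	return level[0], proofs, nil
}

// computeRootHash folds the aunts into a root; a malformed proof is an error, never a nil hash.
func (p Proof) computeRootHash() ([]byte, error) {
	h := p.LeafHash
	for lvl, aunt := range p.Aunts {
		if len(aunt) != sha256.Size {
			return nil, fmt.Errorf("aunt %d is %d bytes, want %d", lvl, len(aunt), sha256.Size)
		}
		if (p.Index>>lvl)&1 == 0 {
			h = hashNode(0x01, h, aunt)
		} else {
			h = hashNode(0x01, aunt, h)
		}
	}
	return h, nil
}

// Verify checks p for (key, value) against root. failOpen=true reproduces the pattern the
// bulletin describes: a malformed proof yields a nil root instead of an error, and
// bytes.Equal(nil, []byte{}) is true, so any pair "verifies" against an empty tree.
func Verify(root, key, value []byte, p Proof, failOpen bool) error {
	if !failOpen && len(root) == 0 {
		return errors.New("refusing to verify against an empty root")
	}
	if !bytes.Equal(p.LeafHash, hashNode(0x00, kvLeaf(key, value))) {
		return errors.New("leaf hash mismatch")
	}
	computed, err := p.computeRootHash()
	if err != nil && !failOpen {
		return fmt.Errorf("computing root hash: %w", err)
	}
	if !bytes.Equal(computed, root) { // computed == nil when err != nil
		return errors.New("root hash mismatch")
	}
	return nil
}

func main() {
	root, proofs, _ := BuildTree([][]byte{kvLeaf([]byte("a"), []byte("1")), kvLeaf([]byte("b"), []byte("2"))})
	fmt.Println("genuine proof, strict:", Verify(root, []byte("b"), []byte("2"), proofs[1], false))
	forged := Proof{LeafHash: hashNode(0x00, kvLeaf([]byte("evil"), []byte("x"))), Aunts: [][]byte{{0xff}}}
	fmt.Println("forged vs empty root, fail-open:", Verify(nil, []byte("evil"), []byte("x"), forged, true))
	fmt.Println("forged vs empty root, strict:", Verify(nil, []byte("evil"), []byte("x"), forged, false))
}
```

The forged proof carries an honestly computed leaf hash for a pair that is in no tree, plus one deliberately malformed aunt. With failOpen=true the malformed aunt collapses the computed root to nil, which compares equal to an empty root, so the pair is accepted; against a real (non-empty) root the same forgery is still rejected, which is why the bug only bites when the tree is empty. The fail-closed path rejects the empty root outright and propagates the computation error.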

:white_check_mark: #788: Struct Client exposes sensitive data (backport #784)

  • This is a low-severity issue where RPC client credentials were accidentally logged.
  • Fixed in v0.34.29.

:white_check_mark: #794: Unsafe int cast in kill command (backport #783)

  • This is a low-severity issue where an unsafe integer cast could cause the kill command to kill the wrong process.
  • Fixed in v0.34.29.

:white_check_mark: #863: Recursive call after rename to (*PeerState).MarshalJSON

  • This is a low-severity issue where a node configured with the debug log level would halt on a double lock when attempting to log peer state.
  • Fixed in v0.34.29.

:white_check_mark: #890: Prevent a transaction to appear twice in the mempool

  • This is a low-severity issue where a transaction could appear twice in the mempool when the cache overflows.
  • Fixed in v0.34.29.

Cosmos-SDK

Upgraded from 0.45.16 to 0.46.16. There are no notable new security fixes in this range, because patches for all known Cosmos SDK security issues (such as Dragonberry and Barberry) had already been applied.

ibc-go

Upgraded from 4.5.1 to 6.2.1. This range contains no notable security fixes.


For a full list of changes that include non-security fixes, see the agoric-upgrade-14 release notes.

If you need to get in touch with the Agoric security team, do not hesitate to email us at security@agoric.com. A friendly reminder that we run a bug bounty program and reward vulnerabilities reported to us via HackerOne.
