Here is the body of the email that I received.
You are receiving this email in connection with the vulnerabilities CVE-2023-4863, CVE-2023-5129, & CVE-2023-5217 impacting libwebp, libvpx, Chromium (and others implementing them in any form) which have been assessed as having a critical risk rating.
Google assigned CVE-2023-4863, CVE-2023-5129, & CVE-2023-5217 to libwebp, Chromium, and libvpx. The security vulnerabilities were discovered after being leveraged in zero-day attacks, discovered by Citizen Lab. The flaw, initially assigned by Google as a Chromium bug and tracked as CVE-2023-4863, was found to be an issue in the open-source WebM (WebP) project, thus affecting the libwebp library and its derivatives, used to encode and decode images in the WebP format. CVE-2023-5129 was rejected by MITRE (top root CNA) due to overlaps between vulnerabilities (which require the root entity to be fixed, as one of the considerations in assigning CVEs), resulting in the CVE assignment being rejected as a duplicate.
CVE-2023-5217 was also assigned to libvpx for a related, but unique issue, affecting VP8 & VP9 video codec processing.
The vulnerabilities enable a heap buffer overflow that could allow a remote attacker to achieve arbitrary code execution and/or denial-of-service scenarios. With active exploits observed in the wild, and patches going public that can be reverse engineered to aid additional exploit development, publicly available PoCs have been published, causing investigation and remediation efforts to be aggressively pursued.
Hello,

My company is asking for us to provide an SBOM for Gerrit, as our security teams want to know if Gerrit is affected by any of the CVEs mentioned in the communication below.

Could our maintainers please publish a statement to the Gerrit website that I can reference?
On Wednesday, October 11, 2023 at 3:24:35 PM UTC+2 mike...@aol.com wrote:
> Hello,
>
> My company is asking for us to provide an SBOM for Gerrit, as our security teams want to know if Gerrit is affected by any of the CVEs mentioned in the communication below.
>
> Could our maintainers please publish a statement to the Gerrit website that I can reference?

SBOM + CVE for Gerrit should become a more and more frequent request.
Related to SBOM generation support in Bazel (Gerrit's build system):
Thank you all. I appreciate all the answers.