Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycTk3LW01cmMtcDNncM4ABCOg
CosmWasm VM Incorrect metering
CWA-2024-007
Severity
Medium (Moderate + Likely)[^1]
Affected versions:
- wasmvm >= 2.1.0, < 2.1.3
- wasmvm >= 2.0.0, < 2.0.4
- wasmvm < 1.5.5
- cosmwasm-vm >= 2.1.0, < 2.1.4
- cosmwasm-vm >= 2.0.0, < 2.0.7
- cosmwasm-vm < 1.5.8
Patched versions:
- wasmvm 1.5.5, 2.0.4, 2.1.3
- cosmwasm-vm 1.5.8, 2.0.7, 2.1.4
Description of the bug
(Blank for now. We'll add more detail once chains have had a chance to upgrade.)
Patch
- 1.5: https://github.com/CosmWasm/cosmwasm/commit/16eabd681790508b13dac8e67f9e6e61045240ea
- 2.0: https://github.com/CosmWasm/cosmwasm/commit/0e70bd83119b02f99a2c0397f0913e0803750fd9
- 2.1: https://github.com/CosmWasm/cosmwasm/commit/f5bf24f3acadca2892afd58cc3ce5fdeb932d492
Applying the patch
The patch will be shipped in releases of wasmvm. You can update more or less as follows:
- Check the current wasmvm version: go list -m github.com/CosmWasm/wasmvm
- Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to 1.5.5, 2.0.4 or 2.1.3, depending on which minor version you are on; run go mod tidy; commit.
- If you use the static libraries libwasmvm_muslc.aarch64.a / libwasmvm_muslc.x86_64.a, update them accordingly.
- Check the updated wasmvm version: go list -m github.com/CosmWasm/wasmvm and ensure you see 1.5.5, 2.0.4 or 2.1.3.
- Follow your regular practices to deploy chain upgrades.
To double check if the correct library version is loaded at runtime, use this query: <appd> query wasm libwasmvm-version. It must show 1.5.5, 2.0.4 or 2.1.3.
The patch is consensus breaking and requires a coordinated upgrade.
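The upgrade procedure above can be automated as a version check. The script below is an added example and not part of the advisory or the CosmWasm project: it classifies a wasmvm Go module version against the affected and patched ranges listed in this advisory, and wraps the advisory's go list check so it also catches the github.com/CosmWasm/wasmvm/v2 module path. The script name check_wasmvm.sh and the --check flag are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a wasmvm Go module version
# against the CWA-2024-007 ranges and run the advisory's "go list -m" check.
# Ranges from the advisory: affected are < 1.5.5, 2.0.0-2.0.3 and 2.1.0-2.1.2;
# patched are 1.5.5, 2.0.4 and 2.1.3 (and later patch releases on those lines).

# Returns 0 when VERSION (e.g. "v1.5.5", "2.1.3" or "v2.1.2-rc.1") carries the fix,
# 1 when it falls in an affected range.
wasmvm_is_patched() {
    v=${1#v}                      # strip the Go module "v" prefix
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}       # drop pre-release/build suffixes such as "-rc.1"
    case "$major.$minor" in
        1.5) [ "$patch" -ge 5 ] ;;
        2.0) [ "$patch" -ge 4 ] ;;
        2.1) [ "$patch" -ge 3 ] ;;
        *)
            # Every line below 1.5 is affected; lines newer than 2.1 are not
            # listed by the advisory, so they are treated as not affected here.
            if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 1 ]; }; then
                return 0
            fi
            return 1 ;;
    esac
}

# Runs the advisory's "go list -m" check from the chain's Go module root and
# reports both the v1 and the v2 wasmvm module paths if present.
check_go_mod() {
    go list -m all 2>/dev/null |
    awk '$1 ~ /^github\.com\/CosmWasm\/wasmvm(\/v2)?$/ { print $1, $2 }' |
    while read -r mod ver; do
        if wasmvm_is_patched "$ver"; then
            echo "$mod $ver: patched for CWA-2024-007"
        else
            echo "$mod $ver: AFFECTED by CWA-2024-007, bump per the advisory"
        fi
    done
}

# Usage: sh check_wasmvm.sh --check   (assumed script name; run from the module root)
if [ "${1:-}" = "--check" ]; then
    check_go_mod
fi
```

The runtime query (<appd> query wasm libwasmvm-version) is still needed after deployment, since go.mod only proves what was compiled, not what the node has loaded.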
Acknowledgement
This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.
If you believe you have found a bug in the Interchain Stack or would like to contribute to the
program by reporting a bug, please see https://hackerone.com/cosmos.
Timeline
- 2024-08-28: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.
- 2024-08-30: Confio security contributors confirm the report.
- 2024-09-02: Confio developed the patch internally.
- 2024-09-23: Patch is released.
[^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md
Permalink: https://github.com/advisories/GHSA-2q97-m5rc-p3gp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycTk3LW01cmMtcDNncM4ABCOg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 days ago
Updated: 7 days ago
Identifiers: GHSA-2q97-m5rc-p3gp
References:
- https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-2q97-m5rc-p3gp
- https://github.com/CosmWasm/cosmwasm/commit/0e70bd83119b02f99a2c0397f0913e0803750fd9
- https://github.com/CosmWasm/cosmwasm/commit/16eabd681790508b13dac8e67f9e6e61045240ea
- https://github.com/CosmWasm/cosmwasm/commit/f5bf24f3acadca2892afd58cc3ce5fdeb932d492
- https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-007.md
- https://github.com/advisories/GHSA-2q97-m5rc-p3gp
Blast Radius: 0.0
Affected Packages
cargo:cosmwasm-vm
Dependent packages: 22
Dependent repositories: 129
Downloads: 333,698 total
Affected Version Ranges: < 1.5.8, >= 2.0.0, < 2.0.7, >= 2.1.0, < 2.1.4
Fixed in: 1.5.8, 2.0.7, 2.1.4
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.13.2, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.16.6, 0.16.7, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3
All unaffected versions: 1.5.8, 1.5.9, 2.0.7, 2.0.8, 2.1.4, 2.1.5
go:github.com/CosmWasm/wasmvm
Dependent packages: 921
Dependent repositories: 336
Downloads:
Affected Version Ranges: < 1.5.5
Fixed in: 1.5.5
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.4, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 0.15.0, 0.15.1, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.5, 0.16.6, 0.16.7, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4
All unaffected versions: 1.5.5, 1.5.6
go:github.com/CosmWasm/wasmvm/v2
Dependent packages: 13
Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 2.0.0, < 2.0.4, >= 2.1.0, < 2.1.3
Fixed in: 2.0.4, 2.1.3
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2
All unaffected versions: 2.0.4, 2.0.5, 2.1.3, 2.1.4