OpenSSL vulnerability @ 4.6.4 fixed in which version?

Hello to the team,
our IT noticed, after a routine checking of installed software components on the machines in our company, that both KNIME 4.6.4 (the version we are working with) and the Python Integration (Labs) (4.6.5 v202301252007) use a version of OpenSSL that contains a known vulnerability. They are very keen on fixing any such occurrences in our system, and would like to know in which KNIME version and Python Integration version the following vulnerability is fixed:
Threat Encyclopedia | FortiGuard
CVE - CVE-2022-4203 (mitre.org)
Thank you for any information you can provide, so we know if there is a current version that fixes this.
Best regards,
Jan Schuppius

Hi Jan,

could you double-check whether this is an OS library? It may be possible to update that independently of KNIME (e.g. on Ubuntu with apt update/upgrade).

Kind regards
Marvin


Good morning Marvin,
maybe it helps if I supply some additional details. I do NOT think this is an operating system library, as the files that our scanner found are here (this is a Windows machine we are talking about):
C:\PROGRAM FILES\KNIME\PLUGINS\ORG.KNIME.PYTHONSCRIPTING.CHANNEL.V1.BIN.WIN32.X86_64_4.6.0.V202207221021\ENV\LIBRARY\BIN
C:\PROGRAM FILES\KNIME\BUNDLING\ROOT\PKGS\OPENSSL-1.1.1Q-H8FFE710_0\LIBRARY\BIN
These files came with the KNIME and extension installations respectively.
Best regards,
Jan

Hi Jan,

thanks for following up. I missed the fact that our Python integration brings its own OpenSSL libraries along. Sorry for that.

We’ve updated the OpenSSL libraries in version 4.7.1.

Kind regards
Marvin


Hello Marvin, after installing the newest version of KNIME and all installed add-ins, our network security tool (Fortinet) STILL says that the version of OpenSSL used by KNIME contains the above-mentioned security vulnerability. As far as we can see, KNIME uses version 3.0.7, and the fix has been included in 3.0.8. Any ideas?

Hi Jan,

thanks for the update. I can confirm the distributed version is v3.0.7… I’ll check back with development and our security team and update you as soon as possible.

Kind regards
Marvin

From the CVE description (NVD - CVE-2022-4203):

The read buffer overrun might result in a crash which could lead to a denial of service attack. In theory it could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext) although we are not aware of any working exploit leading to memory contents disclosure as of the time of release of this advisory.

Since we enable data processing / ETL in the first place, a denial of service attack wouldn’t be a special issue, as any user could build workflows that hog resources. Still, I have made our teams internally aware. At the very least, it would be nice to not have the vulnerability scanner trip up.

Kind regards
Marvin


Thank you for the quick reply!

Hi Jan,

we will proceed to update the library again, though it won’t be ready in time for 4.7.2 (which is just around the corner). We are planning to release it with 4.7.3, but since the exploit isn’t really an issue given our setup (independent of whether the exploit can be triggered in the first place), we currently don’t plan to push forward the release due to this. I can’t provide a release date for the time being.

To avoid this in the future, we will include a CVE detection for Python components.

Thank you for bringing this up in the first place and apologies for any inconveniences caused.

Kind regards
Marvin

EDIT: The library is available in an updated version in KNIME Analytics Platform version 5.1.

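Added example (not part of this thread, and not KNIME's own tooling): a small inventory check of the kind the scanner in Jan's post performed and that Marvin says KNIME will add for its Python components. It walks an install tree for `libcrypto`/`libssl` libraries, reads the version banner that libcrypto embeds as a plain string, falls back to the conda package directory name (`openssl-1.1.1q-h8ffe710_0` is the layout from the thread) when the binary is stripped, and matches the version against the affected range of CVE-2022-4203, which covers OpenSSL 3.0.0 up to but not including 3.0.8 (the thread confirms 3.0.7 is flagged and 3.0.8 carries the fix; the 1.1.1 line is outside the range). The sample tree, including the `hplaceholder_0` build string and the banner bytes, is constructed here for the demonstration.

```python
"""Scan an install tree for bundled OpenSSL libraries and match their versions against advisories."""
import os
import re
import tempfile
from pathlib import Path

# Affected ranges as (first_affected, fixed_in); a version v is affected when first <= v < fixed.
# CVE-2022-4203 affects OpenSSL 3.0.0 through 3.0.7 and is fixed in 3.0.8 (OpenSSL 1.1.1 is not affected).
ADVISORIES = {"CVE-2022-4203": ((3, 0, 0), (3, 0, 8))}

LIB_NAME = re.compile(r"^(libcrypto|libssl)[-\w.]*\.(dll|so|dylib)", re.I)
VERSION_IN_PATH = re.compile(r"openssl-(\d+\.\d+\.\d+[a-z]?)", re.I)
# libcrypto embeds its version banner as a plain string, e.g. "OpenSSL 3.0.7 1 Nov 2022".
VERSION_IN_BINARY = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?) ")


def parse_version(text):
    """'3.0.7' -> (3, 0, 7); the 1.1.1x letter suffix is dropped, it never matters for the 3.0 ranges."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_by(version):
    """Return the advisory IDs whose affected range contains this version string."""
    if version is None:
        return []
    v = parse_version(version)
    return [cve for cve, (first, fixed) in ADVISORIES.items() if first <= v < fixed]


def version_from_binary(path):
    """Pull the version banner out of the library file itself, or None if it is absent."""
    m = VERSION_IN_BINARY.search(Path(path).read_bytes())
    return m.group(1).decode() if m else None


def scan(root):
    """Walk root and report every OpenSSL library found with its version and matching advisories."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not LIB_NAME.match(name):
                continue
            path = Path(dirpath) / name
            # Prefer the banner inside the binary; fall back to the conda package directory name.
            version = version_from_binary(path)
            if version is None:
                m = VERSION_IN_PATH.search(str(path))
                version = m.group(1) if m else None
            findings.append({"path": path.relative_to(root).as_posix(),
                             "version": version, "cves": affected_by(version)})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed stand-in for an installation: fake DLLs carrying (or lacking) a version banner."""
    root = Path(tempfile.mkdtemp(prefix="knime-scan-"))
    fake = {
        # Python integration environment; banner says 3.0.7 (the version the thread found flagged)
        "plugins/org.knime.pythonscripting.channel.v1.bin.win32.x86_64_4.6.0/env/Library/bin/libcrypto-3-x64.dll":
            b"MZ" + b"\x00" * 32 + b"OpenSSL 3.0.7 1 Nov 2022\x00",
        # bundled conda package of the 1.1.1 line, outside the 3.0 range
        "bundling/root/pkgs/openssl-1.1.1q-h8ffe710_0/Library/bin/libssl-1_1-x64.dll":
            b"MZ" + b"\x00" * 32 + b"OpenSSL 1.1.1q  5 Jul 2022\x00",
        # stripped library with no banner: version must come from the package directory name (constructed build string)
        "bundling/root/pkgs/openssl-3.0.8-hplaceholder_0/Library/bin/libcrypto-3-x64.dll":
            b"MZ" + b"\x00" * 64,
        # unrelated DLL in the same bin directory; must be ignored
        "bundling/root/pkgs/openssl-3.0.8-hplaceholder_0/Library/bin/zlib.dll":
            b"MZ" + b"\x00" * 16,
    }
    for rel, content in fake.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    for f in scan(build_sample_tree()):
        status = ", ".join(f["cves"]) if f["cves"] else "ok"
        print(f"{f['version'] or '?':8} {status:16} {f['path']}")
```

Point `scan()` at a real KNIME installation directory instead of `build_sample_tree()` to inventory it; the point of reading the banner first is that a scanner sees the library actually loaded at runtime, while the package directory name only tells you what the package manager believes was installed.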

Thank you for your speedy answers and letting us know how you will handle this.
Best regards from Hamburg,
Jan
