
Addressing a lot of security vulnerabilities in the Cadence release v1.2.14 #6545

Open
LauVietVan opened this issue Dec 6, 2024 · 1 comment

Comments


LauVietVan commented Dec 6, 2024

Version of Cadence server, and client (which language)
This is very important to root-cause bugs.

  • Server version: v1.2.14

Describe the bug
There are a lot of CVEs found from the latest Cadence image: ubercadence/server:v1.2.14
To Reproduce
Is the issue reproducible?

  • Yes

Steps to reproduce the behavior:

  • Pull the latest image ubercadence/server:v1.2.14 from Dockerhub
  • Scan the image with any vulnerability scanner

Scan results for: image ubercadence/server:v1.2.14 sha256:ccd93845dd68aa5a59eb761b28df3720b492926542a83bad9e21d6f7714344e1
Vulnerabilities
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                PACKAGE                 |              VERSION               |          STATUS          |  PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2024-24790   | critical | 9.80 | net/netip                              | 1.22.3                             | fixed in 1.21.11, 1.22.4 | > 6 months  | < 1 hour   | The various Is methods (IsPrivate, IsLoopback,     |
|                  |          |      |                                        |                                    | > 6 months ago           |             |            | etc) did not work as expected for IPv4-mapped IPv6 |
|                  |          |      |                                        |                                    |                          |             |            | addresses, returning false for addresses which     |
|                  |          |      |                                        |                                    |                          |             |            | would...                                           |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2019-0210    | high     | 7.50 | github.com/apache/thrift/lib/go/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0          | > 5 years   | < 1 hour   | In Apache Thrift 0.9.3 to 0.12.0, a server         |
|                  |          |      |                                        |                                    | > 5 years ago            |             |            | implemented in Go using TJSONProtocol or           |
|                  |          |      |                                        |                                    |                          |             |            | TSimpleJSONProtocol may panic when feed with       |
|                  |          |      |                                        |                                    |                          |             |            | invalid input data.                                |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2024-9681    | medium   | 6.50 | curl                                   | 8.9.1-r1                           |                          | 29 days     | < 1 hour   | When curl is asked to use HSTS, the expiry time    |
|                  |          |      |                                        |                                    |                          |             |            | for a subdomain might overwrite a parent domain's  |
|                  |          |      |                                        |                                    |                          |             |            | cache entry, making it end sooner or later than    |
|                  |          |      |                                        |                                    |                          |             |            | oth...                                             |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus             | v1.9.0                             | fixed in v1.9.3          | > 1 years   | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                        |                                    | > 1 years ago            |             |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                        |                                    |                          |             |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                        |                                    |                          |             |            | without new...                                     |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                                   | 1.2.13-r1                          |                          | > 11 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                  |          |      |                                        |                                    |                          |             |            | to be vulnerable to memory corruption issues       |
|                  |          |      |                                        |                                    |                          |             |            | affecting the deflation algorithm implementation   |
|                  |          |      |                                        |                                    |                          |             |            | (deflate.c)...                                     |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-45288   | medium   | 0.00 | golang.org/x/net/http2                 | v0.19.0                            | fixed in 0.23.0          | > 8 months  | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                        |                                    | > 8 months ago           |             |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                        |                                    |                          |             |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                        |                                    |                          |             |            | Maintaining H...                                   |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2024-9143    | low      | 0.00 | openssl                                | 3.1.7-r0                           | fixed in 3.1.7-r1        | 50 days     | < 1 hour   | Issue summary: Use of the low-level GF(2^m)        |
|                  |          |      |                                        |                                    | 46 days ago              |             |            | elliptic curve APIs with untrusted explicit values |
|                  |          |      |                                        |                                    |                          |             |            | for the field polynomial can lead to out-of-bounds |
|                  |          |      |                                        |                                    |                          |             |            | memo...                                            |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+

Vulnerabilities found for image ubercadence/server:v1.2.14: total - 7, critical - 1, high - 1, medium - 4, low - 1
Vulnerability threshold check results: PASS

Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY |                              DESCRIPTION                               |
+----------+------------------------------------------------------------------------+
| high     | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high     | Private keys stored in image                                           |
+----------+------------------------------------------------------------------------+

Compliance found for image ubercadence/server:v1.2.14: total - 2, critical - 0, high - 2, medium - 0, low - 0

Expected behavior
No more CVEs found.


Additional context
Add any other context about the problem here, e.g. stack trace, workflow history.


thle40 commented Dec 12, 2024

The latest scan has reported a new CVE for this version:
CVE-2024-24786 | google.golang.org/protobuf/internal/encoding/json v1.31.0
