{
  "url": "http://public2.vulnerablecode.io/api/vulnerabilities/84454?format=json",
  "vulnerability_id": "VCID-5xz7-8sx7-wbhw",
  "summary": "Panic in wasmvm can slow down block production\n# CWA-2024-008\n\n**Severity**\n\nMedium (Moderate + Likely)[^1]\n\n**Affected versions:**\n\n- wasmvm >= 2.1.0, < 2.1.3\n- wasmvm >= 2.0.0, < 2.0.4\n- wasmvm < 1.5.5\n- cosmwasm-vm >= 2.1.0, < 2.1.4\n- cosmwasm-vm >= 2.0.0, < 2.0.7\n- cosmwasm-vm < 1.5.8\n\n**Patched versions:**\n\n- wasmvm 1.5.5, 2.0.4, 2.1.3\n- cosmwasm-vm 1.5.8, 2.0.7, 2.1.4\n\n## Description of the bug\n\n(Blank for now. We'll add more detail once chains had a chance to upgrade.)\n\n## Patch\n\n- 1.5: https://github.com/CosmWasm/cosmwasm/commit/edcdbc520d4f5521eed42de6e2869658278e91fd\n- 2.0: https://github.com/CosmWasm/cosmwasm/commit/f63429ca59eb44dd5d780c1572016581337091e4\n- 2.1: https://github.com/CosmWasm/cosmwasm/commit/108e7dcbf9c21df0fa83f355ad3a7355d7f220cb\n\n## Applying the patch\n\nThe patch will be shipped in releases of wasmvm. You can update more or less as follows:\n\n1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm`\n2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to 1.5.5, 2.0.4, 2.1.3 depending on which minor version you are; `go mod tidy`; commit.\n3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly.\n4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.5, 2.0.4, 2.1.3.\n5. Follow your regular practices to deploy chain upgrades.\n\nTo double check if the correct library version is loaded at runtime, use this query:\n`<appd> query wasm libwasmvm-version`. It must show 1.5.5, 2.0.4 or 2.1.3.\n\nThe patch is consensus breaking and requires a coordinated upgrade.\n\n## Acknowledgement\n\nThis issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.\n\nIf you believe you have found a bug in the Interchain Stack or would like to contribute to the\nprogram by reporting a bug, please see <https://hackerone.com/cosmos>.\n\n## Timeline\n\n- 2024-08-22: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.\n- 2024-08-23: Confio security contributors confirm the report.\n- 2024-09-09: Confio developed the patch internally.\n- 2024-09-23: Patch is released.\n\n[^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md",
  "aliases": [
    {"alias": "GHSA-vmqh-5232-v43r"}
  ],
  "fixed_packages": [
    {
      "url": "http://public2.vulnerablecode.io/api/packages/1175303?format=json",
      "purl": "pkg:cargo/cosmwasm-vm@1.5.8",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:cargo/cosmwasm-vm@1.5.8"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/1175305?format=json",
      "purl": "pkg:cargo/cosmwasm-vm@2.0.7",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:cargo/cosmwasm-vm@2.0.7"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/1175304?format=json",
      "purl": "pkg:cargo/cosmwasm-vm@2.1.4",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:cargo/cosmwasm-vm@2.1.4"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/107592?format=json",
      "purl": "pkg:golang/github.com/CosmWasm/wasmvm@1.5.5",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/github.com/CosmWasm/wasmvm@1.5.5"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/107591?format=json",
      "purl": "pkg:golang/github.com/CosmWasm/wasmvm/v2@2.0.4",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/github.com/CosmWasm/wasmvm/v2@2.0.4"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/107590?format=json",
      "purl": "pkg:golang/github.com/CosmWasm/wasmvm/v2@2.1.3",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/github.com/CosmWasm/wasmvm/v2@2.1.3"
    }
  ],
  "affected_packages": [
    {
      "url": "http://public2.vulnerablecode.io/api/packages/513555?format=json",
      "purl": "pkg:cargo/cosmwasm-vm@2.0.0",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-2rnx-419h-1qcq"},
        {"vulnerability": "VCID-5xz7-8sx7-wbhw"},
        {"vulnerability": "VCID-ws7v-hdu3-13ec"},
        {"vulnerability": "VCID-zxf6-zvad-6fbm"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:cargo/cosmwasm-vm@2.0.0"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/513553?format=json",
      "purl": "pkg:cargo/cosmwasm-vm@2.1.0",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-2rnx-419h-1qcq"},
        {"vulnerability": "VCID-5xz7-8sx7-wbhw"},
        {"vulnerability": "VCID-ws7v-hdu3-13ec"},
        {"vulnerability": "VCID-zxf6-zvad-6fbm"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:cargo/cosmwasm-vm@2.1.0"
    }
  ],
  "references": [
    {
      "reference_url": "https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-008.md",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-008.md"
    },
    {
      "reference_url": "https://github.com/CosmWasm/cosmwasm/commit/108e7dcbf9c21df0fa83f355ad3a7355d7f220cb",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://github.com/CosmWasm/cosmwasm/commit/108e7dcbf9c21df0fa83f355ad3a7355d7f220cb"
    },
    {
      "reference_url": "https://github.com/CosmWasm/cosmwasm/commit/edcdbc520d4f5521eed42de6e2869658278e91fd",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://github.com/CosmWasm/cosmwasm/commit/edcdbc520d4f5521eed42de6e2869658278e91fd"
    },
    {
      "reference_url": "https://github.com/CosmWasm/cosmwasm/commit/f63429ca59eb44dd5d780c1572016581337091e4",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://github.com/CosmWasm/cosmwasm/commit/f63429ca59eb44dd5d780c1572016581337091e4"
    },
    {
      "reference_url": "https://github.com/CosmWasm/wasmvm",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://github.com/CosmWasm/wasmvm"
    },
    {
      "reference_url": "https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-vmqh-5232-v43r",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""},
        {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-vmqh-5232-v43r"
    },
    {
      "reference_url": "https://github.com/advisories/GHSA-vmqh-5232-v43r",
      "reference_id": "GHSA-vmqh-5232-v43r",
      "reference_type": "",
      "scores": [
        {"value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
      ],
      "url": "https://github.com/advisories/GHSA-vmqh-5232-v43r"
    }
  ],
  "weaknesses": [],
  "exploits": [],
  "severity_range_score": "4.0 - 6.9",
  "exploitability": null,
  "weighted_severity": null,
  "risk_score": null,
  "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5xz7-8sx7-wbhw"
}