Addressing a lot of security vulnerabilities in the Cadence release v1.2.13

[sonpham96]

Version of Cadence server, and client(which language)
This is very important to root cause bugs.

• Server version: v1.2.13

Describe the bug
There are a lot of CVEs found from the latest Cadence image: ubercadence/server:v1.2.13

To Reproduce
Is the issue reproducible?

• Yes

Steps to reproduce the behavior:

• Pull the latest image ubercadence/server:v1.2.13 from Dockerhub
• Scan the image with any vulnerability scanner

Scan results for: image ubercadence/server:v1.2.13 sha256:d490d7ad381715e6a28c3eb046ddeed6bf3dbf4620987336b91ed6f2cb778962
Vulnerabilities
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                      PACKAGE                      |              VERSION               |          STATUS          |  PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2024-24790   | critical | 9.80 | net/netip                                         | 1.22.3                             | fixed in 1.21.11, 1.22.4 | > 4 months  | < 1 hour   | The various Is methods (IsPrivate, IsLoopback,     |
|                  |          |      |                                                   |                                    | > 4 months ago           |             |            | etc) did not work as expected for IPv4-mapped IPv6 |
|                  |          |      |                                                   |                                    |                          |             |            | addresses, returning false for addresses which     |
|                  |          |      |                                                   |                                    |                          |             |            | would...                                           |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2019-0210    | high     | 7.50 | github.com/apache/thrift/lib/go/thrift            | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0          | > 4 years   | < 1 hour   | In Apache Thrift 0.9.3 to 0.12.0, a server         |
|                  |          |      |                                                   |                                    | > 4 years ago            |             |            | implemented in Go using TJSONProtocol or           |
|                  |          |      |                                                   |                                    |                          |             |            | TSimpleJSONProtocol may panic when feed with       |
|                  |          |      |                                                   |                                    |                          |             |            | invalid input data.                                |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus                        | v1.9.0                             | fixed in v1.9.3          | > 1 years   | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                                   |                                    | > 1 years ago            |             |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                                   |                                    |                          |             |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                                   |                                    |                          |             |            | without new...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                                              | 1.2.13-r1                          |                          | > 9 months  | < 1 hour   | Cloudflare version of zlib library was found       |
|                  |          |      |                                                   |                                    |                          |             |            | to be vulnerable to memory corruption issues       |
|                  |          |      |                                                   |                                    |                          |             |            | affecting the deflation algorithm implementation   |
|                  |          |      |                                                   |                                    |                          |             |            | (deflate.c)...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                                           | 1.36.1                             |                          | > 10 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                  |          |      |                                                   |                                    |                          |             |            | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                                           | 1.36.1                             |                          | > 10 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                  |          |      |                                                   |                                    |                          |             |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                  |          |      |                                                   |                                    |                          |             |            | awk.c copyvar function.                            |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                                           | 1.36.1                             |                          | > 10 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                  |          |      |                                                   |                                    |                          |             |            | allows attackers to cause a denial of service      |
|                  |          |      |                                                   |                                    |                          |             |            | via a crafted awk pattern in the awk.c evaluate    |
|                  |          |      |                                                   |                                    |                          |             |            | funct...                                           |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                                           | 1.36.1                             |                          | > 10 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                  |          |      |                                                   |                                    |                          |             |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                  |          |      |                                                   |                                    |                          |             |            | BusyBox v.1.36.1.                                  |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2024-24786   | medium   | 0.00 | google.golang.org/protobuf/encoding/protojson     | v1.31.0                            | fixed in 1.33.0          | > 7 months  | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                   |                                    | > 7 months ago           |             |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                   |                                    |                          |             |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                   |                                    |                          |             |            | unmarshalin...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2024-24786   | medium   | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0                            | fixed in 1.33.0          | > 7 months  | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                   |                                    | > 7 months ago           |             |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                   |                                    |                          |             |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                   |                                    |                          |             |            | unmarshalin...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-45288   | medium   | 0.00 | golang.org/x/net/http2                            | v0.19.0                            | fixed in 0.23.0          | > 6 months  | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                   |                                    | > 6 months ago           |             |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                   |                                    |                          |             |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                   |                                    |                          |             |            | Maintaining H...                                   |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+

Vulnerabilities found for image ubercadence/server:v1.2.13: total - 11, critical - 1, high - 1, medium - 9, low - 0
Vulnerability threshold check results: PASS

Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY |                              DESCRIPTION                               |
+----------+------------------------------------------------------------------------+
| high     | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high     | Private keys stored in image                                           |
+----------+------------------------------------------------------------------------+

Compliance found for image ubercadence/server:v1.2.13: total - 2, critical - 0, high - 2, medium - 0, low - 0

Expected behavior
No more CVEs found.

Screenshots

Additional context
Add any other context about the problem here, E.g. Stackstace, workflow history.