< Back

CubeFS completes third-party security audit


CubeFS completes third-party security audit

CubeFS is happy to announce the completion of its third-party security audit. The audit was conducted by Ada Logicsopen in new window in collaboration with the CubeFS maintainers, OSTIF and the CNCF.

Ada Logics is a well-established security auditing firm with vast experience in auditing projects in the cloud-native ecosystem, having audited several other CNCF projects in the past such as containerd, Helm, Kubernetes, Vitess, Notary v2 and others. CubeFS is happy to have partnered with Ada Logics to show a strong commitment to security for the CubeFS consumers.

Ada Logics carried out a holistic security audit of CubeFS with focus on threat modelling, manual code review and supply-chain security. The audit found 12 security issues ranging from Low to Moderate severity of which 5 were assigned CVEs.

1Authenticated users can crash the CubeFS servers with maliciously crafted requestsCVE-2023-46738Moderate
2Timing attack can leak user passwordsCVE-2023-46739Moderate
3Insecure random string generator used for sensitive dataCVE-2023-46740Moderate
4CubeFS leaks magic secret key when starting Blobstore access serviceCVE-2023-46741Moderate
5CubeFS leaks users key in logsCVE-2023-46742Moderate

Besides these five CVEs, other found issues included potential deadlocks, nil-dereference panics, slowloris issues, missing signatures with releases, issues with CubeFS’s security policy and insecure cryptographic primitives.

The CubeFS team has fixed all the found issues at the end of the audit. All issues have been resolved in CubeFS v3.3.1.

Furthermore, Ada Logics recommended CubeFS to add additional SAST tooling to its SAST suite which has also been added. During the audit, the auditors used SAST tools to find true positive security issues, and these SAST tools now run in CubeFS’s CI, such that future pull requests are tested for potential harmful security changes.

In the context of software supply-chain security, Ada Logics found that CubeFS maintains its software development lifecycle very well in certain areas, but is missing substantial elements to mitigate well-known supply-chain risks. Most prominently, CubeFS lacks provenance with its releases. Provenance is a critical element of SLSA which is a state-of-the-art framework to mitigate supply-chain risks. Adding verifiable provenance to releases allows consumers to mitigate several attack vectors from CubeFS’s software development lifecycle. CubeFS has created a public issueopen in new window to track the ongoing work to support verifiable provenance.

CubeFS maintains an open security disclosure policy. If you are interested in contributing to CubeFS’s security, you are welcome to submit your findings by following the security guidelinesopen in new window. In addition, CubeFS has an open meeting scheduleopen in new window where community members are welcome to join.

We would like to thank the team Ada Logics, Adam and David Korczynski and their team, for their hard work and contributions in making this successful audit possible. We would like to thank the team at CubeFS, specifically Leon Chang, Lei Zhang, Xiaochun He, and Baijiaruo for their clarity, expertise, and kindness over the course of this engagement. They were an extremely responsive team, and active participants in the audit in a way that benefits not just the engagement, but project users and contributors.Finally, this would not have been possible without the funding and support of the CNCF. Open source security work is made possible by their contributions and foundation.