Dear community,
On Wednesday, January 10th, between 10:00 and 12:00 Berlin time, Confio will release a fix for a high-severity security issue in the CosmWasm virtual machine, tracked as CWA-2023-004. The patch for this issue will be distributed and communicated via the regular CosmWasm release process.
This issue impacts the availability of a chain running CosmWasm. Chains that use CosmWasm with permissioned uploads or instantiations are not directly at risk. We advise chains that support permissionless contract upload and instantiation to be prepared to apply the patch and to coordinate network upgrades as quickly as their processes allow, to fully remediate the issue.
The patch is a non-consensus-breaking security fix and can be applied in place. Instructions will be provided as part of the release process. We anticipate that the patch will be a simple, straightforward fix for chain maintainers, as it is a matter of updating the wasmvm Go dependency and rebuilding the application.
Patches will be provided for wasmvm 1.2, 1.3, 1.4 and 1.5. Please note that 1.2 has reached end of life and this is the last patch for this version.
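As an added illustration (not Confio's code and not part of this announcement), the following POSIX shell script shows the kind of pre-check a chain maintainer can run before the release lands: it reads the wasmvm version pinned in the chain's go.mod, compares it against a required minimum for that line, and lists the update-and-rebuild steps in comments. The go.mod fragment is constructed, and the minimum version `v1.5.1` is a placeholder to be replaced with the version named in the CWA-2023-004 release for the 1.2/1.3/1.4/1.5 line the chain runs.

```shell
#!/bin/sh
# Added example, not Confio's code: check whether a chain's go.mod pins a wasmvm
# version at or above a required minimum, then rebuild. The minimum is a
# PLACEHOLDER; take the real one from the CWA-2023-004 release notes.

# Print the wasmvm version pinned in go.mod text read from stdin. Handles both
# "require github.com/CosmWasm/wasmvm vX.Y.Z" and the multi-line require block.
wasmvm_version_from_gomod() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "github.com/CosmWasm/wasmvm") { print $(i + 1); exit } }'
}

# semver_ge A B: succeed when A >= B, comparing major, minor and patch numerically.
# A pre-release suffix such as v1.5.0-rc1 is ignored in the patch comparison.
semver_ge() {
  a=${1#v}; b=${2#v}
  a_major=${a%%.*}; a=${a#*.}; a_minor=${a%%.*}; a_patch=${a#*.}; a_patch=${a_patch%%[!0-9]*}
  b_major=${b%%.*}; b=${b#*.}; b_minor=${b%%.*}; b_patch=${b#*.}; b_patch=${b_patch%%[!0-9]*}
  if [ "$a_major" -ne "$b_major" ]; then [ "$a_major" -gt "$b_major" ]; return; fi
  if [ "$a_minor" -ne "$b_minor" ]; then [ "$a_minor" -gt "$b_minor" ]; return; fi
  [ "$a_patch" -ge "$b_patch" ]
}

# wasmvm_status MIN: read go.mod from stdin and print "patched", "needs-upgrade"
# or "not-found" (no wasmvm dependency, i.e. the chain does not embed CosmWasm).
wasmvm_status() {
  pinned=$(wasmvm_version_from_gomod)
  if [ -z "$pinned" ]; then echo "not-found"; return; fi
  if semver_ge "$pinned" "$1"; then echo "patched"; else echo "needs-upgrade"; fi
}

# Constructed go.mod fragment standing in for a chain's real go.mod.
SAMPLE_GOMOD='module example.com/mychaind

go 1.21

require (
	example.com/somelib v0.1.0
	github.com/CosmWasm/wasmvm v1.5.0
)'

# PLACEHOLDER minimum for the 1.5 line; export WASMVM_MIN with the version
# announced in the CWA-2023-004 release for the line you run.
REQUIRED_MIN="${WASMVM_MIN:-v1.5.1}"

printf '%s\n' "$SAMPLE_GOMOD" | wasmvm_status "$REQUIRED_MIN"   # needs-upgrade

# Steps to apply the fix in a checked-out chain repository (shown, not run here):
#   go get "github.com/CosmWasm/wasmvm@$REQUIRED_MIN" && go mod tidy
#   rebuild the node binary with the chain's usual build target, then confirm the
#   embedded dependency version with:  go version -m ./<chaind> | grep CosmWasm/wasmvm
# Static (muslc) builds also need the libwasmvm_muslc.a matching the new version.
```

The version check is a plain string comparison of major, minor and patch, which is enough for the wasmvm release lines named above; `go version -m` on the rebuilt binary is the step that actually proves the running node carries the patched dependency rather than a stale build.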
Update 2024-01-09
I had to make a small correction to the announcement: chains that allow permissionless uploads and permissioned instantiations are partially affected as well and should upgrade. A chain is only safe if no malicious Wasm can be stored.