Tendermint Core Security Advisory Mulberry

Recently, the Tendermint Core team became aware of a high-severity security vulnerability that impacts Tendermint Core v0.34.0 and later. A patch for the issue, which requires no breaking changes, will be released in version v0.34.3 of Tendermint Core, in version v0.40.1 of the Cosmos SDK, and in version 3.0.1 of Gaia at 16:00 UTC on Tuesday, January 19, 2021.

This vulnerability does not impact the current Cosmos Hub, although it is present in Gaia’s scheduled commit for the Stargate Hub Upgrade. Cosmos core developers encourage all Hub operators to choose Gaia v3.0.1 or later when upgrading for Stargate.

This notice has been posted in accordance with our vulnerability disclosure policy. For future security alerts for Tendermint Core, you can also subscribe to our dedicated security mailing list.

The patch that resolves the issues comprising Security Advisory Mulberry has been released in v0.34.3 of Tendermint Core. Source code and binaries are available on our release page: Release 0.34.3 (WARNING: BETA SOFTWARE) · tendermint/tendermint · GitHub

Patches for the Cosmos SDK and Gaia, v0.40.1 and v3.0.1, respectively, will be released shortly; the release process was delayed by the GitHub Actions outage earlier today.

Thank you for your patience!

The patches that resolve the issues comprising Security Advisory Mulberry have been released in v0.34.3 of Tendermint Core, in v0.40.1 of the Cosmos SDK, and in version 3.0.1 of Gaia. All releases are now available to the public. The Cosmos SDK and Gaia releases were delayed by 24 hours, but future security updates will be released on a tightened timeline.

A full timeline of the vulnerability disclosure and coordination activities that comprise this release should be available by Tuesday, January 26.

You can find source code and binaries available on the respective release pages:

Again, this vulnerability does not impact the current Cosmos Hub, although it is present in Gaia’s scheduled commit for the Stargate Hub Upgrade.

Cosmos core developers encourage all Hub operators to choose Gaia v3.0.1 or later when upgrading for Stargate.

Update: As of January 25, Cosmos core developers are advocating for rescheduling the Stargate Upgrade. (See https://www.mintscan.io/cosmos/proposals/36 for more details.)

When the new Stargate Hub Upgrade proposal goes live, it will include a commit hash that points to a fully-patched version of Gaia. Therefore, Cosmos Hub operators do not need to worry about Security Advisory Mulberry.