Upcoming CosmWasm security patch: Codename Cherry

Tomorrow, on Tuesday, April 18th at 17:00 Berlin time (15h UTC / 8am Pacific Time), Confio will release a fix for a medium-severity security issue in CosmWasm. The patch for this issue will be distributed and communicated via the regular CosmWasm release process.

This issue impacts the availability of a chain running CosmWasm, and could allow for a malicious contract to trigger a crash that can halt the chain. Though chains that use CosmWasm with permissioned uploads or instantiation are not directly at risk, we advise chains that support permissionless contract instantiation to be prepared to apply the patch and to coordinate network upgrades as quickly as their processes allow to fully remediate the issue.

The patch is not a consensus-breaking security fix and can be applied in-place, and instructions will be provided to all maintainers tomorrow as part of the release process. We anticipate that the patch will be a simple, straightforward fix for chain maintainers as it is a matter of replacing one Go dependency and rebuilding the application.

The incident is tracked as CWA-2023-002, codename Cherry :cherries:.


Thank you very much both for the patch, and for the disclosure of the patch.


See advisories/CWA-2023-002.md at main · CosmWasm/advisories · GitHub for how to upgrade.

wasmvm 1.2.3 is ready: Release v1.2.3 · CosmWasm/wasmvm · GitHub
wasmvm 1.1.2 is ready: Release v1.1.2 · CosmWasm/wasmvm · GitHub
wasmvm 1.0.1 is ready: Release v1.0.1 · CosmWasm/wasmvm · GitHub

The other ones are built right now.
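As an added example (not code from Confio or from any poster in this thread): a Go check that reads a chain's go.mod, resolves the effective `github.com/CosmWasm/wasmvm` version including `replace` directives, and compares it with the patched releases listed above. The function names and status strings are illustrative assumptions; release lines other than 1.0, 1.1 and 1.2 come back as "unknown" because the thread does not list their fixed versions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const wasmvm = "github.com/CosmWasm/wasmvm"
// Patch number of the fixed release on each release line listed in the thread.
var fixedPatch = map[string]int{"1.2": 3, "1.1": 2, "1.0": 1}

// EffectiveVersion: the wasmvm version a go.mod resolves to; replace beats require.
func EffectiveVersion(gomod string) (version string) {
	replaced := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(strings.TrimSpace(sc.Text()), "//")
		line = strings.TrimPrefix(strings.TrimPrefix(line, "require "), "replace ")
		lhs, rhs, isReplace := strings.Cut(line, "=>")
		l, r := strings.Fields(lhs), strings.Fields(rhs)
		switch {
		case len(l) == 0 || l[0] != wasmvm: // another module or a block delimiter
		case isReplace && len(r) == 2 && r[0] == wasmvm:
			version, replaced = r[1], true
		case isReplace: // local path or different module: cannot be judged here
			version, replaced = "fork", true
		case !replaced && len(l) == 2:
			version = l[1]
		}
	}
	return version
}

// Status: "patched", "needs-upgrade", or "unknown" for lines the thread does not list.
func Status(version string) string {
	var major, minor, patch int
	n, _ := fmt.Sscanf(version, "v%d.%d.%d", &major, &minor, &patch)
	fixed, known := fixedPatch[fmt.Sprintf("%d.%d", major, minor)]
	if n != 3 || !known || strings.Contains(version, "-") {
		return "unknown"
	} else if patch < fixed {
		return "needs-upgrade"
	}
	return "patched"
}

func main() { // constructed input
	fmt.Println(Status(EffectiveVersion("require " + wasmvm + " v1.2.1")))
}
```

A "fork" or "unknown" result means the dependency has to be reviewed by hand against the advisory.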


If someone is hitting segmentation faults after applying the patch, please note this: Add section "Wasm module cache issue" · CosmWasm/advisories@9832abb · GitHub


A description of the vulnerability was added to CWA-2023-002. Also check out the detailed issue description published by the reporters from Jump Crypto: Stop the Chain! CosmWasm Stack Overflow.

As far as I can see all affected systems got the chance to fix their systems in time.



imo both Jump and Confio did highly praiseworthy work here.
