Update Werkzeug

[nickumia-reisys]

Please keep any sensitive details in Google Drive.

Date of report: 02/15/2023
Severity: High
Due date: 03/15/2023

Due date is based on severity and described in RA-5. 15-days for Critical, 30-days for High, and 90-days for Moderate and lower.

Brief description

From our automated snyk scans, the above vulnerability in the werkzeug package was highlighted. After an investigation, it seems like there is no path forward to patch it. The upgrade of werkzeug cascades into a bunch of breaking versions with Flask and Jinja2 and other packages. There is an open issue about running CKAN with the latest version of Flask and the patch release of CKAN 2.9.8 still references Flask==1.1.1.

There is an open ticket in upstream CKAN that talk about the work related to this upgrade

• Update CKAN to Flask 2.2.2 (or latest) ckan/ckan#7083

There was an old patch that was completed in 11/2022, but Snyk says that the new vulnerability requires a newer release,

• Update werkzeug dependency for security patch (cve-2022-29361) ckan/ckan#7207

Other list of references:

• https://stackoverflow.com/a/73109165
• https://github.com/pallets/werkzeug/blob/2.2.3/src/werkzeug/wrappers/__init__.py
• https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-3319936
• https://github.com/ckan/ckan/blob/ckan-2.10.0/requirements.in
• https://github.com/ckan/ckan/blob/ckan-2.9.8/requirements.in

[nickumia-reisys]

There is a better chance that we'll be able to patch this vulnerability if we are on CKAN 2.10.0 (but there may still be issues).

[nickumia-reisys]

See efforts to upgrade in the following two PRs:

• [Snyk + GH Actions] Update requirements - Werkzeug inventory-app#546
• [Snyk + GH Actions] Update requirements - Werkzeug catalog.data.gov#786

[hkdctol]

Adding a March milestone to this so that we will look at it again, but given the discussion today at sync this seems like it has to await the CKAN 2.10 update which is #4209

[nickumia-reisys]

Blocked by CKAN releasing compatibility changes to core code. See PR for details:

• Werkzeug + Flask vulnerabilities fixed with CKAN 2.10 inventory-app#622

[nickumia-reisys]

See comment

• Flask + Werkzeug Fixes? catalog.data.gov#989 (comment)

[btylerburton]

Conversation with CKAN core team on release schedule. No new developments, but at least they are aware that we are awaiting these fixes.

ckan/ckan#6381

[rshewitt]

ckan upstream ticket

[gujral-rei]

followed up with CKAN

[FuhuXia]

CKAN 2.11.0 fix ths issue with Werkzeug[watchdog]==3.0.3 in the requirements.txt.