Deis Workflow Manager race condition
Description
UNSUPPORTED WHEN ASSIGNED A vulnerability was found in Deis Workflow Manager up to 2.3.2. It has been classified as problematic. This affects an unknown part. The manipulation leads to a race condition. The complexity of an attack is rather high. The exploitability is said to be difficult. Upgrading to version 2.3.3 addresses this issue. The patch is identified as commit 31fe3bccbdde134a185752e53380330d16053f7f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-248847. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/deis/workflow-manager (Go) | < 2.3.3 | 2.3.3 |
Affected products
- Range: 2.3.0
Patches
31fe3bccbdde cluster_id is vulnerable to race condition when called concurrently (#94)
3 files changed · +9 −2
boot.go+1 −0 modified@@ -47,6 +47,7 @@ func main() { svPeriodic := jobs.NewSendVersionsPeriodic( apiClient, + clusterID, deisK8sResources, availableVersion, pollDur,
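Review bot: The fix only holds if the `clusterID` passed to jobs.NewSendVersionsPeriodic here is the single instance used by every code path that calls ClusterID.Get; the diffstat lists only boot.go, data/cluster_id.go and jobs/jobs.go, so any other consumer that still calls data.NewClusterIDFromPersistentStorage itself would get a separate mutex and remain unsynchronised against this one — worth checking before merging. The construction of `clusterID` is earlier in main, outside the hunk, so it is not visible here. A short comment at that declaration, `// clusterID must be the one shared instance; its Get serialises access to the cluster-id secret`, would make the invariant explicit for the next caller added. main continues outside the hunk.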
data/cluster_id.go+2 −0 modified@@ -51,6 +51,8 @@ func NewClusterIDFromPersistentStorage(sgc k8s.KubeSecretGetterCreator) ClusterI // Get is the ClusterID interface implementation func (c clusterIDFromPersistentStorage) Get() (string, error) { + c.rwm.Lock() + defer c.rwm.Unlock() secret, err := c.secretGetterCreator.Get(wfmSecretName) //If we don't have the secret we shouldn't be returning error and instead a create a new one if err != nil && !apierrors.IsNotFound(err) {
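Review bot: The lock added at the top of Get is taken through a value receiver, `func (c clusterIDFromPersistentStorage) Get()`, so if `rwm` is a `sync.RWMutex` stored by value in the struct (its declaration is outside the hunk) each call locks a fresh copy and concurrent callers are still not serialised; `go vet`'s copylocks check would report that case. Either change the receiver to `func (c *clusterIDFromPersistentStorage) Get() (string, error)` or declare the field as `*sync.RWMutex` initialised in NewClusterIDFromPersistentStorage. Using the exclusive `Lock` rather than `RLock` is right here, since the rest of the body creates the secret when it is not found, which is the check-then-act the race was in. The mutex only orders calls within one process, so if more than one workflow-manager instance can share the namespace both could still observe NotFound and attempt the create; the create path should tolerate an AlreadyExists response from the API — worth confirming. The body of Get continues outside the hunk.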
jobs/jobs.go+6 −2 modified@@ -22,6 +22,7 @@ type Periodic interface { // SendVersions fulfills the Periodic interface type sendVersions struct { k8sResources *k8s.ResourceInterfaceNamespaced + clusterID data.ClusterID apiClient *apiclient.WorkflowManager availableVersions data.AvailableVersions frequency time.Duration @@ -30,12 +31,14 @@ type sendVersions struct { // NewSendVersionsPeriodic creates a new SendVersions using sgc and rcl as the the secret getter / creator and replication controller lister implementations (respectively) func NewSendVersionsPeriodic( apiClient *apiclient.WorkflowManager, + clusterID data.ClusterID, ri *k8s.ResourceInterfaceNamespaced, availableVersions data.AvailableVersions, frequency time.Duration, ) Periodic { return &sendVersions{ k8sResources: ri, + clusterID: clusterID, apiClient: apiClient, availableVersions: availableVersions, frequency: frequency, @@ -45,7 +48,7 @@ func NewSendVersionsPeriodic( // Do is the Periodic interface implementation func (s sendVersions) Do() error { if config.Spec.CheckVersions { - err := sendVersionsImpl(s.apiClient, s.k8sResources, s.availableVersions) + err := sendVersionsImpl(s.apiClient, s.clusterID, s.k8sResources, s.availableVersions) if err != nil { return err } @@ -135,12 +138,13 @@ func DoPeriodic(pSlice []Periodic) chan<- struct{} { // sendVersions sends cluster version data func sendVersionsImpl( apiClient *apiclient.WorkflowManager, + clusterID data.ClusterID, k8sResources *k8s.ResourceInterfaceNamespaced, availableVersions data.AvailableVersions, ) error { cluster, err := data.GetCluster( data.NewInstalledDeisData(k8sResources), - data.NewClusterIDFromPersistentStorage(k8sResources.Secrets()), + clusterID, data.NewLatestReleasedComponent(k8sResources, availableVersions), ) if err != nil {
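Review bot: The doc comment on NewSendVersionsPeriodic is now further out of date: it still describes `sgc` and `rcl` parameters that do not exist ("the the" typo included) and says nothing about the new `clusterID` argument, which is what carries the fix, since data/cluster_id.go now locks inside Get and callers therefore have to share one instance instead of constructing their own per call as sendVersionsImpl used to. Suggest replacing it with `// NewSendVersionsPeriodic creates a SendVersions periodic that reports versions via apiClient, identifying the cluster through clusterID; pass the one shared ClusterID so concurrent Get calls are serialised.` and annotating the new struct field with `// clusterID is shared with other jobs; never construct a per-call instance here`. The constructor also accepts a nil clusterID, which would only surface later as a nil-interface panic in sendVersionsImpl's call to data.GetCluster, so a guard in NewSendVersionsPeriodic is worth considering. DoPeriodic and the remainder of sendVersionsImpl are outside the hunk.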
Vulnerability mechanics
References
- github.com/deis/workflow-manager/commit/31fe3bccbdde134a185752e53380330d16053f7f (ghsa: patch, WEB)
- github.com/deis/workflow-manager/releases/tag/v2.3.3 (ghsa: patch, WEB)
- github.com/advisories/GHSA-jpfp-xq3p-4h3r (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-15036 (ghsa: ADVISORY)
- github.com/deis/workflow-manager/pull/94 (ghsa: issue-tracking, WEB)
- vuldb.com (ghsa: signature, permissions-required, WEB)
- vuldb.com (ghsa: vdb-entry, WEB)
News mentions
No linked articles in our index yet.