
fix CVE-2024-57699 for predefined parsers #233

Merged
merged 1 commit into from
Feb 8, 2025

Conversation

ccudennec-otto
Contributor

@ccudennec-otto ccudennec-otto commented Feb 7, 2025

fixes #232

Hi @UrielCh!

This is my first PR in your project. I hope it helps to fix the new CVE. I hope that I took the right approach.

Cheers,

Christopher

@norrisjeremy

Is there a reason for all the whitespace changes?
It makes this PR harder to review.

@ccudennec-otto ccudennec-otto force-pushed the fix-CVE-2024-57699 branch 2 times, most recently from 2510b41 to e8b2320 on February 7, 2025 18:45
@ccudennec-otto
Contributor Author

Is there a reason for all the whitespace changes?
It makes this PR harder to review.

@norrisjeremy
Agreed! I've reverted the whitespace changes - those got added by my IDE and I forgot to double-check the diffs.

@hezhangjian
Collaborator

hezhangjian left a comment

I think it's reasonable to default to security, WDYT @UrielCh

@UrielCh
Contributor

UrielCh commented Feb 8, 2025

the changelog is up to date, nice.

@UrielCh
Contributor

UrielCh commented Feb 8, 2025

so the change is that LIMIT_JSON_DEPTH was not enabled by default ?

@UrielCh UrielCh merged commit 852caf6 into netplex:master Feb 8, 2025
5 checks passed
@cricstats

cricstats commented Feb 9, 2025

When will the new 2.5.2 release be available in the maven repo ?

@ccudennec-otto
Contributor Author

Hi @UrielCh and thanks for merging! 🌻

so the change is that LIMIT_JSON_DEPTH was not enabled by default ?

Yes, exactly. Now we're defaulting to security to quote @hezhangjian 🙂

Everyone who creates their own parser instead of using the default MODE constants still needs to enable the option, though.

When will the new 2.5.2 release be available in the maven repo ?

A new release would be highly appreciated by the Spring Security world. 😄

@ccudennec-otto
Contributor Author

I think this comment is also helpful (taken from https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/494/json-smart-and-cve-2024-57699-configure)

All JSON parsing in the OIDC SDK is done in JSONUtils. The CVE fix can be applied here, independently of the upstream fix.

That means:

  • com.nimbusds:oauth2-oidc-sdk is able to fix this issue on their side without waiting for a new release of json-smart; they've released version 11.22.1 that fixes the issue.
  • if you manage the JSONParser in your project, you can / must take care of enabling the option yourself
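The two comments above make the same point: the fix only changes the predefined MODE constants, so a hand-built parser mode still has to OR in LIMIT_JSON_DEPTH itself. The following is an added example, not code from this PR or from json-smart; the JSONParser flags and ParseException are json-smart's public API, while the wrapper class, the hasDepthLimit helper, the custom mode and the nested-array probe are constructed here for illustration.

```java
import net.minidev.json.parser.JSONParser;
import net.minidev.json.parser.ParseException;

public final class SafeJsonParserFactory {

    // Wrap any base mode so the depth limit is always present, whether the caller
    // starts from a predefined MODE constant or from a custom set of ACCEPT_* flags.
    public static JSONParser hardened(int baseMode) {
        return new JSONParser(baseMode | JSONParser.LIMIT_JSON_DEPTH);
    }

    // Configuration check: does this mode carry the depth-limit bit?
    public static boolean hasDepthLimit(int mode) {
        return (mode & JSONParser.LIMIT_JSON_DEPTH) != 0;
    }

    // Constructed probe input: an array nested `depth` levels deep, e.g. "[[[]]]".
    static String nestedArray(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) {
        // Hypothetical custom mode built from individual flags; it does NOT include
        // LIMIT_JSON_DEPTH, which is exactly the case the PR does not cover.
        int customMode = JSONParser.ACCEPT_SIMPLE_QUOTE | JSONParser.ACCEPT_NON_QUOTE;
        System.out.println("custom mode has depth limit: " + hasDepthLimit(customMode));
        // From 2.5.2 the predefined constant should report true here.
        System.out.println("MODE_PERMISSIVE has depth limit: "
                + hasDepthLimit(JSONParser.MODE_PERMISSIVE));

        JSONParser parser = hardened(customMode);
        String deep = nestedArray(10_000);
        try {
            parser.parse(deep);
            System.out.println("parsed deeply nested input (limit not effective)");
        } catch (ParseException e) {
            // Expected outcome with the limit enabled: a clean, catchable parse error.
            System.out.println("rejected by depth limit: " + e.getMessage());
        } catch (StackOverflowError e) {
            // The CWE-674 failure mode this CVE describes: recursion exhausted the stack.
            System.out.println("stack overflow: depth limit is missing on this parser");
        }
    }
}
```

The same hasDepthLimit check can be run against every mode value your code base passes to new JSONParser(int) to find parsers that still need the flag.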

@UrielCh
Contributor

UrielCh commented Feb 9, 2025

I’ve submitted a request to migrate my access to the new central.sonatype.com and am awaiting validation from support.

@cricstats

I’ve submitted a request to migrate my access to the new central.sonatype.com and am awaiting validation from support.

Thank you, we are eagerly awaiting the release for this.

@airvine-r7

Likewise, awaiting this release ASAP.

@yeikel

yeikel commented Feb 10, 2025

Submitted github/advisory-database#5257 to document the fix in GH Advisory database

@airvine-r7

Any update on this? @UrielCh

@UrielCh
Contributor

UrielCh commented Feb 11, 2025

Last update 22h ago, should get next update in 2 hours

@cbertoldi

I have a question: it seems that the version 2.5.2 is now available, but the older versions disappeared from the metadata XML file:
the file https://repo.maven.apache.org/maven2/net/minidev/json-smart/maven-metadata.xml contains the following:

  <groupId>net.minidev</groupId>
  <artifactId>json-smart</artifactId>
  <versioning>
    <latest>2.5.2</latest>
    <release>2.5.2</release>
    <versions>
      <version>2.5.2</version>
    </versions>
    <lastUpdated>20250212044256</lastUpdated>
  </versioning>

no older versions are present, but if you check a mirror that probably has not been updated yet https://maven-central-eu.storage-download.googleapis.com/maven2/net/minidev/json-smart/maven-metadata.xml
it contains many older versions except the latest one:

  <groupId>net.minidev</groupId>
  <artifactId>json-smart</artifactId>
  <versioning>
    <latest>2.5.1</latest>
    <release>2.5.1</release>
    <versions>
      1.0.6.3 1.0.8 1.0.9 1.0.9-1 1.1 1.1.1 1.2 1.3 1.3.1 1.3.2 1.3.3 2.0-RC1 2.0-RC2 2.0-RC3 2.0 2.1.0 2.1.1 2.2 2.2.1 2.3 2.3.1 2.4.1 2.4.2 2.4.4 2.4.5 2.4.6 2.4.7 2.4.8 2.4.9 2.4.10 2.4.11 2.5.0 2.5.1
    </versions>
    <lastUpdated>20240321051508</lastUpdated>
  </versioning>

Has the 2.5.2 version been released in a different way than usual?

This change broke the mvn dependency:go-offline behaviour:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.8.1:go-offline (default-cli) on project slorder-mod-security: org.eclipse.aether.resolution.DependencyResolutionException: Failed to collect dependencies at org.springframework.boot:spring-boot-starter-oauth2-client:jar:3.4.2 -> org.springframework.security:spring-security-oauth2-client:jar:6.4.2 -> com.nimbusds:oauth2-oidc-sdk:jar:9.43.4 -> net.minidev:json-smart:jar:[1.3.3,2.4.10]: No versions available for net.minidev:json-smart:jar:[1.3.3,2.4.10] within specified range

@marcelstoer

See #240

@martinwunderlich-celonis

Does this fix also resolve the CVE GHSA-pq2g-wx69-c263 ? If not, any plans to include that in a future update?

@ArloL

ArloL commented Feb 13, 2025

If you look on the right hand side of GHSA-pq2g-wx69-c263 you'll see the CVE ID CVE-2024-57699 . So yes it's the same finding :)

@marcelstoer

GHSA-pq2g-wx69-c263 references this issue. It also says

Patched versions 2.5.2

@dadoonet

dadoonet commented Feb 13, 2025

Weird. It seems that on my end 2.5.2 is still marked as containing CVE-2024-57699:

Error:  Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (audit-dependencies) on project fscrawler-framework: Detected 1 vulnerable components:
Error:    net.minidev:json-smart:jar:2.5.2:runtime; https://ossindex.sonatype.org/component/pkg:maven/net.minidev/json-smart@2.5.2?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2024-57699] CWE-674: Uncontrolled Recursion (8.7); https://ossindex.sonatype.org/vulnerability/CVE-2024-57699?component-type=maven&component-name=net.minidev%2Fjson-smart&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

Maybe it's a "bug" on sonatype side? https://ossindex.sonatype.org/vulnerability/CVE-2024-57699

UPDATE: I opened: sonatype/ossindex-maven#84

@JoergSiebahn

fyi, I added a PR for the PoC that is referenced in https://ossindex.sonatype.org/vulnerability/CVE-2024-57699 which uses 2.5.2 and does not fail with exit code 1.

@yeikel

yeikel commented Feb 13, 2025

Weird. It seems that on my end 2.5.2 is still marked as containing CVE-2024-57699:

Error:  Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (audit-dependencies) on project fscrawler-framework: Detected 1 vulnerable components:
Error:    net.minidev:json-smart:jar:2.5.2:runtime; https://ossindex.sonatype.org/component/pkg:maven/net.minidev/json-smart@2.5.2?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2024-57699] CWE-674: Uncontrolled Recursion (8.7); https://ossindex.sonatype.org/vulnerability/CVE-2024-57699?component-type=maven&component-name=net.minidev%2Fjson-smart&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

Maybe it's a "bug" on sonatype side? https://ossindex.sonatype.org/vulnerability/CVE-2024-57699

UPDATE: I opened: sonatype/ossindex-maven#84

This is because sonatype uses its own CVE database. We need to report to them individually that there is a known version that is not vulnerable


Successfully merging this pull request may close these issues.

CVE-2024-57699 raised against 2.5.0...2.5.1