Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

spring-beans: uses version with CVEs only via invoker #1417

Merged
merged 1 commit into from
Feb 27, 2024
Merged

spring-beans: uses version with CVEs only via invoker #1417

merged 1 commit into from
Feb 27, 2024

Conversation

codefromthecrypt
Copy link
Member

@codefromthecrypt codefromthecrypt commented Feb 27, 2024
edited
Loading

Similar to #1413, this hides the intentionally not updated version in an invoker test.

Fixes #1411

@codefromthecrypt
Copy link
Member Author

after this, the only non-it modules that show up in trivy are the benchmarks, which are mostly around resteasy usage there. @reta you mind seeing if we can upgrade resteasy or accomplish similar without it?

instrumentation/benchmarks/pom.xml (pom)

Total: 13 (UNKNOWN: 0, LOW: 0, MEDIUM: 10, HIGH: 2, CRITICAL: 1)

┌──────────────────────────────────────┬──────────────────┬──────────┬──────────┬───────────────────┬───────────────────────────┬──────────────────────────────────────────────────────────────┐
│               Library                │  Vulnerability   │ Severity │  Status  │ Installed Version │       Fixed Version       │                            Title                             │
├──────────────────────────────────────┼──────────────────┼──────────┼──────────┼───────────────────┼───────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.rabbitmq:amqp-client             │ CVE-2023-46120   │ MEDIUM   │ fixed    │ 5.9.0             │ 5.18.0                    │ RabbitMQ Java client's Lack of Message Size Limitation leads │
│                                      │                  │          │          │                   │                           │ to Remote DoS...                                             │
│                                      │                  │          │          │                   │                           │ https://avd.aquasec.com/nvd/cve-2023-46120                   │
├──────────────────────────────────────┼──────────────────┤          │          ├───────────────────┼───────────────────────────┼──────────────────────────────────────────────────────────────┤
│ io.netty:netty-handler               │ CVE-2023-34462   │          │          │ 4.1.93.Final      │ 4.1.94.Final              │ netty: SniHandler 16MB allocation leads to OOM               │
│                                      │                  │          │          │                   │                           │ https://avd.aquasec.com/nvd/cve-2023-34462                   │
├──────────────────────────────────────┼──────────────────┼──────────┤          ├───────────────────┼───────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.jboss.resteasy:resteasy-client   │ CVE-2020-1695    │ HIGH     │          │ 3.0.19.Final      │ 4.6.0, 3.12.0             │ resteasy: Improper validation of response header in          │
│                                      │                  │          │          │                   │                           │ MediaTypeHeaderDelegate.java class                           │
│                                      │                  │          │          │                   │                           │ https://avd.aquasec.com/nvd/cve-2020-1695                    │
│                                      ├──────────────────┼──────────┤          │                   ├───────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                      │ CVE-2016-6345    │ MEDIUM   │          │                   │ 3.0.20.Final, 3.1.0.CR1   │ RESTEasy: Insufficient use of random values in RESTEasy      │
│                                      │                  │          │          │                   │                           │ async jobs could lead...                                     │
│                                      │                  │          │          │                   │                           │ https://avd.aquasec.com/nvd/cve-2016-6345                    │
│                                      ├──────────────────┤          │          │                   │                           ├──────────────────────────────────────────────────────────────┤
│                                      │ CVE-2016-6347    │          │          │                   │                           │ RESTEasy: Use of the default exception handler in RESTEasy   │
│                                      │                  │          │          │                   │                           │ can lead to...                                               │
│                                      │                  │          │          │                   │                           │ https://avd.aquasec.com/nvd/cve-2016-6347                    │
│                                      ├──────────────────┤          │          │                   ├───────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                      │ CVE-2016-6348    │          │          │                   │ 3.0.20.Final              │ RESTEasy: Use of JacksonJsonpInterceptor in RESTEasy can     │
│                                      │                  │          │          │                   │                           │ lead to Cross Site Script...                                 │
│                                      │                  │          │          │                   │                           │ https://avd.aquasec.com/nvd/cve-2016-6348                    │
│                                      ├──────────────────┤          │          │                   ├───────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                      │ CVE-2020-25633   │          │          │                   │ 4.5.7.Final, 3.14.0.Final │ potential sensitive information leakage in JAX-RS RESTEasy   │
│                                      │                  │          │          │                   │                           │ Client's WebApplicationException handling                    │
│                                      │                  │          │          │                   │                           │ https://avd.aquasec.com/nvd/cve-2020-25633                   │
├──────────────────────────────────────┼──────────────────┤          ├──────────┼───────────────────┼───────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.jboss.resteasy:resteasy-undertow │ CVE-2023-0482    │          │ affected │ 3.15.6.Final      │                           │ RESTEasy: creation of insecure temp files                    │
│                                      │                  │          │          │                   │                           │ https://avd.aquasec.com/nvd/cve-2023-0482                    │
├──────────────────────────────────────┼──────────────────┤          ├──────────┼───────────────────┼───────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.amqp:spring-amqp │ CVE-2021-22095   │          │ fixed    │ 2.3.6             │ 2.2.19, 2.3.11            │ Deserialization of Untrusted Data in Spring AMQP             │
│                                      │                  │          │          │                   │                           │ https://avd.aquasec.com/nvd/cve-2021-22095                   │
│                                      ├──────────────────┤          │          │                   │                           ├──────────────────────────────────────────────────────────────┤
│                                      │ CVE-2021-22097   │          │          │                   │                           │ Deserialization of Untrusted Data in Spring AMQP             │
│                                      │                  │          │          │                   │                           │ https://avd.aquasec.com/nvd/cve-2021-22097                   │
├──────────────────────────────────────┼──────────────────┤          │          ├───────────────────┼───────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-messaging │ CVE-2022-22971   │          │          │ 5.3.5             │ 5.3.20, 5.2.22.RELEASE    │ DoS with STOMP over WebSocket                                │
│                                      │                  │          │          │                   │                           │ https://avd.aquasec.com/nvd/cve-2022-22971                   │
├──────────────────────────────────────┼──────────────────┼──────────┤          ├───────────────────┼───────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-web       │ CVE-2016-1000027 │ CRITICAL │          │ 5.3.31            │ 6.0.0                     │ spring: HttpInvokerServiceExporter readRemoteInvocation      │
│                                      │                  │          │          │                   │                           │ method untrusted java deserialization                        │
│                                      │                  │          │          │                   │                           │ https://avd.aquasec.com/nvd/cve-2016-1000027                 │
│                                      ├──────────────────┼──────────┤          │                   ├───────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                      │ CVE-2024-22243   │ HIGH     │          │                   │ 6.1.4, 6.0.17, 5.3.32     │ springframework: URL Parsing with Host Validation            │
│                                      │                  │          │          │                   │                           │ https://avd.aquasec.com/nvd/cve-2024-22243                   │
└──────────────────────────────────────┴──────────────────┴──────────┴──────────┴───────────────────┴───────────────────────────┴──────────────────────────────────────────────────────────────┘

@codefromthecrypt
Copy link
Member Author

added a new issue to track what to do about spring 6, which set floor JRE to 17 #1418

spring-beans: uses version with CVEs only via invoker
adb309a 
Similar to #1413, this hides the intentionally not updated version in an
invoker test.

Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
codefromthecrypt commented Feb 27, 2024
View reviewed changes
Copy link
Member Author

@codefromthecrypt codefromthecrypt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed the other spring invoker tests as they didn't use the correct versions

instrumentation/spring-web/src/it/spring3/pom.xml
@@ -36,7 +36,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>@spring.version@</version>
<version>@spring3.version@</version>
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed this

instrumentation/spring-webmvc/src/it/servlet25/pom.xml
@@ -40,7 +40,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>@spring.version@</version>
<version>@spring3.version@</version>
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and this

@codefromthecrypt codefromthecrypt merged commit 91fcd8e into master Feb 27, 2024
3 checks passed
@codefromthecrypt codefromthecrypt deleted the spring-it branch February 27, 2024 04:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anuraaga anuraaga Awaiting requested review from anuraaga

@reta reta Awaiting requested review from reta

@shakuzen shakuzen Awaiting requested review from shakuzen

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

change dependency priority on spring-beans
1 participant
@codefromthecrypt