
CVE-2022-41853, CVE-2016-1000027, GHSA-jgvc-jfgh-rjvv #1463

Closed
sean-redmond opened this issue Jun 6, 2023 · 4 comments · Fixed by #1464
Labels
medium priority Issues that are important, not highest, but also not lowest. security 🚨 Security-related issues

Comments

@sean-redmond (Contributor)

Here's what I did

 trivy image openrouteservice/openrouteservice:nightly

Here's what I got

openrouteservice/openrouteservice:nightly (alpine 3.17.3)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

2023-06-06T14:39:56.335+0300	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 2)

┌──────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│                 Library                  │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                          Title                          │
├──────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ org.bitbucket.b_c:jose4j (ors.war)       │ GHSA-jgvc-jfgh-rjvv │ MEDIUM   │ 0.7.9             │ 0.9.3         │ Chosen Ciphertext Attack in Jose4j                      │
│                                          │                     │          │                   │               │ https://github.com/advisories/GHSA-jgvc-jfgh-rjvv       │
├──────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ org.hsqldb:hsqldb (ors.war)              │ CVE-2022-41853      │ CRITICAL │ 2.5.2             │ 2.7.1         │ Untrusted input may lead to RCE attack                  │
│                                          │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-41853              │
├──────────────────────────────────────────┼─────────────────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ org.springframework:spring-web (ors.war) │ CVE-2016-1000027    │          │ 5.3.27            │ 6.0.0         │ spring: HttpInvokerServiceExporter readRemoteInvocation │
│                                          │                     │          │                   │               │ method untrusted java deserialization                   │
│                                          │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2016-1000027            │
└──────────────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

Here's what I was expecting

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Here's what I think could be improved

Bump package versions to resolve, the spring framework one could be more difficult as it looks to be a major version

@sean-redmond (Contributor, Author) commented Jun 6, 2023

It seems jose4j version can be resolved by bumping to <kafka.version>3.4.1</kafka.version> from current <kafka.version>3.4.0</kafka.version>

This is just based on analysis of the pom.xml in the master branch, using mvn dependency:tree | less to find what is pulling in jose4j, then using mvn versions:display-dependency-updates -DgroupId=org.apache.kafka -DartifactId=kafka to check the version bump options.

3.4.1 deps:

[image]

3.4.0 deps:

[image]

@MichaelsJP (Member) commented Jun 7, 2023

@sean-redmond Thanks for reporting. I'll quickly look into it.

Will be fixed in #1464

@MichaelsJP MichaelsJP linked a pull request Jun 7, 2023 that will close this issue
@MichaelsJP MichaelsJP added security 🚨 Security-related issues medium priority Issues that are important, not highest, but also not lowest. labels Jun 7, 2023
@sean-redmond (Contributor, Author)

I think the PR only resolves GHSA-jgvc-jfgh-rjvv; it looks like CVE-2022-41853 & CVE-2016-1000027 remain. Sorry, I don't think my comment was clear that updating kafka only resolved one of them.

@MichaelsJP (Member)

@sean-redmond

Maybe it's possible to exclude the affected packages, but I don't know if it's worth it. Do you have any hard limits?
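Constructed pom.xml fragment, added here and not taken from the openrouteservice pom, showing the two routes discussed in this thread: bumping the kafka.version property (the reporter's finding) and pinning or excluding the remaining flagged transitive artifacts (the maintainer's suggestion). The com.example coordinates are placeholders; the fixed versions are the ones trivy reported above.

```xml
<project>
  <properties>
    <!-- Before: <kafka.version>3.4.0</kafka.version> pulled in jose4j 0.7.9
         (GHSA-jgvc-jfgh-rjvv). Bumping the property moves the transitive
         jose4j to 0.9.3, per the reporter's dependency-tree comparison above. -->
    <kafka.version>3.4.1</kafka.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement also applies to transitive dependencies, so
           hsqldb resolves to 2.7.1 (the fixed version trivy reports for
           CVE-2022-41853) no matter which version a library requested. -->
      <dependency>
        <groupId>org.hsqldb</groupId>
        <artifactId>hsqldb</artifactId>
        <version>2.7.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- spring-web: the fix (6.0.0) is a major version, so the alternative the
         maintainer raises is an exclusion on the artifact that pulls it in.
         Only safe if nothing on the classpath needs spring-web; confirm with
         mvn dependency:tree -Dincludes=org.springframework:spring-web and the
         test suite. PLACEHOLDER coordinates below; take the real ones from
         the dependency tree. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>library-that-pulls-spring-web</artifactId>
      <version>1.0.0</version>
      <exclusions>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-web</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

After the change, re-run mvn dependency:tree and the trivy image scan to confirm the Java (jar) total drops to 0.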
