
VAS-11340: minor upgrade on spring boot #1356

Merged: 2 commits merged into develop from feature/vas-11340-vitamui-clean-codes on Jul 24, 2023

Conversation

@bbenaissa (Collaborator) commented May 31, 2023

Description

The goal of this PR is to fix security issues detected in certain library versions:

GUAVA:

Security fixes

Reimplemented Files.createTempDir and FileBackedOutputStream to further address https://github.com/advisories/GHSA-5mg8-w23w-74h3 ([#4011](https://redirect.github.com/google/guava/issues/4011)) and https://github.com/advisories/GHSA-7g45-4rm6-3mm3 ([#2575](https://redirect.github.com/google/guava/issues/2575)). (feb83a1c8f)

While GHSA-5mg8-w23w-74h3 was officially closed when we deprecated Files.createTempDir in Guava 30.0, we've heard from users that even recent versions of Guava have been listed as vulnerable in other databases of security vulnerabilities. In response, we've reimplemented the method (and the very rarely used FileBackedOutputStream class, which had a similar issue) to eliminate the insecure behavior entirely. This change could technically affect users in a number of different ways (discussed under "Incompatible changes" below), but in practice, the only problem users are likely to encounter is with Windows. If you are using those APIs under Windows, you should skip 32.0.0 and go straight to 32.0.1 which fixes the problem. (Unfortunately, we didn't think of the Windows problem until after the release. And while we warn that common.io in particular may not work under Windows, we didn't intend to regress support.) Sorry for the trouble.

Spring Boot:

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

Specifically, an application is vulnerable if all of the following conditions are true:

The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath.
The application makes use of Spring Boot's welcome page support, either static or templated.
Your application is deployed behind a proxy which caches 404 responses.

Your application is NOT vulnerable if any of the following are true:

Spring MVC auto-configuration is disabled. This is true if WebMvcAutoConfiguration is explicitly excluded, if Spring MVC is not on the classpath, or if spring.main.web-application-type is set to a value other than SERVLET.
The application does not use Spring Boot's welcome page support.
You do not have a proxy which caches 404 responses.

Affected Spring Products and Versions

Spring Boot

3.0.0 to 3.0.6
2.7.0 to 2.7.11
2.6.0 to 2.6.14
2.5.0 to 2.5.14

Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigations:

3.0.x users should upgrade to 3.0.7+
2.7.x users should upgrade to 2.7.12+
2.6.x users should upgrade to 2.6.15+
2.5.x users should upgrade to 2.5.15+

Users of older, unsupported versions should upgrade to 3.0.7+ or 2.7.12+.

Workarounds: configure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application.

Contributor

VAS (Vitam Accessible en Service)
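Two checks that follow from the Spring Boot advisory quoted in the description, written here as an added example; this is not code from the vitam-ui PR, from Spring, or from any proxy vendor. `is_affected` encodes the advisory's "Affected Spring Products and Versions" ranges for a Maven-style version string (branches the advisory does not list, such as 3.1, are treated as not affected, which is an assumption of this example). `CachingProxy` is a deliberately minimal model of a reverse-proxy cache: it shows why a cache that stores 404s for `/` turns one bad upstream answer into a denial of service for every later visitor, and that either half of the advisory's workaround (do not cache 404s, do not cache `/`) is enough to stop it. `SAMPLE_TRAFFIC` is constructed sample data, not a capture from any deployment.

```python
"""Added example, not code from the vitam-ui PR or from Spring.

1. is_affected(): the advisory's affected ranges applied to a version string.
2. CachingProxy: a minimal model of a reverse-proxy cache showing why caching
   a 404 for "/" becomes a persistent denial of service, and how the
   advisory's workaround (do not cache 404s and/or do not cache "/") ends it.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# First fixed patch level on each branch, per the advisory's mitigation
# table: 3.0.7+, 2.7.12+, 2.6.15+, 2.5.15+.
FIRST_FIXED = {(3, 0): 7, (2, 7): 12, (2, 6): 15, (2, 5): 15}


def parse_version(version: str) -> tuple[int, int, int]:
    """Return (major, minor, patch); qualifiers such as .RELEASE or
    -SNAPSHOT are ignored."""
    nums: list[int] = []
    for part in version.replace("-", ".").split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    if len(nums) < 3:
        raise ValueError(f"cannot parse Spring Boot version {version!r}")
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIRST_FIXED:
        return patch < FIRST_FIXED[branch]
    # Below 2.5 is "older, unsupported" and listed as affected.  Branches the
    # advisory does not list (3.1 and later) are treated here as not affected;
    # that is an assumption of this example, not a statement of the advisory.
    return branch < (2, 5)


@dataclass(frozen=True)
class CachePolicy:
    cache_404: bool   # does the proxy store 404 responses?
    cache_root: bool  # does the proxy store responses for "/"?


# The vulnerable setup from the advisory and the two workaround variants.
WEAK = CachePolicy(cache_404=True, cache_root=True)
NO_404_CACHE = CachePolicy(cache_404=False, cache_root=True)
HARDENED = CachePolicy(cache_404=False, cache_root=False)


@dataclass
class CachingProxy:
    policy: CachePolicy
    cache: dict[str, int] = field(default_factory=dict)  # path -> status

    def handle(self, path: str, upstream_status: int) -> tuple[int, bool]:
        """Serve one request; returns (status sent to the client, cache hit)."""
        if path in self.cache:
            return self.cache[path], True
        storable = True
        if upstream_status == 404 and not self.policy.cache_404:
            storable = False
        if path == "/" and not self.policy.cache_root:
            storable = False
        if storable:
            self.cache[path] = upstream_status
        return upstream_status, False


# Constructed traffic: the application answers the first request to "/" with
# a 404 (the advisory's precondition) and every later request with 200.
SAMPLE_TRAFFIC = [("/", 404), ("/", 200), ("/", 200), ("/about", 200)]


def serve(policy: CachePolicy, traffic=SAMPLE_TRAFFIC) -> list[int]:
    """Statuses that clients actually see under the given cache policy."""
    proxy = CachingProxy(policy)
    return [proxy.handle(path, status)[0] for path, status in traffic]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("no-404-cache", NO_404_CACHE),
                         ("hardened", HARDENED)):
        print(f"{name:13s} {serve(policy)}")
    print("2.5.14 affected:", is_affected("2.5.14"))
```

Under `WEAK` the single 404 is replayed to every later visitor of `/`, which is the denial of service the advisory describes; under either workaround policy only the first client sees it. In nginx terms the same two knobs are leaving 404 out of `proxy_cache_valid` and setting `proxy_no_cache` for requests to `/`; the upgrade to 2.5.15+ that this PR performs removes the application-side precondition instead.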

@TDevillechabrolle (Contributor) commented May 31, 2023

Checkmarx One – Scan Summary & Details (scan 9ec1186d-a5d2-4fa5-b906-a37f88ddbb73)

New Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| MEDIUM | CVE-2016-10735 | Npm-bootstrap-3.3.6 | Vulnerable Package |
| MEDIUM | CVE-2018-14040 | Npm-bootstrap-3.3.6 | Vulnerable Package |
| MEDIUM | CVE-2018-14042 | Npm-bootstrap-3.3.6 | Vulnerable Package |
| MEDIUM | CVE-2018-20676 | Npm-bootstrap-3.3.6 | Vulnerable Package |
| MEDIUM | CVE-2018-20677 | Npm-bootstrap-3.3.6 | Vulnerable Package |
| MEDIUM | CVE-2019-8331 | Npm-bootstrap-3.3.6 | Vulnerable Package |
| LOW | Log_Forging (×2) | /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 226 | Attack Vector |
| LOW | Log_Forging (×2) | /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 275 | Attack Vector |
| LOW | Log_Forging (×2) | /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 309 | Attack Vector |
| LOW | Log_Forging | /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 237 | Attack Vector |
| LOW | Log_Forging | /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 320 | Attack Vector |

Fixed Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| HIGH | CVE-2022-42252 | Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.63 | Vulnerable Package |
| HIGH | CVE-2022-45143 | Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.63 | Vulnerable Package |
| HIGH | CVE-2023-20873 | Maven-org.springframework.boot:spring-boot-actuator-autoconfigure-2.5.14 | Vulnerable Package |
| HIGH | CVE-2023-20883 | Maven-org.springframework.boot:spring-boot-autoconfigure-2.5.14 | Vulnerable Package |
| HIGH | CVE-2023-28708 | Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.63 | Vulnerable Package |
| HIGH | Reflected_XSS_All_Clients | /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 | Attack Vector |
| HIGH | Reflected_XSS_All_Clients | /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 | Attack Vector |
| MEDIUM | CVE-2022-31684 | Maven-io.projectreactor.netty:reactor-netty-http-1.0.19 | Vulnerable Package |
| MEDIUM | CVE-2022-31684 | Maven-io.projectreactor.netty:reactor-netty-core-1.0.19 | Vulnerable Package |
| MEDIUM | Privacy_Violation (×2) | /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 | Attack Vector |
| MEDIUM | Privacy_Violation (×2) | /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 110 | Attack Vector |
| MEDIUM | Privacy_Violation (×2) | /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118 | Attack Vector |
| MEDIUM | SSRF (×17) | /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 | Attack Vector |
| MEDIUM | SSRF (×17) | /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 | Attack Vector |
| LOW | CVE-2020-8908 | Maven-com.google.guava:guava-29.0-jre | Vulnerable Package |
| LOW | Log_Forging | /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 114 | Attack Vector |
| LOW | Log_Forging | /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 | Attack Vector |
| LOW | Log_Forging | /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 127 | Attack Vector |
| LOW | Log_Forging | /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 | Attack Vector |
| LOW | Log_Forging | /api/api-collect/collect-internal/src/main/java/fr/gouv/vitamui/collect/internal/server/rest/TransactionArchiveUnitInternalController.java: 162 | Attack Vector |

@bbenaissa self-assigned this May 31, 2023
@bbenaissa marked this pull request as ready for review June 1, 2023 08:47
@bbenaissa added the labels "small pr" (carrying few changes and quick to review, needing only one reviewer), "VAS" (VAS contribution), "Security" and "Modules update" Jun 15, 2023
@bbenaissa added this to the IT 120 milestone Jun 15, 2023
@GiooDev modified the milestones: IT 120, IT 121 Jun 20, 2023
@bbenaissa force-pushed the feature/vas-11340-vitamui-clean-codes branch from cb31041 to e9e6ead June 21, 2023 08:35
@GiooDev merged commit 74de994 into develop Jul 24, 2023
@GiooDev deleted the feature/vas-11340-vitamui-clean-codes branch July 24, 2023 14:29
5 participants