Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PPP-4776] Finalize Quartz Migrations Scripts #5725

Merged
merged 1 commit into from
Sep 24, 2024
Merged

[PPP-4776] Finalize Quartz Migrations Scripts #5725

merged 1 commit into from
Sep 24, 2024

Conversation

tkafalas
Copy link
Contributor

No description provided.

@tkafalas tkafalas requested a review from a team as a code owner September 23, 2024 13:42
@buildguy

This comment has been minimized.

Sign in to view
@hitachivantarasonarqube HitachiVantaraSonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@buildguy
Copy link
Collaborator

🚨 Frogbot scanned this pull request and found the below:

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY CONTEXTUAL ANALYSIS DIRECT DEPENDENCIES IMPACTED DEPENDENCY FIXED VERSIONS CVES

Critical		 Undetermined pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT
org.drools:drools-core:6.4.0.Final		 org.drools:drools-core 6.4.0.Final [7.60.0.Final] CVE-2021-41411

High		 Undetermined org.codehaus.jettison:jettison:1.3.3 org.codehaus.jettison:jettison 1.3.3 [1.5.2] CVE-2022-45685

High		 Undetermined org.codehaus.jettison:jettison:1.2 org.codehaus.jettison:jettison 1.2 [1.5.4] CVE-2023-1436

High		 Undetermined org.codehaus.jettison:jettison:1.1 org.codehaus.jettison:jettison 1.1 [1.5.2] CVE-2022-45693

High		 Undetermined org.codehaus.jettison:jettison:1.2 org.codehaus.jettison:jettison 1.2 [1.5.2] CVE-2022-40150

High		 Undetermined org.codehaus.jettison:jettison:1.2 org.codehaus.jettison:jettison 1.2 [1.5.4] CVE-2023-1436

High		 Undetermined org.codehaus.jettison:jettison:1.1 org.codehaus.jettison:jettison 1.1 [1.5.1] CVE-2022-40149

High		 Undetermined org.codehaus.jettison:jettison:1.3.3 org.codehaus.jettison:jettison 1.3.3 [1.5.4] CVE-2023-1436

High		 Undetermined org.drools:drools-core:6.4.0.Final
pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT		 org.drools:drools-core 6.4.0.Final [7.69.0.Final] CVE-2022-1415

High		 Undetermined org.codehaus.jettison:jettison:1.3.3 org.codehaus.jettison:jettison 1.3.3 [1.5.1] CVE-2022-40149

High		 Undetermined org.codehaus.jettison:jettison:1.3.3 org.codehaus.jettison:jettison 1.3.3 [1.5.2] CVE-2022-40150

High		 Undetermined org.codehaus.jettison:jettison:1.3.3 org.codehaus.jettison:jettison 1.3.3 [1.5.2] CVE-2022-45693

High		 Undetermined org.codehaus.jettison:jettison:1.2 org.codehaus.jettison:jettison 1.2 [1.5.1] CVE-2022-40149

High		 Undetermined org.codehaus.jettison:jettison:1.1 org.codehaus.jettison:jettison 1.1 [1.5.2] CVE-2022-40150

High		 Undetermined org.codehaus.jettison:jettison:1.1 org.codehaus.jettison:jettison 1.1 [1.5.4] CVE-2023-1436

High		 Undetermined org.codehaus.jettison:jettison:1.1 org.codehaus.jettison:jettison 1.1 [1.5.4] CVE-2023-1436

High		 Undetermined org.codehaus.jettison:jettison:1.2 org.codehaus.jettison:jettison 1.2 [1.5.2] CVE-2022-45685

High		 Undetermined org.codehaus.jettison:jettison:1.3.3 org.codehaus.jettison:jettison 1.3.3 [1.5.4] CVE-2023-1436

High		 Undetermined org.codehaus.jettison:jettison:1.1 org.codehaus.jettison:jettison 1.1 [1.5.2] CVE-2022-45685

High		 Undetermined org.codehaus.jettison:jettison:1.2 org.codehaus.jettison:jettison 1.2 [1.5.2] CVE-2022-45693

Medium		 Not Applicable com.fasterxml.jackson.core:jackson-databind:2.14.2
com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.14.2		 com.fasterxml.jackson.core:jackson-databind 2.14.2 - CVE-2023-35116
🔬 Research Details
[ CVE-2021-41411 ] org.drools:drools-core 6.4.0.Final

Description:
Drools is a Business Rules Management System (BRMS) solution. It provides a core Business Rules Engine (BRE), a web authoring and rules management application (Drools Workbench), full runtime support for Decision Model and Notation (DMN) models at Conformance level 3 and an Eclipse IDE plugin for core development.

A KIE project or module is simply a Maven Java project or module; with an additional metadata file META-INF/kmodule.xml. The kmodule.xml file is the descriptor that selects resources to KIE bases and configures those KIE bases and sessions.

The KieModuleMarshaller class is responsible for loading the KIE Module. The module validates the kiemodule.xml file before loading it. However - the validation does not filter out XML external entity (XXE) tags. This can lead to code execution in the Drools server.

This can be exploited by an attacker that is able to add or alter a KIE project/module.

[ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.3.3

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(JSONTokener x) is used to parse or construct a JSON, a user-controlled input can cause a stack buffer overflow if it is forwarded to the class for processing. This is because the function has a limited depth for nested objects, which can be easily exceeded in a malicious JSON. While this vulnerability may not allow for code execution, it can still cause a denial of service.

To exploit this issue, the attacker must find an input that propagates to the JSONObject(JSONTokener x) constructor. The exploit is trivial as a simple JSON file containing a large number of opening brackets will cause the denial of service -

String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)";
new JSONObject(s);

Remediation:

Development mitigations

This issue can be mitigated by checking the nested depth of the input JSON before passing it to the JSONObject class.

public boolean validateJSON(String jsonString) {
    // Set a maximum depth limit (same limit as in the fix)
    final int MAX_DEPTH = 500; 

    // Initialize a stack to track the current depth
    Stack<Integer> stack = new Stack<>();

    // Iterate through the characters in the string
    for (int i = 0; i < jsonString.length(); i++) {
        char c = jsonString.charAt(i);

        // If we encounter an opening curly brace, increment the depth
        if (c == '{') {
            stack.push(1);
        }
        // If we encounter a closing curly brace, decrement the depth
        else if (c == '}') {
            stack.pop();
        }

        // If the depth exceeds the maximum limit, return false
        if (stack.size() > MAX_DEPTH) {
            return false;
        }
    }

    // If we reach the end of the string and the depth is zero, the JSON is valid
    return stack.isEmpty();
}
Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}
[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

[ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.1

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(Map map) is used to parse or construct a JSON, a user-controlled input can cause a stack exhaustion if it is forwarded to the class for processing. This is because the patch for CVE-2022-45685 in version 1.5.2 is flawed and a simple case can trigger a bad recursion check, causing a denial of service.
The call to JSONArray.put(Map value) can also trigger the vulnerability as it calls the above function.

The attackers must still find an input that propagates either to the JSONObject class as a Map parameter or to JSONArray.put(Map value) function to trigger this vulnerability. The exploit is trivial as it is shown in the PoC -

HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JSONObject jsonObject=new JSONObject(map);

Remediation:

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}
[ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

[ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.1

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.3.3

Description:
Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

[ CVE-2022-1415 ] org.drools:drools-core 6.4.0.Final

Description:
A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

[ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.3.3

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

[ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.3.3

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

[ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.3.3

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(Map map) is used to parse or construct a JSON, a user-controlled input can cause a stack exhaustion if it is forwarded to the class for processing. This is because the patch for CVE-2022-45685 in version 1.5.2 is flawed and a simple case can trigger a bad recursion check, causing a denial of service.
The call to JSONArray.put(Map value) can also trigger the vulnerability as it calls the above function.

The attackers must still find an input that propagates either to the JSONObject class as a Map parameter or to JSONArray.put(Map value) function to trigger this vulnerability. The exploit is trivial as it is shown in the PoC -

HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JSONObject jsonObject=new JSONObject(map);

Remediation:

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}
[ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

[ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.1

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.1

Description:
Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.1

Description:
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

[ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(JSONTokener x) is used to parse or construct a JSON, a user-controlled input can cause a stack buffer overflow if it is forwarded to the class for processing. This is because the function has a limited depth for nested objects, which can be easily exceeded in a malicious JSON. While this vulnerability may not allow for code execution, it can still cause a denial of service.

To exploit this issue, the attacker must find an input that propagates to the JSONObject(JSONTokener x) constructor. The exploit is trivial as a simple JSON file containing a large number of opening brackets will cause the denial of service -

String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)";
new JSONObject(s);

Remediation:

Development mitigations

This issue can be mitigated by checking the nested depth of the input JSON before passing it to the JSONObject class.

public boolean validateJSON(String jsonString) {
    // Set a maximum depth limit (same limit as in the fix)
    final int MAX_DEPTH = 500; 

    // Initialize a stack to track the current depth
    Stack<Integer> stack = new Stack<>();

    // Iterate through the characters in the string
    for (int i = 0; i < jsonString.length(); i++) {
        char c = jsonString.charAt(i);

        // If we encounter an opening curly brace, increment the depth
        if (c == '{') {
            stack.push(1);
        }
        // If we encounter a closing curly brace, decrement the depth
        else if (c == '}') {
            stack.pop();
        }

        // If the depth exceeds the maximum limit, return false
        if (stack.size() > MAX_DEPTH) {
            return false;
        }
    }

    // If we reach the end of the string and the depth is zero, the JSON is valid
    return stack.isEmpty();
}
Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}
[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.3.3

Description:
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

[ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.1

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(JSONTokener x) is used to parse or construct a JSON, a user-controlled input can cause a stack buffer overflow if it is forwarded to the class for processing. This is because the function has a limited depth for nested objects, which can be easily exceeded in a malicious JSON. While this vulnerability may not allow for code execution, it can still cause a denial of service.

To exploit this issue, the attacker must find an input that propagates to the JSONObject(JSONTokener x) constructor. The exploit is trivial as a simple JSON file containing a large number of opening brackets will cause the denial of service -

String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)";
new JSONObject(s);

Remediation:

Development mitigations

This issue can be mitigated by checking the nested depth of the input JSON before passing it to the JSONObject class.

public boolean validateJSON(String jsonString) {
    // Set a maximum depth limit (same limit as in the fix)
    final int MAX_DEPTH = 500; 

    // Initialize a stack to track the current depth
    Stack<Integer> stack = new Stack<>();

    // Iterate through the characters in the string
    for (int i = 0; i < jsonString.length(); i++) {
        char c = jsonString.charAt(i);

        // If we encounter an opening curly brace, increment the depth
        if (c == '{') {
            stack.push(1);
        }
        // If we encounter a closing curly brace, decrement the depth
        else if (c == '}') {
            stack.pop();
        }

        // If the depth exceeds the maximum limit, return false
        if (stack.size() > MAX_DEPTH) {
            return false;
        }
    }

    // If we reach the end of the string and the depth is zero, the JSON is valid
    return stack.isEmpty();
}
Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}
[ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(Map map) is used to parse or construct a JSON, a user-controlled input can cause a stack exhaustion if it is forwarded to the class for processing. This is because the patch for CVE-2022-45685 in version 1.5.2 is flawed and a simple case can trigger a bad recursion check, causing a denial of service.
The call to JSONArray.put(Map value) can also trigger the vulnerability as it calls the above function.

The attackers must still find an input that propagates either to the JSONObject class as a Map parameter or to JSONArray.put(Map value) function to trigger this vulnerability. The exploit is trivial as it is shown in the PoC -

HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JSONObject jsonObject=new JSONObject(map);

Remediation:

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}
[ CVE-2023-35116 ] com.fasterxml.jackson.core:jackson-databind 2.14.2

Description:
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.

@buildguy
Copy link
Collaborator

❌ Build failed in 35m 49s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl \
assemblies/pentaho-data

❗ No tests found!

ℹ️ This is an automatic message

@ddiroma ddiroma merged commit 1a4d69e into pentaho:master Sep 24, 2024
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tkafalas @buildguy @ddiroma