New OSS-Fuzz Findings in xstream #304
Comments
|
Dear xstream maintainers, this is a friendly reminder, are you guys interested in onboarding to the OSS-Fuzz platform? If we can not get maintainers from your project we will do our best to disclose issues to the community, and also request CVEs for security related vulnerabilities. Thank you and hope to hear from you soon! |
|
OSS-Fuzz has found this stackoverflow issue which has already been fixed due to fix by sonarqube. I think there is a potential security risk depending on the context of the usage of this project. A stackoverflow could lead to a denial of service of a component. We think the community should be notified. Do you plan to assign CVEs for the problems? Detailed Information can be found here: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49858 Please let me know if you have any questions regarding fuzzing or the OSS-Fuzz integration. |
|
"Dear XStream maintainers" addresses in fact me alone and my spare time is currently very limited. Especially the next two weeks I am completely offline... |
|
No problems! We will take over for most of the part then, in the future we will ask questions related to if the bugs found by OSS-Fuzz is really security related or not, that will help us to contribute to the community. And thank you for your reply! |
|
Hi,
?!? When I look at the report, it claims that a security issue has been fixed by a commit that introduced the diamond operator as syntactical sugar? Regards, |
|
Hello @joehni, We did not look into the commit details of this issue, we get our conclusion based on the fixed revision range of commits on Github. I think the issue is opened now so the above link should work, otherwise if you need stacktraces or crashing input please let me know, thanks! Best regards, |
|
Hi guys, Regards, |
|
@henryrneh I am sure you and the organization you represent mean well. However, to me this issue is yet another example of misguided automated tools. A considerable amount of my time at $work is spent fighting such nonsense these days. As soon as something is in the CVE database, tools like the OWASP Dependency Check pick it up, build pipelines around the world start failing and all hell breaks loose. There are currently 6 duplicate CVEs pointing here - all wrong.
Whoever create the CVEs should
|
|
Hello @marcelstoer @tomabai thanks for your feedback. Just for clarification, the vulnerabilities are triggered with xstream.fromXML(Malicious_Input). For the CVE-2022-40151, according to the stacktrace it seeems like a problem within xstream, I will include the full stacktrace here. From the CVE-2022-40152 to CVE-2022-40156, they are not duplicates, if you look into the stacktrace in details you can see that they are triggered differently, but the root cause may be the same. We will report the woodstox issues to woodstox. Since our ressources are also limited, we are not able investigate every issue in detail. If some well established project committer of xtream is interested in supporting the bug disclosure and issue handling, feel free to reach to us. Each finding can also be discussed before it is disclosed. Since xstream is using woodstox, xtream users may be affected if an older version of xtream is used that was released with a vulnerable version of woodstox, so we still consider them to be valid CVEs. |
That is not relevant. What if you find 100 projects out in the wild that invoke
Then don't report them to NIST. Bulk posting such issues to NIST will eventually degrade the reputation of their database and render it useless over time. As a security researcher you have a professional obligation IMO to make sure that your automated tools don't steal time from developers around the globe. |
|
For the first one CVE-2022-40151 the vulnerable library is still xstream. For the other five, you're right. We will request an update at the vulnerability database to point to woodstox. Since the first one is still not fixed, feel free to reach to us to get access to the Fuzzing infrastructure. |
|
Also PLEASE DO NOT tag Woodstox in CVEs until you actually verify this is something to do with Woodstox internals and not -- for example -- due to PARTICULAR CONFIGURATION used by another library (like XStream; not claiming it does anything but just as an example). I was contacted by a user who was freaking out on 5 new CVEs labelled with Woodstox; none of which I was familiar with. This is not ok. And just to make it clear, I am not blaming fellow OSS authors about doing anything wrong. |
|
Hey team, I was looking through the comments in the X-Stream issue attached to the CVE: A commenter (tomabai) mentioned it seems to be around this line of code: Is there any merit to the comment? Could this function be causing this issue? P.S. I am in cyber security and this stuff drives me crazy also. Its conuterproductive and punishes developers for implementing DevSecOps which has real implications when it comes to blocking pipelines. Automation is compounding the issue. |
|
Without any other context it is not possible to know what problem there might be; I don't see anything super obvious. That kind of comment ("hey it seems to come from this class") with no context or even content is counter-productive. |
|
Hi team, It seems that this CVEs are still in the database which also block our release. So I want to know is there any workaround to skip this issue ? Thanks |
|
Someone needs to file proper, per-CVE issues, outlining the actual problem. CVE descriptions are often not good on their own. Work-around also requires understanding of the issue. People should (IMO) stop just filing "Fix CVE-XXXX-YYY" content-free issues: these are not helpful. |
|
Any update for this issue? this is false positive? |
|
@kadinwu My impression is that it is not being actively looked at. If you are interested, feel free to dig in and figure out what this RFC is about. More information about actual details would be helpful for maintainers of relevant libraries. At this, for example, no issues having been filed against Woodstox. |
|
clusterfuzz-testcase-minimized-XmlFuzzer-4554788485857280.txt This is the invalid XML that causes this issue in case anyone wants to try to debug and fix this. Based on #262, many users should probably consider switching to an alternative API/lib - eg XMLInputFactory (StAX parser) that is in the Java runtime - Woodstox is an implementation of this API (but Java runtimes have their own reference impl too). |
|
Thank you for the link @pjfanning. |
|
Hey all, joining this thread by way of github/advisory-database#764 and I'm trying to make sense of it for advisory purposes. @henryrneh have you filed to update the CVEs? If so is there anything public one can follow on that? Do you have complete affected version ranges? Do you plan to aid in fixing the issues? Any timelines for that if so? |
|
There is now an issue and possible PR for Woodstox. So depending on time availability, we might have a fix and then release within next week or so. With all of this I am not sure if XStream is even affected -- doesn't it use defaults that disable DTD handling? Or is this not practical due to backwards-compatibility concerns? -- but it should be possible to resolve these duplicate CVEs relatively soon. |
|
Dear xstream maintainers and users, We have provided detailed information regarding the CVE-2022-40151, please have a look in #314. Regarding CVE-2022-40152, CVE-2022-40153, CVE-2022-40154, CVE-2022-40155, CVE-2022-40156, they are addressed in woodstox in FasterXML/woodstox#157 and they are already fixed in FasterXML/woodstox#159. The update of the 5 CVEs is in progress, and the duplicates will be deleted. |
|
Ok; on Woodstox side issue is and is fixed for releases now going out to Maven Central, Woodstox-core
Once release is out I'll modify description of issue and release notes to mention main CVE. |
|
I've updated the 5 CVEs in the GitHub database to reference |
|
@pjfanning the fix versions should be on there. As for the description; yes I've gone ahead and added some language about DTD parsing. |
|
@henryrneh @darakian Just to make sure:
|
|
We have requested that one will remain for woodstox (CVE-2022-40152), and that the duplicates (CVE-2022-40153, CVE-2022-40154, CVE-2022-40155 and CVE-2022-40156) will be deleted. Those using Woodstox in Xstream have DTD support enabled by default, at least that's the way how the vulnerability in woodstox was found, see Xstream fuzz target. One will remain for Xstream (CVE-2022-40151) which is still open, see #314. |
@cowtowncoder I hadn't planned to remove any of the CVEs, but if @henryrneh plans to revoke them then we will reflect that revocation.
In the github database at least I've tagged the following CVEs with the woodstox package. Happy to correct if I'm wrong or to improve the descriptions if you have suggestions 😃 @henryrneh I've swapped 40151 over to woodstox based on FasterXML/woodstox#160. Was that incorrect? |
|
@darakian Quoting @henryrneh One will remain for Xstream (GHSA-3mq5-fq9h-gj7j) which is still open, see #314. So yes, you made an incorrect change for 40151. 40152-40156 are all the same issue and relate to FasterXML/woodstox#160 |
|
Gotcha. I'll revert that one. @cowtowncoder can you remove or edit the comment |
|
@darakian done. |
|
Greetings...regarding the half-dozen CVEs (40151 through 40156) cited in several comments above: I understand (I think) that these have ultimately been traced to Woodstox, however Prisma Cloud still flags them as relevant to XStream. This is causing audit and release problems for our products (and others, no doubt). So, two questions:
Thanks for all your maintenance efforts...I appreciate how frustrating these issues must be. |
|
@rgemeinhardt-acn please read #304 (comment) there is an issue in xstream still - #314 and this has an unmerged PR |
|
Thanks for all who actively analysed the issued and worked on it. As stated above, I had no spare time left to work on open source and I hope I can spend some now in near future. @henryrneh: Next time you offer "help", please refrain from publishing CVEs with unconfirmed problems and incorrect data, especially if you have been made aware of it. See the comments of @tomabai and @marcelstoer very early in this thread. @darakian: Can you please correct the data for CVE-2022-40151: The vulnerable version is 1.4.18. There is no version 1.5.0, this information is simply rubbish. Concerning a new release: There are more things to fix than just CVE-2022-40151. |
Got you updated 👍 |
Gosh! Sorry, Jon, I got myself confused about the versions. Yes, 1.4.19 is vulnerable. It will be fixed with 1.4.20. :-/ |
|
Haha all good 👍 Got you updated again. Feel free to ping me whenever 1.4.20 goes live and I can update the advisory to suggest the updated version as well 😃 |
|
Hi |
|
I am working on it, but it depends on my spare time. |
|
@henryrneh So, what is the state of CVS-2022-40152 to CVE-2022-40256? Will you revoke them? |
|
@joehni I have requested updates to the CVEs some weeks ago. At Mitre those updates seem to be processed already, see
According to mvnrepository the vulnerabilities are referencing the updated cve.mitre.org Links. |
|
@henryrneh Thanks for cleaning this up! I close this issue now, since #314 tracks the left issue. |
|
@henryrneh CVE-2022-40152 (the woodstox issue) is still linking here from Mitre and NVD, and giving a CPE for x-stream. Can you get it updated to the correct details? |
The origin of CVE-2022-40152 is chaotic at best. It first popped up in x-stream/xstream#304. There was a problem with Woodstox, which was resolved for version 6.4.0 in FasterXML/woodstox#160. Now the CVE is reported on the *API* package, not the implementation. We're safe here and can suppress the CPE as false positive.
Dear xstream maintainers,
Multiple bugs(Stackoverflows) were found during fuzzing by Jazzer in xstream. We would like to provide you with access to the bugs at Google OSS-Fuzz before they get publicly disclosed.
What do we need from you?
We need an email address that is associated with a Google Account as per Accept new projects. In the past we have already contacted you during the onboarding of your project, but the request was rejected or no email was shared with us.
What do you get by sharing your email address?
When a bug is found, you will receive an email that will provide you with access to ClusterFuzz, crash reports, code coverage reports and fuzzer statistics. Each finding will have a crashing input that you can use to easily reproduce the bug.
Attention: All bug details will be made public automatically after the deadline of 90 days has exceeded or after the fix is released. For projects without maintainers we will do our best to support the disclosure process. Depending on our resources we will try to create an issues for every bug in your public issues tracker. In addition, we will request CVEs for security related vulnerabilities.
Please let me know if you have any questions regarding fuzzing or the OSS-Fuzz integration.
Thank you for your reading and hope to hear from you soon!
The text was updated successfully, but these errors were encountered: