
Upgrade packages that have security vulnerabilities. #288

Open

Comments

@jackson-chris

Several dependencies used by this project have logged security vulnerabilities:

  • CVE: CVE-2020-25649
    • CVSS: 7.5
    • Description: A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
    • Severity: high
    • Status: fixed in 2.10.5.1, 2.9.10.7, 2.6.7.4
    • Package Name: com.fasterxml.jackson.core_jackson-databind
    • Link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25649
  • CVE: CVE-2020-28491
    • CVSS: 7.5
    • Description: This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
    • Severity: High
    • Status: fixed in 2.11.4, 2.12.1
    • Package Name: com.fasterxml.jackson.dataformat_jackson-dataformat-cbor
    • Link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28491
  • CVE: PRISMA-2021-0055
    • CVSS: 0
    • Description: Versions <1.13 of this package are vulnerable to Information Exposure. When there is no byte array value that can be encoded into a string, the Base32 implementation does not reject it, and instead decodes it into an arbitrary value which can be re-encoded again using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid base 32 strings.
    • Severity: low
    • Status: fixed in 1.13
    • Package Name: commons-codec_commons-codec

Should try and attempt to use the fixed versions of these jars even if the vulnerable code paths are not used in the product, to assure consumers the product is vulnerability-free.

@mrmadira
Collaborator

Hey Christopher!

We just released the 1.1.4 version where the dependency versions have been upgraded. Both of the High ones got fixed in that.

jackson-chris added a commit to jackson-chris/stocator that referenced this issue Jul 2, 2021
@jackson-chris
Author

Thanks @mrmadira, I have opened #289 to address the remaining issues reported by twistlock scans.

@jackson-chris
Author

@mrmadira any reason the associated PR for this has yet to be merged?

@mrmadira
Collaborator

mrmadira commented Nov 20, 2021

Can you please share the relevant findings for twistlock? And what version of tt are you using? Are the findings against the 1.1.4 version of the jar? IBM-SDK version / with dependencies, etc.?
