Project: Service Design and Creation
Issue: SDC-3795

Analyse vulnerable dependency versions in SDC


    • Type: Task
    • Resolution: Done
    • Priority: Medium
    • Fix Version: Jakarta Release
    • Component: SDC

Vulnerability scans of SDC have found some vulnerable third-party (3pp) component versions. This task is created to analyse those versions: can they be updated or removed, and does SDC even use the vulnerable functionality?

Vulnerable versions

Jsoup
org.jsoup:jsoup:1.8.3 (in catalog-fe and onboarding-be war)
CVE-2021-37714
Fix version: 1.14.2

Netty
io.netty:netty-codec:4.1.66.Final (in onboarding-be war)
CVE-2021-37136, CVE-2021-37137
Fix version: 4.1.68.Final

Gson
com.google.code.gson:gson:2.3.1 (in catalog-fe war)
Xray-188794 (no CVE id)
Fix version: 2.8.9

Chef
Chef 13.8.5 (Dockerfiles)
CVE-2015-8559
Fix version: 15.4.45

JNA
net.java.dev.jna:jna:4.2.2 (in onboarding-be war)
Xray-114349 (no CVE id)
Fix version: 5.10.0

Lucene
org.apache.lucene:lucene-core:3.0.3 (in catalog-be war)
Xray-86119 (no CVE id)
Fix version: 3.6.0

HttpClient cache
org.apache.httpcomponents:httpclient-cache:4.5.3 (in catalog-be war)
Xray-84107 (no CVE id)
Fix versions: 4.5.9, 5.0-beta4-RC1

Commons BeanUtils
commons-beanutils-1.9.2 (in asdctool-1.9.0-SNAPSHOT-jar-with-dependencies.jar)
CVE-2019-10086
Fix version: 1.9.4

Jackson Databind
jackson-databind-2.9.4
64 different vulnerabilities
Fix version: 2.9.10.7
Locations:
catalog-be.war:WEB-INF/lib/gremlin-shaded-3.3.3.jar:jackson-databind
asdctool-1.9.0-SNAPSHOT-jar-with-dependencies.jar:jackson-databind

Jetty
jetty-io-9.3.12.v20160915 (in asdctool-1.9.0-SNAPSHOT-jar-with-dependencies.jar and catalog-be.war:WEB-INF/lib/dme2-3.1.200-oss.jar)
13 vulnerabilities
Fix version: 9.4.29 or higher
Also affects jetty-server and jetty-webapp

Quite a few findings in the backend service come from dme2-3.1.200-oss.jar:
commons-beanutils-1.9.2 (in catalog-be.war:WEB-INF/lib/dme2-3.1.200-oss.jar)
commons-collections-3.2.1 (in catalog-be.war:WEB-INF/lib/dme2-3.1.200-oss.jar)
hazelcast-3.7.2 (in catalog-be.war:WEB-INF/lib/dme2-3.1.200-oss.jar:hazelcast)
commons_collections-3.2.1 (in catalog-be.war:WEB-INF/lib/dme2-3.1.200-oss.jar)
jetty* 9.3.12.v20160915 (in catalog-be.war:WEB-INF/lib/dme2-3.1.200-oss.jar)

No fixed versions available yet

slf4j 1.7.25
(in catalog-fe-1.9.0-SNAPSHOT.war:WEB-INF/lib/slf4j-api-1.7.25.jar)
No fix

geronimo-1.1.1
(in onboarding-be-1.9.0-SNAPSHOT.war:WEB-INF/lib/geronimo-jta_1.1_spec-1.1.1.jar)
CVE-2011-5034
No fix

org.apache.tinkerpop:gremlin-core:3.3.3
No fix

hazelcast-3.7.2
No fix version

pip 20.2.3 (disputed CVE)
CVE-2018-20225
No fix, and it might not be an issue
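The inventory above is the kind of output a nested-archive scan produces: many of the flagged artifacts sit inside a WAR's WEB-INF/lib, and several sit one level deeper, inside a bundled jar such as dme2-3.1.200-oss.jar. The script below is an added example, not part of this ticket or of the SDC code base, showing how such a check can be reproduced locally: it walks a WAR or fat jar, descends into nested jars, extracts artifact name and version from jar filenames, and flags anything below the fix versions recorded above. It assumes the fix-version table is the one given in the ticket, compares only the numeric components of a version (qualifiers such as `.Final`, `.v20160915` or `-SNAPSHOT` are ignored, so pre-release ordering is not handled), and detects artifacts by filename only, so a shaded jar that relocates classes (like the gremlin-shaded jar that bundles jackson-databind) is not detected this way; the sample WAR it builds is constructed in memory with placeholder bytes.

```python
"""Added example: filename-based scan of a WAR/fat jar for nested jar artifacts
whose version is below the fix version listed in SDC-3795. Not SDC code."""
import io
import re
import zipfile

# Minimum non-vulnerable versions, taken from the ticket's list above.
FIX_VERSIONS = {
    "jsoup": "1.14.2",
    "netty-codec": "4.1.68.Final",
    "gson": "2.8.9",
    "jna": "5.10.0",
    "lucene-core": "3.6.0",
    "httpclient-cache": "4.5.9",
    "commons-beanutils": "1.9.4",
    "jackson-databind": "2.9.10.7",
    "jetty-io": "9.4.29",
    "jetty-server": "9.4.29",
    "jetty-webapp": "9.4.29",
}

# "<artifact>-<version>.jar": artifact is matched lazily so the version starts
# at the first "-<digit>" boundary (e.g. netty-codec-4.1.66.Final.jar).
JAR_NAME = re.compile(r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d[^/]*)\.jar$")


def version_key(version):
    """Comparable tuple of the leading numeric components of a version string.
    '9.3.12.v20160915' -> (9, 3, 12); '4.1.68.Final' -> (4, 1, 68).
    Qualifiers are dropped, so pre-release ordering is not modelled."""
    nums = []
    for part in re.split(r"[.-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def scan_archive(data, path=""):
    """Return (location, artifact, version) for every jar found by filename in
    the archive bytes, recursing into nested jars (e.g. dme2-*.jar)."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a zip archive: nothing nested to inspect
    with zf:
        for info in zf.infolist():
            basename = info.filename.rsplit("/", 1)[-1]
            m = JAR_NAME.match(basename)
            if not m:
                continue
            location = f"{path}:{info.filename}" if path else info.filename
            found.append((location, m["artifact"], m["version"]))
            found.extend(scan_archive(zf.read(info), location))
    return found


def find_vulnerable(data, path=""):
    """Sorted (location, artifact, version, fix_version) for every nested jar
    whose version is strictly below the ticket's fix version."""
    hits = []
    for location, artifact, version in scan_archive(data, path):
        fix = FIX_VERSIONS.get(artifact)
        if fix and version_key(version) < version_key(fix):
            hits.append((location, artifact, version, fix))
    return sorted(hits)


def build_sample_war():
    """Constructed test input: an in-memory WAR whose layout mimics the
    locations in the ticket. Jar contents are placeholder bytes, not classes."""
    def zip_bytes(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()

    # A bundled jar carrying its own dependencies, like dme2-3.1.200-oss.jar.
    dme2 = zip_bytes({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "jetty-io-9.3.12.v20160915.jar": b"placeholder",
        "commons-beanutils-1.9.2.jar": b"placeholder",
    })
    return zip_bytes({
        "WEB-INF/lib/dme2-3.1.200-oss.jar": dme2,
        "WEB-INF/lib/gson-2.3.1.jar": b"placeholder",       # below fix 2.8.9
        "WEB-INF/lib/jsoup-1.14.2.jar": b"placeholder",     # equals fix: clean
        "WEB-INF/lib/netty-codec-4.1.68.Final.jar": b"placeholder",  # clean
    })


if __name__ == "__main__":
    for location, artifact, version, fix in find_vulnerable(build_sample_war(), "catalog-be.war"):
        print(f"{location}: {artifact} {version} < fix {fix}")
```

On the constructed WAR this reports gson 2.3.1 at the top level and jetty-io 9.3.12 and commons-beanutils 1.9.2 inside the bundled dme2 jar, while the jsoup and netty-codec entries at their fix versions are not flagged. For a real analysis, run `find_vulnerable(open("catalog-be.war", "rb").read(), "catalog-be.war")`, and remember that relocated classes inside shaded jars need a class-level or manifest-level scanner rather than this filename match.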


Assignee: vasraz
Reporter: vasraz
Votes: 0
Watchers: 1