Latest version has vulnerable dependency #54

Closed
davidbernick opened this issue Aug 30, 2018 · 8 comments
Comments

@davidbernick

According to SourceClear, https://www.sourceclear.com/vulnerability-database/libraries/230, Jackson-databind is vulnerable. Can we use another library?

Jackson-databind is vulnerable to remote code execution (RCE) attacks. Attackers can exploit an incomplete fix of `CVE-2017-7525` to bypass the blacklist when Spring libraries are available on the class path. In order to be vulnerable to this attack, either the use of `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)` or `@JsonTypeInfo(use = JsonTypeInfo.Id.MINIMAL_CLASS)` or a call to `ObjectMapper.enableDefaultTyping(...)` is needed.
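The configuration the advisory text above warns about, as an added example that is not code from this issue, from aliyun-openapi-java-sdk or from Cromwell: an `ObjectMapper` with global default typing switched on next to one restricted to an explicit allow-list of subtypes. It assumes jackson-databind 2.10 or later, where `activateDefaultTyping(PolymorphicTypeValidator, ...)` exists (the 2.9.7 upgrade discussed later in this thread still only has the blacklist behind `enableDefaultTyping()`). The `SideEffect` class, the `com.example.model.` package prefix and the JSON payload are all constructed for the demonstration.

```java
// Added example, not code from this issue, aliyun-openapi-java-sdk or Cromwell.
// Assumes jackson-databind 2.10+ (activateDefaultTyping with a
// PolymorphicTypeValidator). Class names, package prefix and payload are made up.
import java.io.IOException;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    /** Stand-in for any class on the class path an attacker would like constructed. */
    public static class SideEffect {
        static boolean constructed = false;
        public String target;
        public SideEffect() { constructed = true; }
    }

    // Constructed attacker input. With default typing on, a two-element array is read
    // as [ "<class name>", <properties> ] and the named class is instantiated.
    static final String UNTRUSTED_JSON =
        "[\"DefaultTypingDemo$SideEffect\", {\"target\": \"http://127.0.0.1:9000/\"}]";

    enum Outcome { INSTANTIATED, REJECTED }

    /** Vulnerable pattern from the advisory: global default typing, blacklist only. */
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // class chosen by the input, filtered by a blacklist
        return mapper;
    }

    /** Hardened: only subtypes under an explicit package prefix may be named in input. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.") // hypothetical application model package
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Feeds the payload to a mapper and reports whether the named class got built. */
    static Outcome feed(ObjectMapper mapper, String json) throws IOException {
        SideEffect.constructed = false;
        try {
            mapper.readValue(json, Object.class);
        } catch (InvalidTypeIdException e) {
            // Raised by the validator when the type id is not allow-listed,
            // before any constructor of the named class runs.
            return Outcome.REJECTED;
        }
        return SideEffect.constructed ? Outcome.INSTANTIATED : Outcome.REJECTED;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("enableDefaultTyping():       " + feed(vulnerableMapper(), UNTRUSTED_JSON));
        System.out.println("allow-listed default typing: " + feed(hardenedMapper(), UNTRUSTED_JSON));
    }
}
```

Running `main` shows the first mapper reporting INSTANTIATED and the second REJECTED. The point is that with default typing the class name in the input, not the application's code, decides what gets constructed, and a blacklist only ever catches gadget classes someone has already reported. If the application does not need polymorphic deserialization, the simplest fix is to call neither method.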

@kshakir

kshakir commented Sep 7, 2018

PR: #55

Will try to figure out CLA stuff, but I'm happy if someone else just makes the modifications too.

kshakir added a commit to broadinstitute/cromwell that referenced this issue Sep 9, 2018
Dependencies still reported out of date via `sbt dependencyUpdates`:
- com.aliyun:aliyun-java-sdk-core : 3.6.0 -> 3.7.1 -> 4.0.8
  Waiting for aliyun/aliyun-openapi-java-sdk#54
- com.github.pathikrit:better-files : 2.17.1 -> 3.6.0
  Unstable API would probably require multiple changes
- com.google.apis:google-api-services-cloudkms : v1-rev63-1.25.0 -> InvalidVersion(v1beta1-rev6-1.22.0)
  False positive due to version not being SemVer
- com.google.apis:google-api-services-genomics : v2alpha1-rev31-1.25.0 -> InvalidVersion(v2alpha1-rev9-1.23.0)
  False positive due to version not being SemVer
- mysql:mysql-connector-java : 5.1.47 -> 8.0.12
  See notes in Dependencies.scala on changes that would be required by users.
- org.broadinstitute.dsde.workbench:workbench-google : 0.15-2fc79a3 -> 0.15-ff73de5-SNAP -> 0.100-f9bd914-SNAP -> 1.0-e8e6ff0-SNAP
  Need more research to know what changed
- org.broadinstitute.dsde.workbench:workbench-model : 0.10-6800f3a -> 0.10-ff73de5-SNAP -> 0.12-e24d5a6-SNAP
  Need more research to know what changed
- org.broadinstitute.dsde.workbench:workbench-util : 0.3-f3ce961 -> 0.3-ff937c4-SNAP
  Need more research to know what changed
- org.liquibase:liquibase-core : 3.5.5 -> 3.6.2
  Waiting for https://liquibase.jira.com/browse/CORE-3311
- org.webjars:swagger-ui : 3.2.2 -> 3.18.2
  Unstable API would probably require multiple changes
- software.amazon.awssdk:aws-sdk-java : 2.0.0-preview-9 -> 2.0.1
  Waiting for #3909
kshakir added a commit to broadinstitute/cromwell that referenced this issue Sep 9, 2018
Bypass Mockito error "Cannot cast to primitive type" on classes also modified due to use of Refined.
Dependencies still reported out of date via `sbt dependencyUpdates`:
- com.aliyun:aliyun-java-sdk-core : 3.6.0 -> 3.7.1 -> 4.0.8
  Waiting for aliyun/aliyun-openapi-java-sdk#54
- com.github.pathikrit:better-files : 2.17.1 -> 3.6.0
  Unstable API would probably require multiple changes
- com.google.apis:google-api-services-cloudkms : v1-rev63-1.25.0 -> InvalidVersion(v1beta1-rev6-1.22.0)
  False positive due to version not being SemVer
- com.google.apis:google-api-services-genomics : v2alpha1-rev31-1.25.0 -> InvalidVersion(v2alpha1-rev9-1.23.0)
  False positive due to version not being SemVer
- mysql:mysql-connector-java : 5.1.47 -> 8.0.12
  See notes in Dependencies.scala on changes that would be required by users.
- org.broadinstitute.dsde.workbench:workbench-google : 0.15-2fc79a3 -> 0.15-ff73de5-SNAP -> 0.100-f9bd914-SNAP -> 1.0-e8e6ff0-SNAP
  Need more research to know what changed
- org.broadinstitute.dsde.workbench:workbench-model : 0.10-6800f3a -> 0.10-ff73de5-SNAP -> 0.12-e24d5a6-SNAP
  Need more research to know what changed
- org.broadinstitute.dsde.workbench:workbench-util : 0.3-f3ce961 -> 0.3-ff937c4-SNAP
  Need more research to know what changed
- org.liquibase:liquibase-core : 3.5.5 -> 3.6.2
  Waiting for https://liquibase.jira.com/browse/CORE-3311
- org.webjars:swagger-ui : 3.2.2 -> 3.18.2
  Unstable API would probably require multiple changes
- software.amazon.awssdk:aws-sdk-java : 2.0.0-preview-9 -> 2.0.1
  Waiting for #3909
@Qingtang-SDK
Contributor

Please show us why this issue is related to aliyun-openapi-java-sdk and re-open this issue. Thank you.

@geoffjentry

Hi @Qingtang-SDK - as you can see in #55 aliyun-openapi-java-sdk embeds the vulnerable version of Jackson. The PR #55 resolves that by upgrading Jackson to a version which does not have the security vulnerability.

Qingtang-SDK reopened this Oct 31, 2018
@Qingtang-SDK
Contributor

Hi @geoffjentry, thanks for your feedback, and thank you for your contribution to this SDK. I apologize for closing this issue without carefully checking. We tried your pull request, and unfortunately some functional test cases failed with it. Now we are trying to find a JSON library which is secure and compatible with our SDK.

We will fix this issue as soon as possible and keep you informed. Thank you, and we are sorry for the inconvenience. If you have any questions, please let us know how we can help.

@Qingtang-SDK
Contributor

Qingtang-SDK commented Nov 5, 2018

Hi @kshakir @geoffjentry @davidbernick, thanks for your patience. We have changed our JSON library dependency from jackson-mapper-dsl 1.9.13 to jackson-databind 2.9.7 on the newest master branch, and in aliyun-java-sdk-batchcompute 6.0.0 on Maven. All tests have passed.

Thanks again for your great patience. Please take a look. If you have any questions, please don't hesitate to let us know.

@kshakir

kshakir commented Nov 6, 2018

This looks great! We have tests to run on our side, but I believe this particular issue can now be marked as closed.

FYI for others who may come across this issue: there is still a transitive dependency on the same vulnerable Jackson 1.x library over in the OSS Java SDK, but that one is easier to work around using dependency exclusions.

@JacksonTian
Contributor

Let's close this issue now. Thanks all.
