
Upgrade org.python:jython to CWE-416 of com.github.jnr:jnr-posix #15865

Closed
mn-mikke opened this issue Oct 24, 2023 · 0 comments · Fixed by #15866

@mn-mikke (Collaborator)

Support ticket: https://support.h2o.ai/a/tickets/106681

Reported vulnerability:

— Use After Free [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGITHUBJNR-1570422] in com.github.jnr:jnr-posix@3.0.23
    introduced by unknown:/opt/.venv/lib/python3.11/site-packages/h2o/backend/bin/h2o.jar@unknown > com.github.jnr:jnr-posix@3.0.23

It looks like the com.github.jnr:jnr-posix dependency is brought into h2o.jar via org.python:jython, although Gradle doesn't see the dependency:

./gradlew :h2o-assemblies:main:dependencyInsight --dependency jnr-posix --configuration runtimeClasspath

> Task :h2o-assemblies:main:dependencyInsight
No dependencies matching given input were found in configuration ':h2o-assemblies:main:runtimeClasspath'

jnr-posix seems to be a Jython dependency. From META-INF/maven/com.github.jnr/jnr-posix/pom.properties inside the Jython jar:

#Generated by Maven
#Thu Nov 12 15:35:48 CST 2015
version=3.0.23
groupId=com.github.jnr
artifactId=jnr-posix
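The check above (a bundled library that Gradle's dependency graph never lists, but whose Maven metadata is still present inside the jar) can be automated by scanning the jar for META-INF/maven/**/pom.properties. The following is an added example, not h2o-3 project code; the jar it scans is constructed in memory and mirrors the pom.properties quoted in this issue, and the second bundled artifact and all version strings other than 3.0.23 are placeholders.

```python
import io
import zipfile
from typing import Dict, List, Set, Tuple

# Constructed sample: the jnr-posix pom.properties quoted in the issue.
SAMPLE_JNR_POSIX_PROPS = (
    "#Generated by Maven\n#Thu Nov 12 15:35:48 CST 2015\n"
    "version=3.0.23\ngroupId=com.github.jnr\nartifactId=jnr-posix\n"
)

def build_sample_jar() -> bytes:
    """Build an in-memory fat jar bundling two Maven artifacts (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/com.github.jnr/jnr-posix/pom.properties",
                     SAMPLE_JNR_POSIX_PROPS)
        # Placeholder coordinates/version, not a real Jython release.
        jar.writestr("META-INF/maven/org.python/jython/pom.properties",
                     "version=0.0.0-placeholder\ngroupId=org.python\nartifactId=jython\n")
        jar.writestr("org/python/core/imp.class", b"\xca\xfe\xba\xbe")  # stand-in class bytes
    return buf.getvalue()

def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines of a Java .properties file, skipping comments and blanks."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def embedded_artifacts(jar_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every pom.properties bundled in the jar."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_properties(jar.read(name).decode("utf-8", "replace"))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    found.append((props["groupId"], props["artifactId"], props["version"]))
    return sorted(found)

def hidden_from_build(jar_bytes: bytes, declared: Set[str]) -> List[Tuple[str, str, str]]:
    """Bundled artifacts whose group:artifact the build's dependency graph does not list."""
    return [a for a in embedded_artifacts(jar_bytes) if f"{a[0]}:{a[1]}" not in declared]

if __name__ == "__main__":
    for g, a, v in hidden_from_build(build_sample_jar(), {"org.python:jython"}):
        print(f"bundled but absent from dependency graph: {g}:{a}@{v}")
```

Against a real h2o.jar, read the file bytes and pass the group:artifact set reported by `dependencyInsight` as `declared`; anything returned is a dependency your scanner will see but your build tool will not.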
@mn-mikke mn-mikke added this to the 3.44.0.2 milestone Oct 24, 2023
@mn-mikke mn-mikke self-assigned this Oct 24, 2023
mn-mikke added a commit that referenced this issue Oct 30, 2023
…-posix (overriding org.python.core.imp class from Jython with custom changes, search for CUSTOM CHANGE) (#15866)

* [GH-15865] Upgrade org.python:jython to CWE-416 of com.github.jnr:jnr-posix

* Override jython class

* Add Jython version check