
Reopening 2 - CVE-2023-21971 - Update Connector/J to 8.0.33 #24506

Closed
1 task done
mvk37 opened this issue Nov 2, 2023 · 4 comments
Labels
area/dependencies kind/bug Categorizes a PR related to a bug team/cloud-native
Milestone

Comments

@mvk37

mvk37 commented Nov 2, 2023

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

dependencies

Describe the bug

Two previous attempts to upgrade Connector/J to 8.0.33 weren't successful.

#21199
#23366

Keycloak 22.0.5 still contains mysql.mysql-connector-java-8.0.30.jar. Could you update it to 8.0.33 in the next release?

Version

22.0.5

Expected behavior

Connector/J 8.0.33 or higher

Actual behavior

Connector/J 8.0.30

How to Reproduce?

Check folder lib\lib\main in Keycloak 22.0.5 distribution

Anything else?

No response

@mvk37 mvk37 added kind/bug Categorizes a PR related to a bug status/triage labels Nov 2, 2023
@abstractj
Contributor

@mvk37 could you please provide some evidence from security scanners? The report below does not report any vulnerable dependencies:

 ❯ trivy image --timeout 25m quay.io/keycloak/keycloak:22.0.5
2023-11-06T18:38:34.462-0300    WARN    No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2023-11-06T18:38:34.462-0300    WARN    e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
2023-11-06T18:38:34.462-0300    INFO    Detected OS: redhat
2023-11-06T18:38:34.462-0300    WARN    This OS version is not on the EOL list: redhat 9
2023-11-06T18:38:34.462-0300    INFO    Detecting RHEL/CentOS vulnerabilities...
2023-11-06T18:38:34.462-0300    INFO    Number of PL dependency files: 409
2023-11-06T18:38:34.462-0300    INFO    Detecting jar vulnerabilities...
2023-11-06T18:38:34.480-0300    WARN    This OS version is no longer supported by the distribution: redhat 9.2
2023-11-06T18:38:34.480-0300    WARN    The vulnerability detection may be insufficient because security updates are not provided

quay.io/keycloak/keycloak:22.0.5 (redhat 9.2)
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

@mvk37
Author

mvk37 commented Nov 6, 2023

This is the issue: https://nvd.nist.gov/vuln/detail/CVE-2023-21971 (it exists in Connector/J 8.0.32 and prior).

This is the jar in the Keycloak 22.0.5 distribution: lib/lib/main/mysql.mysql-connector-java-8.0.30.jar

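Added check (example code, not from the issue or from the Keycloak project): it scans the lib/lib/main folder named in the report for the bundled Connector/J jar and flags any version below 8.0.33, the first release not affected by CVE-2023-21971 per the NVD entry above. It assumes Keycloak's groupId.artifactId-version jar naming and also matches the com.mysql:mysql-connector-j name the artifact carries from 8.0.31 on; the sample distribution it scans is constructed in a temp directory.

```python
import re
import tempfile
from pathlib import Path

# 8.0.32 and prior are affected (NVD entry cited in the issue); 8.0.33 is the fix.
FIXED_VERSION = (8, 0, 33)

# Keycloak names bundled jars <groupId>.<artifactId>-<version>.jar, e.g.
# mysql.mysql-connector-java-8.0.30.jar. Connector/J was renamed to
# com.mysql:mysql-connector-j in 8.0.31, so both artifact ids are matched.
JAR_RE = re.compile(
    r"^(?:[\w.]+\.)?mysql-connector-(?:java|j)-(\d+)\.(\d+)\.(\d+)\.jar$"
)


def parse_connector_version(filename):
    """Return (major, minor, patch) for a Connector/J jar name, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify_jars(filenames, fixed=FIXED_VERSION):
    """Split Connector/J jar names into (vulnerable, fixed) lists.
    Tuples compare numerically, so 8.0.9 is correctly below 8.0.33
    (a plain string compare would rank it above)."""
    vulnerable, ok = [], []
    for name in filenames:
        ver = parse_connector_version(name)
        if ver is None:
            continue  # not a Connector/J jar
        (vulnerable if ver < fixed else ok).append(name)
    return vulnerable, ok


def scan_distribution(dist_root):
    """Scan <dist_root>/lib/lib/main, the folder named in the report."""
    lib_main = Path(dist_root) / "lib" / "lib" / "main"
    names = [p.name for p in lib_main.iterdir() if p.is_file()] if lib_main.is_dir() else []
    return classify_jars(names)


if __name__ == "__main__":
    # Constructed sample distribution: empty files stand in for the jars.
    with tempfile.TemporaryDirectory() as tmp:
        lib_main = Path(tmp) / "lib" / "lib" / "main"
        lib_main.mkdir(parents=True)
        for name in ("mysql.mysql-connector-java-8.0.30.jar", "org.postgresql.postgresql-42.6.0.jar"):
            (lib_main / name).touch()
        vuln, fixed = scan_distribution(tmp)
        print("vulnerable:", vuln)  # vulnerable: ['mysql.mysql-connector-java-8.0.30.jar']
        print("fixed:", fixed)      # fixed: []
```

Point scan_distribution at an unpacked Keycloak distribution root to run it against a real install.
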
@abstractj
Contributor

abstractj commented Nov 10, 2023

@mvk37 now I see the problem. The dependency you mentioned was updated as part of Keycloak. However, we also have mysql-connector-java as a transitive dependency coming from Quarkus:

[INFO] | | +- io.quarkus:quarkus-jdbc-mysql:jar:3.2.7.Final:compile
[INFO] | | | - mysql:mysql-connector-java:jar:8.0.30:compile

It should be fixed by quarkusio/quarkus#37018

@shawkins
Contributor

shawkins commented Feb 5, 2024

Closed by updating quarkus - #26150

#24506 will address our test dependency on mysql's driver.

@shawkins shawkins closed this as completed Feb 5, 2024