Apicurio / apicurio-registry

An API/Schema registry - stores APIs and Schemas.
https://www.apicur.io/registry/
Apache License 2.0

Security: Resteasy vulnerabilities #1808

Closed tomasAlabes closed 2 years ago

tomasAlabes commented 3 years ago

Apicurio v2.1.0.RC1 (and before) is using resteasy libraries with version 4.5.9.Final, which have some vulnerabilities reported: https://www.cvedetails.com/vulnerability-list/vendor_id-25/product_id-23627/Redhat-Resteasy.html

https://www.cvedetails.com/cve/CVE-2021-20293/
https://www.cvedetails.com/cve/CVE-2021-20289/

The dependency has to be upgraded to 4.6.0.Final.

If Quarkus gets updated to 2.x.x, both #1807 and this will get updated to the non-vulnerable versions. Tried with Quarkus 2.0.3.Final (2.2.1.Final is the latest).

Dependencies taken from apicurio-registry-storage 2.1.0.RC1 with mvn -Pprod dependency:list -DskipTests

tomasAlabes commented 3 years ago

Update after 2.1.0.Final: the resteasy vulnerabilities are still there, coming with org.keycloak:keycloak-admin-client:jar:14.0.0:compile. See the dependency tree generated using:

./mvnw -Pprod dependency:tree  -DskipTests -pl serdes/avro-serde -Pkafkasql -Dscope=runtime
[INFO] ----------< io.apicurio:apicurio-registry-serdes-avro-serde >-----------
[INFO] Building apicurio-registry-serdes-avro-serde 2.1.0.Final
[INFO] --------------------------------[ jar ]---------------------------------
[WARNING] The POM for com.github.java-json-tools:jackson-coreutils:jar:2.0-SNAPSHOT is missing, no dependency information available
[INFO]
[INFO] --- maven-dependency-plugin:3.2.0:tree (default-cli) @ apicurio-registry-serdes-avro-serde ---
[INFO] io.apicurio:apicurio-registry-serdes-avro-serde:jar:2.1.0.Final
[INFO] +- io.apicurio:apicurio-registry-serde-common:jar:2.1.0.Final:compile
[INFO] |  +- io.apicurio:apicurio-registry-client:jar:2.1.0.Final:compile
[INFO] |  |  \- io.apicurio:apicurio-registry-common:jar:2.1.0.Final:compile
[INFO] |  |     +- org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_2.1_spec:jar:2.0.1.Final:compile
[INFO] |  |     \- io.apicurio:apicurio-common-rest-client-auth:jar:0.0.5.Final:compile
[INFO] |  |        +- io.apicurio:apicurio-common-rest-client-util:jar:0.0.5.Final:compile
[INFO] |  |        +- io.apicurio:apicurio-common-rest-client-jdk:jar:0.0.5.Final:compile
[INFO] |  |        \- org.keycloak:keycloak-admin-client:jar:14.0.0:compile
[INFO] |  |           +- org.keycloak:keycloak-core:jar:12.0.4:compile
[INFO] |  |           +- org.keycloak:keycloak-common:jar:14.0.0:compile
[INFO] |  |           +- org.jboss.resteasy:resteasy-client:jar:4.5.9.Final:compile
[INFO] |  |           |  +- org.jboss.resteasy:resteasy-client-api:jar:4.5.9.Final:compile
[INFO] |  |           |  +- org.jboss.resteasy:resteasy-core-spi:jar:4.5.9.Final:compile
[INFO] |  |           |  |  +- org.reactivestreams:reactive-streams:jar:1.0.3:compile
[INFO] |  |           |  |  +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] |  |           |  |  \- com.sun.activation:jakarta.activation:jar:1.2.1:compile
[INFO] |  |           |  +- org.jboss.resteasy:resteasy-core:jar:4.5.9.Final:compile
[INFO] |  |           |  |  +- com.ibm.async:asyncutil:jar:0.1.0:compile
[INFO] |  |           |  |  \- io.smallrye.config:smallrye-config:jar:1.11.1:compile
[INFO] |  |           |  |     +- io.smallrye.common:smallrye-common-annotation:jar:1.5.0:compile
[INFO] |  |           |  |     +- io.smallrye.common:smallrye-common-expression:jar:1.5.0:compile
[INFO] |  |           |  |     |  \- io.smallrye.common:smallrye-common-function:jar:1.5.0:compile
[INFO] |  |           |  |     +- io.smallrye.common:smallrye-common-constraint:jar:1.5.0:compile
[INFO] |  |           |  |     +- io.smallrye.common:smallrye-common-classloader:jar:1.5.0:compile
[INFO] |  |           |  |     \- io.smallrye.config:smallrye-config-common:jar:1.11.1:compile
[INFO] |  |           |  +- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] |  |           |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  |           |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.14:compile
[INFO] |  |           |  |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |           |  +- commons-codec:commons-codec:jar:1.15:compile
[INFO] |  |           |  \- commons-io:commons-io:jar:2.8.0:compile
[INFO] |  |           +- org.jboss.resteasy:resteasy-multipart-provider:jar:4.5.9.Final:compile
[INFO] |  |           |  +- com.sun.mail:jakarta.mail:jar:1.6.4:compile
[INFO] |  |           |  +- org.apache.james:apache-mime4j-dom:jar:0.8.3:compile
[INFO] |  |           |  |  \- org.apache.james:apache-mime4j-core:jar:0.8.3:compile
[INFO] |  |           |  +- org.apache.james:apache-mime4j-storage:jar:0.8.3:compile
[INFO] |  |           |  \- org.eclipse.microprofile.config:microprofile-config-api:jar:1.4:compile
[INFO] |  |           +- org.jboss.resteasy:resteasy-jackson2-provider:jar:4.5.9.Final:compile
[INFO] |  |           |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.12.1:compile
[INFO] |  |           |  |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.12.1:compile
[INFO] |  |           |  |  \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.12.1:compile
[INFO] |  |           |  |     \- jakarta.activation:jakarta.activation-api:jar:1.2.1:compile
[INFO] |  |           |  \- com.github.java-json-tools:json-patch:jar:1.13:compile
[INFO] |  |           |     +- com.github.java-json-tools:msg-simple:jar:1.2:compile
[INFO] |  |           |     |  \- com.github.java-json-tools:btf:jar:1.3:compile
[INFO] |  |           |     \- com.github.java-json-tools:jackson-coreutils:jar:2.0:compile
[INFO] |  |           |        +- com.github.java-json-tools.jackson-coreutils:jackson-coreutils:jar:2.0:compile
[INFO] |  |           |        \- com.github.java-json-tools.jackson-coreutils:jackson-coreutils-equivalence:jar:2.0:compile
[INFO] |  |           |           \- com.google.guava:guava:jar:30.1-jre:runtime
[INFO] |  |           |              +- com.google.guava:failureaccess:jar:1.0.1:runtime
[INFO] |  |           |              +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:runtime
[INFO] |  |           |              +- org.checkerframework:checker-qual:jar:2.5.2:runtime
[INFO] |  |           |              +- com.google.errorprone:error_prone_annotations:jar:2.2.0:runtime
[INFO] |  |           |              \- com.google.j2objc:j2objc-annotations:jar:1.3:runtime
[INFO] |  |           \- org.jboss.resteasy:resteasy-jaxb-provider:jar:4.5.9.Final:compile
[INFO] |  |              +- org.jboss.spec.javax.xml.bind:jboss-jaxb-api_2.3_spec:jar:2.0.0.Final:compile
[INFO] |  |              \- org.glassfish.jaxb:jaxb-runtime:jar:2.3.3-b02:compile
[INFO] |  |                 +- org.glassfish.jaxb:txw2:jar:2.3.3-b02:compile
[INFO] |  |                 \- com.sun.istack:istack-commons-runtime:jar:3.0.10:compile
[INFO] |  \- org.apache.kafka:kafka-clients:jar:2.7.0:compile
[INFO] |     +- com.github.luben:zstd-jni:jar:1.4.5-6:compile
[INFO] |     +- org.lz4:lz4-java:jar:1.7.1:compile
[INFO] |     \- org.xerial.snappy:snappy-java:jar:1.1.7.7:compile
[INFO] \- org.apache.avro:avro:jar:1.10.2:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-core:jar:2.12.1:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.1:compile
[INFO]    |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.1:compile
[INFO]    +- org.apache.commons:commons-compress:jar:1.20:compile
[INFO]    \- org.slf4j:slf4j-api:jar:1.7.30:compile
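The check both comments above perform by hand (run `dependency:tree`, find the `org.jboss.resteasy` artifacts, work out which direct dependency carries them), as an added example that is not Apicurio Registry project code. It is a small Python parser for the text Maven prints: it rebuilds the parent chain of every artifact and reports each artifact of a watched group whose version sorts below the fixed version the issue names (4.6.0.Final), together with the chain that pulls it in, which in this issue runs through keycloak-admin-client. The embedded sample tree is a trimmed excerpt of the output quoted above; the version comparator is a simplified stand-in for Maven's own ordering and the `Artifact` tuple, `find_outdated` and `WATCHED` are names chosen for this example.

```python
"""Flag outdated transitive dependencies in `mvn dependency:tree` text output.

Added example (not Apicurio Registry project code): rebuilds the parent chain
of every artifact Maven prints and reports each artifact of a watched group
whose version sorts below the fixed version, naming what drags it in.
"""
import re
from collections import namedtuple

LOG_PREFIX = "[INFO] "
# Maven draws the tree with three-character cells in front of each coordinate;
# the number of cells is the artifact's depth.
TREE_CELLS = ("+- ", "\\- ", "|  ", "   ")
COORD = re.compile(r"^[\w.\-]+(?::[\w.\-]+){3,5}$")  # g:a:type[:cls]:ver[:scope]
RELEASE_ALIASES = {"final", "ga", "release"}         # same as no qualifier
QUALIFIER_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2,
                  "m": 2, "rc": 3, "cr": 3, "snapshot": 4}  # unknown -> 5

Artifact = namedtuple("Artifact", "group artifact version scope")


def parse_coordinate(text):
    parts = text.split(":")
    if len(parts) == 4:      # the root module line carries no scope
        return Artifact(parts[0], parts[1], parts[3], "")
    if len(parts) == 5:
        return Artifact(parts[0], parts[1], parts[3], parts[4])
    if len(parts) == 6:      # classifier present
        return Artifact(parts[0], parts[1], parts[4], parts[5])
    raise ValueError(f"unrecognised coordinate: {text!r}")


def parse_tree(output):
    """Yield (artifact, path); path runs from the root module down to and
    including the artifact itself."""
    stack = []               # stack[d] is the most recent artifact at depth d
    for raw in output.splitlines():
        if not raw.startswith(LOG_PREFIX):
            continue
        line, depth = raw[len(LOG_PREFIX):], 0
        while line[:3] in TREE_CELLS:
            line, depth = line[3:], depth + 1
        if not COORD.match(line):
            continue         # banner, plugin header and similar log lines
        del stack[depth:]    # a line at depth d closes every deeper subtree
        stack.append(parse_coordinate(line))
        yield stack[-1], list(stack)


def _strip_trailing_zeros(key):
    while key and key[-1] == (2, 0, ""):
        key.pop()


def version_key(version):
    """Sortable key for Maven-style versions; a simplified stand-in for Maven's
    own ordering. Final/GA/RELEASE equal the bare version, trailing zeros are
    dropped, and a qualifier sorts below the release it precedes
    (element tags: 0 qualifier < 1 end marker < 2 number)."""
    key = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        if tok.isdigit():
            key.append((2, int(tok), ""))
        elif tok.lower() not in RELEASE_ALIASES:
            _strip_trailing_zeros(key)
            key.append((0, QUALIFIER_RANK.get(tok.lower(), 5), tok.lower()))
    _strip_trailing_zeros(key)
    key.append((1, 0, ""))
    return key


def find_outdated(output, minimums):
    """Return [(artifact, path)] for artifacts whose group is in `minimums`
    and whose version sorts below the fixed version given for that group."""
    return [(art, path) for art, path in parse_tree(output)
            if art.group in minimums
            and version_key(art.version) < version_key(minimums[art.group])]


# Constructed sample: the branch of the dependency:tree output quoted in this
# issue that carries Resteasy, with unrelated siblings trimmed.
SAMPLE_TREE = r"""
[INFO] io.apicurio:apicurio-registry-serdes-avro-serde:jar:2.1.0.Final
[INFO] +- io.apicurio:apicurio-registry-serde-common:jar:2.1.0.Final:compile
[INFO] |  +- io.apicurio:apicurio-registry-client:jar:2.1.0.Final:compile
[INFO] |  |  \- io.apicurio:apicurio-registry-common:jar:2.1.0.Final:compile
[INFO] |  |     \- io.apicurio:apicurio-common-rest-client-auth:jar:0.0.5.Final:compile
[INFO] |  |        \- org.keycloak:keycloak-admin-client:jar:14.0.0:compile
[INFO] |  |           +- org.jboss.resteasy:resteasy-client:jar:4.5.9.Final:compile
[INFO] |  |           |  \- org.jboss.resteasy:resteasy-core:jar:4.5.9.Final:compile
[INFO] |  |           \- org.jboss.resteasy:resteasy-jackson2-provider:jar:4.5.9.Final:compile
[INFO] |  \- org.apache.kafka:kafka-clients:jar:2.7.0:compile
[INFO] \- org.apache.avro:avro:jar:1.10.2:compile
"""
WATCHED = {"org.jboss.resteasy": "4.6.0.Final"}   # fixed version from the issue

if __name__ == "__main__":
    for art, path in find_outdated(SAMPLE_TREE, WATCHED):
        print(f"{art.group}:{art.artifact}:{art.version} < {WATCHED[art.group]}")
        print("    via " + " -> ".join(f"{a.artifact}:{a.version}" for a in path))
```

Run as a script it prints the three 4.5.9.Final Resteasy artifacts, each with the chain from the root module through keycloak-admin-client; feeding it the full `./mvnw dependency:tree` output instead of the embedded sample gives the same report for a real build. Reporting the chain rather than only the artifact is the useful part for this kind of finding: it shows that bumping the project's own Resteasy version would not help, because the old jars arrive through the Keycloak client, so the fix has to be a managed-version override or a Keycloak/Quarkus upgrade.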

carlesarnal commented 2 years ago

@tomasAlabes we should be able to close this with 2.2.1.Final

tomasAlabes commented 2 years ago

Closing after verifying in 2.1.1.Final. Thanks!