ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

Indirect dependency to vulnerable Xerces, CVE-2017-10355 #743

Closed lathspell closed 1 year ago

lathspell commented 1 year ago

Describe the bug

OWASP Dependency Check reports:

xercesImpl-2.12.2.jar (pkg:maven/xerces/xercesImpl@2.12.2) : CVE-2017-10355

This is due to an indirect dependency of your library:

 +--- org.owasp.esapi:esapi:2.5.0.0
 |    +--- org.owasp.antisamy:antisamy:1.7.0
 |    |    +--- net.sourceforge.htmlunit:neko-htmlunit:2.63.0
 |    |    |    \--- xerces:xercesImpl:2.12.2

Specify what ESAPI version(s) you are experiencing this bug in: latest

To Reproduce

./gradlew depChAn

kwwall commented 1 year ago

A few things here. First, this is referenced in the ESAPI 2.5.0.0 release notes: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt#L124-L132

CVE-2017-10355 is associated with library xercesImpl-2.12.2.jar, which is a transitive dependency, pulled in via AntiSamy. But based on the CPE, it seems to be a different Xerces jar (see below).

It is a Denial of Service vulnerability with a CVSSv3 score of 5.9.

Both the ESAPI and AntiSamy teams believe that this CVE is a false positive with respect to these 2 projects.

Dependency Check itself doesn't flag this and neither does Snyk. Dependency Check reports it because it is reported directly by Sonatype's OSS Index.

For further details, see https://ossindex.sonatype.org/vulnerability/sonatype-2017-0348?component-type=maven&component-name=xerces%2FxercesImpl

The Sonatype OSS Index seems to have the wrong CPE. The Sonatype OSS Index has cpe:2.3:a:xerces:xercesImpl:2.12.2:*:*:*:*:*:*:* whereas the CPE IDs associated with NIST's NVD are cpe:2.3:a:apache:xerces-j:2.12.2:*:*:*:*:*:*:* and cpe:2.3:a:apache:xerces2_java:2.12.2:*:*:*:*:*:*:*, which seems to be a different (forked?) Xerces release. We have spoken to Sonatype about this, but they have been unresponsive thus far regarding this. Note however, that Sonatype's flagship commercial SCA product, Nexus IQ, does not show this CVE for either ESAPI 2.5.0.0 or for AntiSamy 1.7.0. If it did, perhaps we would have more leverage to get it corrected. It is also not flagged as a vulnerability in https://mvnrepository.com/artifact/xerces/xercesImpl.

Note also that this has been reported as GitHub issue #4614 in Dependency Check: https://github.com/jeremylong/DependencyCheck/issues/4614

Lastly, there is nothing that we can do to fix this as 2.12.2 is the latest version of Xerces implementation released.

If you believe it might be helpful to call this out more specifically in Vulnerability-Summary.md (let me know in a follow-up comment), I can do that on the next ESAPI release, but otherwise, I am marking this closed as a False Positive of whatever SCA tool that you are using.
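To make the CPE mismatch described in the comment above concrete, here is an added example (not code from ESAPI, AntiSamy or Dependency Check) that parses the OSS Index CPE and the two NVD CPEs quoted in the thread and reports which naming fields disagree. The field names follow the CPE 2.3 formatted-string layout; the match rule (ANY matches anything, otherwise exact equality on part, vendor, product and version) is an assumed simplification of full CPE name matching.

```python
import re

# Field names of a CPE 2.3 formatted string, in order, after the "cpe:2.3" prefix.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 string into named fields, honouring backslash-escaped colons."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    # CPE comparison is case-insensitive, so normalise values to lower case.
    return dict(zip(CPE23_FIELDS, (p.replace("\\:", ":").lower() for p in parts[2:])))


def field_matches(a: str, b: str) -> bool:
    """ANY ('*') matches anything; otherwise the two values must be identical."""
    return a == "*" or b == "*" or a == b


def explain_mismatch(tool_cpe: str, nvd_cpes: list[str]) -> list[str]:
    """Compare the CPE an SCA tool matched against the CPEs NVD lists for the CVE.

    Returns an empty list when at least one NVD CPE agrees on part, vendor,
    product and version (a genuine match); otherwise one reason per NVD CPE,
    naming the fields that differ, which is the evidence for a false positive.
    """
    tool = parse_cpe23(tool_cpe)
    reasons = []
    for nvd_cpe in nvd_cpes:
        nvd = parse_cpe23(nvd_cpe)
        diffs = [f for f in ("part", "vendor", "product", "version")
                 if not field_matches(tool[f], nvd[f])]
        if not diffs:
            return []
        reasons.append(f"{nvd_cpe}: differs in {', '.join(diffs)}")
    return reasons


# Sample input constructed from the CPEs quoted in the thread above.
OSS_INDEX_CPE = "cpe:2.3:a:xerces:xercesImpl:2.12.2:*:*:*:*:*:*:*"
NVD_CPES = ["cpe:2.3:a:apache:xerces-j:2.12.2:*:*:*:*:*:*:*",
            "cpe:2.3:a:apache:xerces2_java:2.12.2:*:*:*:*:*:*:*"]

if __name__ == "__main__":
    for reason in explain_mismatch(OSS_INDEX_CPE, NVD_CPES):
        print("possible false positive:", reason)
```

Both NVD CPEs differ from the OSS Index CPE in vendor and product, which is the discrepancy the comment above points to; the same check can be run against any CPE pair an SCA report hands you before deciding whether to suppress the finding.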