Kurento / bugtracker

[ARCHIVED] Contents migrated to monorepo: https://github.com/Kurento/kurento

Published Critical vulnerabilities in kurento utils #644

Closed RobotnickIsrael closed 1 year ago

RobotnickIsrael commented 1 year ago

The Kurento-utils JS client, for some reason, has jar files in it. In them you can find sdp-translator, which uses "xstream".

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability that may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

In addition, kurento-utils has old "log4j", "maven-shared-util" and "maven-shared-utils", all of which have known and published vulnerabilities that SonarQube marks as critical.

Now I'm guessing it's not even used (since they are jar files in a js application), so maybe it's possible to just take them out? Or update their versions to the fixed ones?

github-actions[bot] commented 1 year ago

Hello @RobotnickIsrael! :wave: we're sorry you found a bug... so first of all, thank you very much for reporting it.

However, your report doesn't follow the issue template, so it is being automatically closed. We are really sorry for that, but we need all reports to follow the template, or else it won't be possible to understand and help with all issues.

Please, create a new issue following the template, or reopen this same issue to edit and provide all required information.

j1elo commented 1 year ago

Kurento-utils js client, for some reason has jar files in it.

I don't see that kurento-utils-js (NPM package kurento-utils) has any jar file itself. Can you please point to what you mean?

But yes, it does depend on sdp-translator, a package that, apart from its JavaScript code, seems to bundle a complete Maven artifact too. sdp-translator is itself actually a renamed build of sdp-interop, an old Jitsi package. The fact that it includes both JS and Java modules leads me to think that its developers thought of making a single package that could be used for both platforms, although it seems to me a pretty arguable decision.

I do not think the vulnerability applies here, because as you mentioned, JS code will not end up invoking the vulnerable Java dependency. And in any case, there is not much that can be done. This is a summary of the situation:

For all these reasons, kurento-utils was considered deprecated and it is currently marked as unmaintained, with a big warning on the README page: https://github.com/Kurento/kurento-utils-js. The Kurento JS tutorials still depend on it because they just work, and because there are not enough hands to do the bulk work of removing this dependency and replacing it with adequate calls directly to the WebRTC API. Otherwise, for actual apps, the strong recommendation is to avoid using it.

RobotnickIsrael commented 1 year ago

Hi Juan,

The problematic jar files are in:

node_modules/sdp-translator/m2/repository/com/thoughworks/xstream/xstream/1.4.3
node_modules/sdp-translator/m2/repository/com/thoughworks/xstream/xstream-parent/1.4.3


Anyway, I checked what you said and you are right. I have imported kurento-utils since that's how it was in the examples, but I never actually used it, and I don't seem to need it at all to work.

Thank you very much (:

Israel