OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Bug: https://ossindex.sonatype.org/vulnerability/sonatype-2017-0348 #316

Closed albertwangnz closed 1 year ago

albertwangnz commented 1 year ago

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/sonatype-2017-0348

Component URL

https://ossindex.sonatype.org/component/pkg:maven/xerces/xercesImpl

Description

OWASP Dependency-Check reports a published vulnerability CVE-2017-10355 (OSSINDEX). The references include OSSINDEX - [sonatype-2017-0348] CWE-833: Deadlock and OSSIndex - https://blogs.securiteam.com/index.php/archives/3271.

However, the descriptions of CVE-2017-10355 and CWE-833 are very different. And the blog is gone.

Shall I report the incorrect vulnerability ID here or to OWASP Dependency-Check?

The related discussion in jeremylong / DependencyCheck.

Thank you.

Regards, Albert

albertylw commented 1 year ago

According to https://github.com/jeremylong/DependencyCheck/issues/4614#issuecomment-1202512166, CVE-2017-10355 is a vulnerability that OSSINDEX returns on the API call as applicable for the xercesImpl library. However, it looks like xercesImpl is not subject to CVE-2017-10355.

Thank you.

aikebah commented 1 year ago

Appears to be corruption with an invalid cve value in the OSSINDEX vulnerability-data:

{
  "coordinates": "pkg:maven/xerces/xercesImpl@2.12.2",
  "description": "Xerces2 is the next generation of high performance, fully compliant XML parsers in the\n    Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),\n    a complete framework for building parser components and configurations that is extremely\n    modular and easy to program.",
  "reference": "https://ossindex.sonatype.org/component/pkg:maven/xerces/xercesImpl@2.12.2?utm_source\u003ddependency-check\u0026utm_medium\u003dintegration\u0026utm_content\u003d7.1.1",
  "vulnerabilities": [
    {
      "id": "sonatype-2017-0348",
      "displayName": "sonatype-2017-0348",
      "title": "[sonatype-2017-0348] CWE-833: Deadlock",
      "description": "sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)\n\nThe software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.",
      "cvssScore": 5.9,
      "cvssVector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "cwe": "CWE-833",
      "cve": "CVE-2017-10355",
      "reference": "https://ossindex.sonatype.org/vulnerability/sonatype-2017-0348?component-type\u003dmaven\u0026component-name\u003dxerces%2FxercesImpl\u0026utm_source\u003ddependency-check\u0026utm_medium\u003dintegration\u0026utm_content\u003d7.1.1",
      "externalReferences": [
        "https://blogs.securiteam.com/index.php/archives/3271"
      ]
    }
  ]
}

This is the cached vulnerability result.

albertwangnz commented 1 year ago

CVE-2017-10355 is not for xercesImpl but for Java. The xercesImpl's vulnerability is actually sonatype-2017-0348 and/or SNYK-JAVA-XERCES-31497. The Snyk entry indicates that xercesImpl 2.11.0 is patched for the vulnerability. The OSSINDEX entry indicates that xercesImpl 2.12.2 is still subject to the vulnerability, but the reference blog has been removed.

Can anybody in the OSSINDEX verify the status of sonatype-2017-0348? Is that still a valid issue or not?

ken-duck commented 1 year ago

Sorry for the delay. We are still working on developing processes to handle issues, and I have been away for a while (catching up now)!

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

albertwangnz commented 1 year ago

Hi @ken-duck , thank you for your update.

Albert

albertwangnz commented 1 year ago

Hi @ken-duck , is there any update about this one?

Thank you.

Regards, Albert

ken-duck commented 1 year ago

I am emailing you more detailed information pending the coding updates we have underway that will make the detailed data available to all OSS Index users.

albertwangnz commented 1 year ago

Reply from ken-duck

For sonatype-2017-0348:

Apache Xerces-J is vulnerable to a Denial of Service (DoS) attack. The setupCurrentEntity() method in the XMLEntityManager class lacks a connection timeout mechanism. A remote attacker can exploit this vulnerability by supplying an XML document containing a URL to their malicious FTP server. This URL is then retrieved and stored in the expandedSystemId object, and used to instantiate a URLConnection. Once the server begins fetching the resource, the attacker's server would then exit abruptly, leaving the connection in a CLOSE_WAIT status. The attacker would need to issue one request per thread, eventually leading to a DoS as the application repeatedly attempts to fetch the FTP resource.

NOTE: This vulnerability was assigned CVE-2017-10355.

Incidentally, this vulnerability can be mitigated by upgrading your Java JDK to 6u171 or above (for 6.x), 7u161 or above (for 7.x), 8u151 or above (for 8.x), or 9.0.1 or above (for 9.x).
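The advisory above describes the parser fetching an attacker-supplied FTP URL from the XML document. The JDK upgrade quoted from ken-duck is the stated fix; the following is an added example (not code from this thread, from Xerces or from Sonatype) of the complementary application-side hardening: a JAXP DocumentBuilder configured so external entities and DTDs are never dereferenced, so the remote fetch never starts. It assumes the application parses with the standard javax.xml.parsers API; the sample document and the ftp.example.invalid host are constructed for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Builds a DocumentBuilder that never dereferences external entities or DTDs,
    // so a document carrying an ftp:// system identifier is never fetched over the network.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE at all: the strongest setting, blocks external entities outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE is later allowed for some document class.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // JAXP 1.5: no protocols allowed
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        // Last guard: any entity that still reaches the resolver gets an empty stream, not a URLConnection.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an external entity whose system identifier is an FTP URL,
        // the shape of input the advisory describes. The host is a reserved .invalid name.
        String doc = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"ftp://ftp.example.invalid/x\">]>\n"
            + "<d>&ext;</d>";
        try {
            Document parsed = newHardenedBuilder()
                .parse(new ByteArrayInputStream(doc.getBytes(StandardCharsets.UTF_8)));
            System.out.println("parsed root: " + parsed.getDocumentElement().getTagName());
        } catch (SAXException e) {
            // With disallow-doctype-decl on, the DOCTYPE is rejected before any connection is opened.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If an older Xerces build does not recognise the JAXP 1.5 attributes, setAttribute throws IllegalArgumentException; the disallow-doctype-decl feature alone already prevents the fetch.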

albertwangnz commented 1 year ago

I got enough information about this issue. So I will close it.