OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability details - SnakeYAML CVE-2022-38752 (affected versions) #328

Closed albertwangnz closed 1 year ago

albertwangnz commented 2 years ago

Vulnerability URL: https://ossindex.sonatype.org/vulnerability/CVE-2022-38752?component-type=maven&component-name=org.yaml/snakeyaml

Component URL: https://ossindex.sonatype.org/component/pkg:maven/org.yaml/snakeyaml

Description: According to both the developers and NVD, this CVE was fixed in SnakeYAML 1.32, but it is still being reported against that version by OSS Index.

https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081
https://github.com/jeremylong/DependencyCheck/issues/4839
https://nvd.nist.gov/vuln/detail/CVE-2022-38752

chadlwilson commented 1 year ago

Commit that fixes the issue: https://bitbucket.org/snakeyaml/snakeyaml/commits/5056a448f09c46250346c338e821386caa751182#chg-src/main/java/org/yaml/snakeyaml/constructor/SafeConstructor.java

chadlwilson commented 1 year ago

Hi @albertwangnz, since you've closed the issue, has this actually been fixed in the OSS Index data?

EugenMayer commented 1 year ago

IMHO it is not

albertwangnz commented 1 year ago

Hi @albertwangnz, since you've closed the issue, has this actually been fixed in the OSS Index data?

It is not. Sorry, I just reopened.

chadlwilson commented 1 year ago

Unfortunately, Sonatype don't seem to actually be looking at these community reports, despite the requests to report here. Not sure what is up with that.

ken-duck commented 1 year ago

Sorry for the delay. We are working hard at getting some new data visible for OSS Index users.

Specifically, in this case, Sonatype researchers determined that the issue was not completely resolved (in our opinion). Internally this is recorded as a "deviation notice". OSS Index does not currently report these deviations, but we are working on making them available soon (ish).

Here is the official text for this vulnerability:

The snakeyaml package is vulnerable to a Denial of Service (DoS) attack. The fillRecursive() method in the BaseConstructor class fails to limit the depth of recursion when parsing YAML data that contains recursive keys. A remote attacker who can supply YAML to be consumed by the application can exploit this vulnerability to cause the Java process to consume large amounts of available resources, potentially resulting in a DoS condition due to a StackOverflowError.

Advisory Deviation Notice: The Sonatype security research team discovered that this vulnerability was not fully addressed in version 1.32 as stated in the advisory, as this issue still affects users who enable allowRecursiveKeys.

Almost all of the issues reported here are due to deviations like this one, but it is taking some time to get the new code out.

albertwangnz commented 1 year ago

Sorry for the delay. We are working hard at getting some new data visible for OSS Index users.

Specifically, in this case, Sonatype researchers determined that the issue was not completely resolved (in our opinion). Internally this is recorded as a "deviation notice". OSS Index does not currently report these deviations, but we are working on making them available soon (ish).

Here is the official text for this vulnerability:

The snakeyaml package is vulnerable to a Denial of Service (DoS) attack. The fillRecursive() method in the BaseConstructor class fails to limit the depth of recursion when parsing YAML data that contains recursive keys. A remote attacker who can supply YAML to be consumed by the application can exploit this vulnerability to cause the Java process to consume large amounts of available resources, potentially resulting in a DoS condition due to a StackOverflowError. Advisory Deviation Notice: The Sonatype security research team discovered that this vulnerability was not fully addressed in version 1.32 as stated in the advisory, as this issue still affects users who enable allowRecursiveKeys.

Almost all of the issues reported here are due to deviations like this one, but it is taking some time to get the new code out.

Hi @ken-duck, I really appreciate your feedback. This really helps us to make a decision about how to process the issue. And I understand it takes time to expose the "deviation notice" information in an appropriate way.

But would it be possible for you to also share the deviation notice information for the issues https://github.com/OSSIndex/vulns/issues/316 and https://github.com/OSSIndex/vulns/issues/331? Without further information, we don't know how to process those two issues.

Thank you.

Regards, Albert

ken-duck commented 1 year ago

I will try and dig out the notices for those ones today. I’ll add them to the raised issues themselves.

Ken


ken-duck commented 1 year ago

Hi Albert. I am emailing you the details until the coding is done to make all this data public…

For sonatype-2017-0348:

Apache Xerces-J is vulnerable to a Denial of Service (DoS) attack. The setupCurrentEntity() method in the XMLEntityManager class lacks a connection timeout mechanism. A remote attacker can exploit this vulnerability by supplying an XML document containing a URL to their malicious FTP server. This URL is then retrieved and stored in the expandedSystemId object, and used to instantiate a URLConnection. Once the server begins fetching the resource, the attacker's server would then exit abruptly, leaving the connection in a CLOSE_WAIT status. The attacker would need to issue one request per thread, eventually leading to a DoS as the application repeatedly attempts to fetch the FTP resource.

NOTE: This vulnerability was assigned CVE-2017-10355.

Incidentally, this vulnerability can be mitigated by upgrading your Java JDK to 6u171 or above (for 6.x), 7u161 or above (for 7.x), 8u151 or above (for 8.x), or 9.0.1 or above (for 9.x).

For sonatype-2022-2249:

The styled-components package has an Unintended Behavior. The postinstall.js file looks for users using a ru time-zone to show a political protest message using the console.warn() function. Also, the absence of this file in the 5.3.4 version causes a crash when the package is installed.

I hope these details help.

Ken


albertwangnz commented 1 year ago


Thanks a lot for your kind help, @ken-duck!

Regards, Albert

marcelstoer commented 1 year ago

@ken-duck I don't understand how the details you reported above are related to the issue here.

Furthermore, I suggest you further analyze what @chadlwilson posted at https://github.com/jeremylong/DependencyCheck/issues/4919#issuecomment-1279680785.

If you (i.e. Sonatype) stick to the earlier assessment that

The Sonatype security research team discovered that this vulnerability was not fully addressed in version 1.32 as stated in the advisory, as this issue still affects users who enable allowRecursiveKeys.

then I'm afraid this won't ever be resolved. If you enable allowRecursiveKeys then, in order to be spec-compliant, any YAML library will have to give you exactly that: recursion. Then whoever enabled that feature is responsible for the consequences. MITRE/NIST understand that and updated the CVE accordingly.
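For readers who want to confirm where their own application stands on the point raised in the advisory text above (the recursive-key path in BaseConstructor) and in this reply (recursion only happens if allowRecursiveKeys is enabled), the following is an added example, not code from OSS Index, Sonatype or the SnakeYAML project. It assumes SnakeYAML 1.32 or later on the classpath; the class name RecursiveKeyCheck, the two YAML documents and the chosen limits are constructed for the example. It pins the loader settings a defender would want for untrusted input and shows that a document whose key aliases its own mapping is refused by the library's own check rather than recursed into.

```java
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

/**
 * Hypothetical helper (not part of SnakeYAML or OSS Index) showing the loader
 * settings to pin when YAML comes from an untrusted source, and what happens
 * to a recursive-key document under them. Assumes SnakeYAML 1.32 or later.
 */
public class RecursiveKeyCheck {

    // Constructed sample: a flow mapping anchored as &a whose only key is an
    // alias to that same mapping. Building the key needs the mapping that
    // contains it, which is the recursive-key case the advisory describes.
    static final String RECURSIVE_KEY_DOC = "&a { *a : 1 }\n";

    // Constructed sample with ordinary anchor/alias reuse, which must still load.
    static final String BENIGN_DOC = "defaults: &d { timeout: 30 }\nservice: *d\n";

    /** Loader options for untrusted input: recursion off, depth and alias counts bounded. */
    static LoaderOptions untrustedOptions() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowRecursiveKeys(false);     // already the default; explicit so a change shows up in review
        opts.setNestingDepthLimit(50);         // bounds structural depth accepted by the parser (added in 1.32)
        opts.setMaxAliasesForCollections(50);  // bounds alias expansion (the "billion laughs" pattern)
        opts.setAllowDuplicateKeys(false);     // silent key shadowing is a common source of config surprises
        return opts;
    }

    /** Parses YAML with SafeConstructor, so only standard YAML types are instantiated. */
    static Object loadUntrusted(String yaml) {
        LoaderOptions opts = untrustedOptions();
        DumperOptions dumperOptions = new DumperOptions();
        Yaml parser = new Yaml(new SafeConstructor(opts), new Representer(dumperOptions), dumperOptions, opts);
        return parser.load(yaml);
    }

    public static void main(String[] args) {
        System.out.println("benign document loaded: " + loadUntrusted(BENIGN_DOC));
        try {
            loadUntrusted(RECURSIVE_KEY_DOC);
            System.out.println("recursive key was accepted; check allowRecursiveKeys in your LoaderOptions");
        } catch (YAMLException e) {
            // Expected path with allowRecursiveKeys=false: the constructor refuses the
            // recursive key up front instead of descending into it.
            System.out.println("rejected recursive key: " + e.getMessage());
        }
    }
}
```

Compile and run with the snakeyaml jar on the classpath. The benign document prints the two maps; the recursive-key document is rejected with a YAMLException. If your code base constructs Yaml without passing LoaderOptions through, or calls setAllowRecursiveKeys(true) anywhere, that is the configuration the deviation notice is talking about, and grepping for that setter is the quickest way to find it.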

chadlwilson commented 1 year ago

Seems they have re-assessed this, as both 1.32 and 1.33 are no longer considered to have any vulnerabilities, so I think this can be closed now.

https://ossindex.sonatype.org/component/pkg:maven/org.yaml/snakeyaml


albertwangnz commented 1 year ago

Seems they have re-assessed this, as both 1.32 and 1.33 are no longer considered to have any vulnerabilities, so I think this can be closed now.

https://ossindex.sonatype.org/component/pkg:maven/org.yaml/snakeyaml


Thank you, @chadlwilson. I just noticed this message. I will close this issue.