Closed albertwangnz closed 1 year ago
Hi @albertwangnz since you've closed the issue has this actually been fixed in the OSSindex data?
IMHO it is not
It is not. Sorry, I just reopened.
Unfortunately sonatype don't seem to actually be looking at these community reports despite the requests to report here. Not sure what is up with that.
Sorry for the delay. We are working hard at getting some new data visible for OSS Index users.
Specifically in this case Sonatype researchers determined that the issue was not completely resolved (in our opinion). Internally this is recorded as a "deviation notice". OSS Index does not currently report these deviations, but we are working on making them available soon (ish).
Here is the official text for this vulnerability:
The `snakeyaml` package is vulnerable to a Denial of Service (DoS) attack. The `fillRecursive()` method in the `BaseConstructor` class fails to limit the depth of recursion when parsing YAML data that contains recursive keys. A remote attacker who can supply YAML to be consumed by the application can exploit this vulnerability to cause the Java process to consume large amounts of available resources, potentially resulting in a DoS condition due to a `StackOverflowError`.

Advisory Deviation Notice: The Sonatype security research team discovered that this vulnerability was not fully addressed in version 1.32 as stated in the advisory, as this issue still affects users who enable `allowRecursiveKeys`.
Almost all of the issues reported here are due to deviations like this one, but it is taking some time to get the new code out.
Hi @ken-duck , I really appreciate your feedback. This really helps us to make a decision about how to process the issue. And I understand it takes time to expose the "deviation notice" information in an appropriate way.
But would it be possible for you to also share the deviation notice information for the issues https://github.com/OSSIndex/vulns/issues/316 and https://github.com/OSSIndex/vulns/issues/331? Without further information, we don't know how we can process those two issues.
Thank you.
Regards, Albert
I will try and dig out the notices for those ones today. I’ll add them to the raised issues themselves.
Ken
Hi Albert. I am emailing you the details until the coding is done to make all this data public…
For sonatype-2017-0348:
Apache Xerces-J is vulnerable to a Denial of Service (DoS) attack. The `setupCurrentEntity()` method in the `XMLEntityManager` class lacks a connection timeout mechanism. A remote attacker can exploit this vulnerability by supplying an XML document containing a URL to their malicious FTP server. This URL is then retrieved and stored in the `expandedSystemId` object, and used to instantiate a `URLConnection`. Once the server begins fetching the resource, the attacker's server would then exit abruptly, leaving the connection in a `CLOSE_WAIT` status. The attacker would need to issue one request per thread, eventually leading to a DoS as the application repeatedly attempts to fetch the FTP resource.
NOTE: This vulnerability was assigned CVE-2017-10355.
…
Incidentally, this vulnerability can be mitigated by upgrading your Java JDK to 6u171 or above (for 6.x), 7u161 or above (for 7.x), 8u151 or above (for 8.x), or 9.0.1 or above (for 9.x).
For sonatype-2022-2249:
The `styled-components` package has an Unintended Behavior. The `postinstall.js` file looks for users using a `ru` time-zone to show a political protest message using the `console.warn()` function. Also, the absence of this file in the 5.3.4 version causes a crash when the package is installed.
I hope these details help.
Ken
Thanks a lot for your so kind help, @ken-duck !
Regards, Albert
@ken-duck I don't understand how the details you reported above are related to the issue here.
Furthermore, I suggest you further analyze what @chadlwilson posted at https://github.com/jeremylong/DependencyCheck/issues/4919#issuecomment-1279680785.
If you (i.e. Sonatype) stick to the earlier assessment that

> The Sonatype security research team discovered that this vulnerability was not fully addressed in version 1.32 as stated in the advisory, as this issue still affects users who enable `allowRecursiveKeys`.

then I'm afraid this won't ever be resolved. If you enable `allowRecursiveKeys` then - in order to be spec compliant - any YAML library will have to give you exactly that: recursion. Then, whoever enabled that feature is responsible for the consequences. MITRE/NIST understand that and updated the CVE accordingly.
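The practical consequence of the deviation notice above and of this comment is that exposure hinges on one loader setting. As an added example (not code from this thread or from the SnakeYAML project), assuming the SnakeYAML 1.32/1.33 `LoaderOptions` API, here is the opt-in configuration the notice flags as still affected beside a hardened loader for untrusted input, plus a small audit helper:

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public final class SnakeYamlHardening {

    /** The configuration the deviation notice says is still affected in 1.32. */
    public static LoaderOptions affectedOptions() {
        LoaderOptions opts = new LoaderOptions();
        // Opt-in: lets fillRecursive() follow recursive keys without a depth bound.
        opts.setAllowRecursiveKeys(true);
        return opts;
    }

    /** Loader settings for YAML that comes from an untrusted source. */
    public static LoaderOptions hardenedOptions() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowRecursiveKeys(false);       // the default: recursive keys raise YAMLException
        opts.setNestingDepthLimit(50);           // 1.32+: bound node nesting depth
        opts.setMaxAliasesForCollections(50);    // bound alias expansion in collections
        opts.setCodePointLimit(3 * 1024 * 1024); // 1.32+: bound total input size
        return opts;
    }

    /** SafeConstructor only builds standard YAML types, never arbitrary Java classes. */
    public static Yaml safeLoader(LoaderOptions opts) {
        return new Yaml(new SafeConstructor(opts));
    }

    /** Audit helper (hypothetical name): true if the notice's condition applies. */
    public static boolean isAffectedByDeviation(LoaderOptions opts) {
        return opts.getAllowRecursiveKeys();
    }

    public static void main(String[] args) {
        // Constructed, benign sample document.
        String doc = "service: index\nlimits:\n  depth: 50\n";
        Object parsed = safeLoader(hardenedOptions()).load(doc);
        System.out.println("parsed: " + parsed);
        System.out.println("hardened affected? " + isAffectedByDeviation(hardenedOptions())); // false
        System.out.println("opt-in affected?   " + isAffectedByDeviation(affectedOptions()));  // true
    }
}
```

Running the audit helper over every `LoaderOptions` an application constructs is the quickest way to confirm whether the deviation notice applies to it at all.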
Seems they have re-assessed this as both `1.32` and `1.33` are no longer considered to have any vulnerabilities, so I think this can be closed now.
https://ossindex.sonatype.org/component/pkg:maven/org.yaml/snakeyaml
Thank you, @chadlwilson . I just noticed this message. Will close this issue.
Vulnerability URL: https://ossindex.sonatype.org/vulnerability/CVE-2022-38752?component-type=maven&component-name=org.yaml/snakeyaml
Component URL: https://ossindex.sonatype.org/component/pkg:maven/org.yaml/snakeyaml
Description: According to both the developers and NVD, this CVE was fixed in SnakeYAML 1.32, but is still being reported against it by OSSINDEX.
https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081
https://github.com/jeremylong/DependencyCheck/issues/4839
https://nvd.nist.gov/vuln/detail/CVE-2022-38752