OxalisCommunity / Oxalis-AS4

PEPPOL AS4 pMode plugin for Oxalis

Snyk and Trivy report two vulnerabilities in the CXF version Oxalis-AS4 uses #198

Closed post-svejk closed 1 year ago

post-svejk commented 1 year ago

See for example:

Sven-Jrgens-MacBook-Pro:Oxalis-AS4 svejk$ snyk test

Testing /Users/svejk/src/Oxalis-AS4...

Tested 80 dependencies for known issues, found 4 issues, 4 vulnerable paths.

Issues to fix by upgrading:

  Upgrade org.apache.cxf:cxf-core@3.3.8 to org.apache.cxf:cxf-core@3.4.10 to fix
  ✗ Server-side Request Forgery (SSRF) (new) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECXF-3168315] in org.apache.cxf:cxf-core@3.3.8
    introduced by org.apache.cxf:cxf-core@3.3.8

  Upgrade org.apache.cxf:cxf-rt-transports-http@3.3.8 to org.apache.cxf:cxf-rt-transports-http@3.4.10 to fix
  ✗ Information Exposure (new) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECXF-3168313] in org.apache.cxf:cxf-rt-transports-http@3.3.8
    introduced by org.apache.cxf:cxf-rt-transports-http@3.3.8

  Upgrade org.apache.wss4j:wss4j-ws-security-common@2.2.7 to org.apache.wss4j:wss4j-ws-security-common@2.4.0 to fix
  ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135] in com.fasterxml.woodstox:woodstox-core@5.0.3
    introduced by org.apache.wss4j:wss4j-ws-security-common@2.2.7 > org.apache.santuario:xmlsec@2.1.7 > com.fasterxml.woodstox:woodstox-core@5.0.3
  ✗ XML External Entity (XXE) Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754] in com.fasterxml.woodstox:woodstox-core@5.0.3
    introduced by org.apache.wss4j:wss4j-ws-security-common@2.2.7 > org.apache.santuario:xmlsec@2.1.7 > com.fasterxml.woodstox:woodstox-core@5.0.3

I made a draft attempt to solve the issues by upgrading CXF and WSS4J. See the PR: https://github.com/OxalisCommunity/Oxalis-AS4/pull/197
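As an added example (not code from this issue or from the Oxalis project), the following parser turns the Snyk CLI text output quoted above into structured findings and derives which direct dependency upgrades are needed at a given severity floor. It assumes the exact line layout the Snyk CLI printed above ("Upgrade X@old to X@new to fix", a "✗" line per finding, and an "introduced by" path); the sample text is constructed from that output.

```python
import re

# Constructed sample: the Snyk CLI text output quoted in the issue (three of its four findings).
SNYK_OUTPUT = """\
  Upgrade org.apache.cxf:cxf-core@3.3.8 to org.apache.cxf:cxf-core@3.4.10 to fix
  ✗ Server-side Request Forgery (SSRF) (new) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECXF-3168315] in org.apache.cxf:cxf-core@3.3.8
    introduced by org.apache.cxf:cxf-core@3.3.8

  Upgrade org.apache.wss4j:wss4j-ws-security-common@2.2.7 to org.apache.wss4j:wss4j-ws-security-common@2.4.0 to fix
  ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135] in com.fasterxml.woodstox:woodstox-core@5.0.3
    introduced by org.apache.wss4j:wss4j-ws-security-common@2.2.7 > org.apache.santuario:xmlsec@2.1.7 > com.fasterxml.woodstox:woodstox-core@5.0.3
  ✗ XML External Entity (XXE) Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754] in com.fasterxml.woodstox:woodstox-core@5.0.3
    introduced by org.apache.wss4j:wss4j-ws-security-common@2.2.7 > org.apache.santuario:xmlsec@2.1.7 > com.fasterxml.woodstox:woodstox-core@5.0.3
"""

# One "Upgrade X@old to X@new to fix" header precedes the findings it fixes;
# each finding has a "✗" line and an "introduced by" dependency path.
UPGRADE_RE = re.compile(r"^\s*Upgrade (\S+)@\S+ to \S+@(\S+) to fix")
ISSUE_RE = re.compile(r"^\s*✗ (.+?) \[(\w+) Severity\]\[(\S+)\] in (\S+)$")
PATH_RE = re.compile(r"^\s*introduced by (.+)$")
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

def parse_snyk_text(text):
    """Return a list of findings, each tagged with the direct-dependency upgrade that fixes it."""
    findings, direct, fix = [], None, None
    for line in text.splitlines():
        if m := UPGRADE_RE.match(line):
            direct, fix = m[1], m[2]
        elif m := ISSUE_RE.match(line):
            findings.append({"title": m[1].replace(" (new)", ""), "severity": m[2], "url": m[3],
                             "vulnerable": m[4], "direct_dep": direct, "fix_version": fix, "path": []})
        elif (m := PATH_RE.match(line)) and findings:
            # Transitive path from the direct dependency down to the vulnerable artifact.
            findings[-1]["path"] = [p.strip() for p in m[1].split(">")]
    return findings

def upgrade_plan(findings, min_severity="High"):
    """Map each direct dependency to the version Snyk recommends, for findings at or above min_severity."""
    plan = {}
    for f in findings:
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[min_severity]:
            plan[f["direct_dep"]] = f["fix_version"]
    return plan

if __name__ == "__main__":
    for f in parse_snyk_text(SNYK_OUTPUT):
        print(f"{f['severity']:>8}  {f['vulnerable']}  via {' > '.join(f['path'])}")
    print("upgrade:", upgrade_plan(parse_snyk_text(SNYK_OUTPUT)))
```

Note that the Medium-severity woodstox DoS shares its fix with the Critical XXE, so the plan is the same whether or not Medium findings are included; the path list shows why upgrading xmlsec or woodstox alone would not be enough without a compatible wss4j.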

post-svejk commented 1 year ago

Thanks for the quick response, @aaron-kumar! Dealing with the signature algorithm was really what I was missing in my draft PR, so it is no longer needed. However, I ran into new signature algorithm problems when testing this release. See next issue.