Project-MONAI / MONAILabel

MONAI Label is an intelligent open source image labeling and learning tool.
https://docs.monai.io/projects/label
Apache License 2.0
565 stars 185 forks

change blossom-ci to ACL security format [skip ci] #1706

Closed YanxuanLiu closed 1 week ago

YanxuanLiu commented 2 weeks ago

Requested by security to prevent DDoS. The new format is provided by the blossom team.

YanxuanLiu commented 2 weeks ago

/build

github-actions[bot] commented 2 weeks ago

:thumbsdown: Promotion blocked, new vulnerability found

Vulnerability report

Component: Apache Ivy
Vulnerability: CVE-2022-46751 (https://github.com/advisories/GHSA-2jc4-r94c-rp7h)
Severity: HIGH
Description: Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This issue affects any version of Apache Ivy prior to 2.5.2.

When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.

This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.

Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be made more lenient via newly introduced system properties where needed.

Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".

Component: Netty Project
Vulnerability: CVE-2023-34462 (https://github.com/advisories/GHSA-6mjq-h674-j845)
Severity: MEDIUM
Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final.

Component: Netty Project
Vulnerability: CVE-2023-44487 (https://github.com/advisories/GHSA-qppj-fm5r-hxr3)
Severity: HIGH
Description: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
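The Ivy finding above describes a generic XML parsing weakness rather than anything specific to this repository: a parser that fetches external DTDs and expands the entities they declare lets a crafted Ivy file or POM read any file the build machine can reach and ship it to the attacker. What follows is an added example, not Ivy's code and not part of this PR. It reproduces the mechanism with Python's standard xml.sax parser (expat), where the feature_external_ges switch plays the role of the JAXP external-access properties the advisory points to. The secret file, the malicious DTD and the Ivy-style document are all constructed in a temporary directory so that the example runs offline; in a real attack the DTD would be served from an attacker-controlled URL referenced by a dependency's metadata.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data and records entities the parser skipped."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.skipped = []

    def characters(self, content):
        self.text.append(content)

    def skippedEntity(self, name):
        self.skipped.append(name)


def parse_text(xml_bytes, allow_external):
    """Parse xml_bytes and return (text, skipped_entity_names).

    allow_external=True behaves like an Ivy release before 2.5.2: the
    external DTD is fetched and external entities are expanded.
    allow_external=False is the hardened setting (Python's own default since
    3.7.1, the equivalent of restricting external DTD / external general
    entity access through the JAXP properties named in the advisory).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.text), handler.skipped


def build_fixture(workdir):
    """Write a constructed 'secret' file and a malicious external DTD into
    workdir and return an Ivy-style document that references the DTD.
    A local file stands in for an attacker-hosted DTD so this runs offline."""
    secret = os.path.join(workdir, "secret.txt")
    with open(secret, "w") as f:
        f.write("constructed-secret-token")  # constructed sample data
    dtd = os.path.join(workdir, "evil.dtd")
    with open(dtd, "w") as f:
        # The external DTD declares an entity whose value is the secret file.
        f.write('<!ENTITY leak SYSTEM "%s">\n' % secret)
    doc = ('<?xml version="1.0"?>\n'
           '<!DOCTYPE ivy-module SYSTEM "%s">\n'
           '<ivy-module><info organisation="example">&leak;</info></ivy-module>\n'
           % dtd)
    return doc.encode()


def demo():
    """Parse the same document permissively and hardened.

    Returns (text_seen_by_permissive_parser, text_seen_by_hardened_parser,
    entities_the_hardened_parser_skipped)."""
    with tempfile.TemporaryDirectory() as workdir:
        doc = build_fixture(workdir)
        leaked, _ = parse_text(doc, allow_external=True)
        safe, skipped = parse_text(doc, allow_external=False)
    return leaked, safe, skipped


if __name__ == "__main__":
    leaked, safe, skipped = demo()
    print("permissive parser saw:", repr(leaked))
    print("hardened parser saw:  ", repr(safe), "skipped entities:", skipped)
```

The permissive parse returns the content of secret.txt as ordinary character data, which is exactly what lets a build tool leak credentials or internal files into an attacker-visible channel; the hardened parse never opens the DTD, reports the unresolved entity as skipped, and carries on, which is the behaviour Ivy 2.5.2 adopts by default for its own configuration and Ivy files.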

YanxuanLiu commented 1 week ago

/build

github-actions[bot] commented 1 week ago

:thumbsdown: Promotion blocked, new vulnerability found

Vulnerability report

Component: Apache Ivy
Vulnerability: CVE-2022-46751 (https://github.com/advisories/GHSA-2jc4-r94c-rp7h)
Severity: HIGH
Description: Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This issue affects any version of Apache Ivy prior to 2.5.2.

When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.

This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.

Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be made more lenient via newly introduced system properties where needed.

Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".

Component: Netty Project
Vulnerability: CVE-2023-34462 (https://github.com/advisories/GHSA-6mjq-h674-j845)
Severity: MEDIUM
Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final.

Component: Netty Project
Vulnerability: CVE-2023-44487 (https://github.com/advisories/GHSA-qppj-fm5r-hxr3)
Severity: HIGH
Description: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

pxLi commented 1 week ago

@YanxuanLiu please add the item to the internal exception list and retry, thanks

Nic-Ma commented 1 week ago

Hi @Yun, @Yucheng,

Please check this issue report.

Thanks.


Nic-Ma commented 1 week ago

CC @Mingxin


YanxuanLiu commented 1 week ago

/build

github-actions[bot] commented 1 week ago

:thumbsdown: Promotion blocked, new vulnerability found

Vulnerability report

Component: Netty Project
Vulnerability: CVE-2023-34462 (https://github.com/advisories/GHSA-6mjq-h674-j845)
Severity: MEDIUM
Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final.

Component: Netty Project
Vulnerability: CVE-2023-44487 (https://github.com/advisories/GHSA-qppj-fm5r-hxr3)
Severity: HIGH
Description: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

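
The HTTP/2 finding (CVE-2023-44487) is a rate problem rather than a parsing bug: every stream a client opens costs the server work that does not stop when the client immediately resets the stream, so a client can keep the server busy without ever exceeding its max-concurrent-streams limit. The block below is an added example, not Netty's fix and not code from this PR. It shows the shape of the mitigation HTTP/2 servers generally shipped for this issue, a per-connection budget on client-initiated RST_STREAM frames inside a sliding time window, run over a constructed frame trace. The threshold (100 resets per second), the dictionary representation of a frame and the trace itself are assumptions made for the illustration.

```python
from collections import deque


class RapidResetGuard:
    """Per-connection guard against HTTP/2 Rapid Reset (CVE-2023-44487).

    Counts client-initiated RST_STREAM frames inside a sliding window and
    tells the caller to close the connection (GOAWAY) once the count exceeds
    the budget.  Threshold and window are illustrative assumptions, not the
    values of any particular server.
    """

    def __init__(self, max_resets=100, window_seconds=1.0):
        self.max_resets = max_resets
        self.window = window_seconds
        self.reset_times = deque()   # timestamps of recent resets
        self.open_streams = set()    # streams the client opened and not yet reset

    def _expire(self, now):
        # Drop resets that fell out of the window.
        while self.reset_times and now - self.reset_times[0] > self.window:
            self.reset_times.popleft()

    def on_frame(self, frame):
        """Feed one parsed frame, a dict with keys 'ts', 'type', 'stream_id'
        (assumed representation).  Returns 'ok' or 'goaway'."""
        now = frame["ts"]
        sid = frame["stream_id"]
        if frame["type"] == "HEADERS":
            self.open_streams.add(sid)
        elif frame["type"] == "RST_STREAM":
            # Only a reset of a stream the client itself opened counts; a reset
            # of an unknown stream is a protocol error handled elsewhere.
            if sid in self.open_streams:
                self.open_streams.discard(sid)
                self.reset_times.append(now)
                self._expire(now)
                if len(self.reset_times) > self.max_resets:
                    return "goaway"
        return "ok"


def make_frames(n_streams, reset_after, spacing):
    """Constructed trace: the client opens n_streams streams `spacing` seconds
    apart and resets each one `reset_after` seconds after opening it."""
    frames = []
    for i in range(n_streams):
        sid = 2 * i + 1  # client-initiated streams carry odd identifiers
        t = i * spacing
        frames.append({"ts": t, "type": "HEADERS", "stream_id": sid})
        frames.append({"ts": t + reset_after, "type": "RST_STREAM", "stream_id": sid})
    frames.sort(key=lambda f: f["ts"])
    return frames


def run(frames, **guard_args):
    """Return the index of the frame at which the guard sends GOAWAY,
    or None if the whole trace is accepted."""
    guard = RapidResetGuard(**guard_args)
    for i, frame in enumerate(frames):
        if guard.on_frame(frame) == "goaway":
            return i
    return None


if __name__ == "__main__":
    # Attack: 1000 streams opened and cancelled within roughly 0.1 s.
    attack = make_frames(1000, reset_after=0.0001, spacing=0.0001)
    # Benign: a client that cancels one request every 50 ms.
    benign = make_frames(200, reset_after=0.01, spacing=0.05)
    print("attack trace closed at frame index", run(attack))
    print("benign trace closed at frame index", run(benign))
```

The guard deliberately counts resets rather than open streams, because the attack keeps the number of concurrently open streams small; the budget is per connection, so a GOAWAY affects only the misbehaving client. The SniHandler finding in the same report is the same class of problem at a different layer, a per-channel allocation with no idle timeout bounding how long an attacker can hold it, and the corresponding fix is likewise a bound (idle timeout plus a size check on the ClientHello-derived length) rather than a parser change.
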
Nic-Ma commented 1 week ago

Thanks – the risk seems to be Java-related. Any ideas how this may affect MONAI-related projects?

Mingxin


YanxuanLiu commented 1 week ago

/build

YanxuanLiu commented 1 week ago

@Nic-Ma I've added the vulnerabilities to the exception list. But there is still a failure of the build (3.11) workflow, which blocks merging the PR. Could you help to check the failure?

Nic-Ma commented 1 week ago

ping @KumoLiu

Thanks.

KumoLiu commented 1 week ago

@YanxuanLiu I have rerun the job, it works well now.