search

Red5 / red5-plugins

Red5 Server Plug-ins
50 stars 77 forks source link

Dependency org.apache.mina:mina-core, leading to CVE problem #37

Open CVEDetect opened 2 years ago

CVEDetect commented 2 years ago

Hi, In red5-plugins/mqtt,there is a dependency org.apache.mina:mina-core:2.0.16 that calls the risk method.

CVE-2019-0231

The scope of this CVE affected version is [,2.0.21),[2.1.0,2.1.1)

After further analysis, in this project, the main Api called is <org.apache.mina.core.service.AbstractIoService: void dispose(boolean)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 8

<org.apache.mina.core.service.AbstractIoService: void dispose(boolean)>
at <org.apache.mina.core.service.AbstractIoService: void dispose()> (org.apache.mina.core.service.AbstractIoService.java:[277]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.core.service.SimpleIoProcessorPool: void dispose()> (org.apache.mina.core.service.SimpleIoProcessorPool.java:[329]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.core.service.SimpleIoProcessorPool: void <init>(java.lang.Class,java.util.concurrent.Executor,int,java.nio.channels.spi.SelectorProvider)> (org.apache.mina.core.service.SimpleIoProcessorPool.java:[252]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.core.service.SimpleIoProcessorPool: void <init>(java.lang.Class,int)> (org.apache.mina.core.service.SimpleIoProcessorPool.java:[126]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.core.polling.AbstractPollingIoAcceptor: void <init>(org.apache.mina.core.session.IoSessionConfig,java.lang.Class,int)> (org.apache.mina.core.polling.AbstractPollingIoAcceptor.java:[134]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.transport.socket.nio.NioSocketAcceptor: void <init>(int)> (org.apache.mina.transport.socket.nio.NioSocketAcceptor.java:[73]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.red5.server.mqtt.net.MQTTTransport: void afterPropertiesSet()> (org.red5.server.mqtt.net.MQTTTransport.java:[74]) in /detect/unzip/red5-plugins-2.2.8/mqtt/target/classes

Dependency tree--

[INFO] org.red5:mqttplugin:jar:1.0
[INFO] +- org.red5:red5-server:jar:1.0.8-RELEASE:compile
[INFO] |  +- org.apache.tomcat:tomcat-servlet-api:jar:8.5.9:compile
[INFO] |  +- ch.qos.logback:logback-access:jar:1.1.7:compile
[INFO] |  +- org.springframework:spring-webmvc:jar:4.3.5.RELEASE:compile
[INFO] |  +- org.red5:red5-server-common:jar:1.0.8-RELEASE:compile
[INFO] |  |  +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] |  |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.4:compile
[INFO] |  |  +- org.apache.commons:commons-lang3:jar:3.5:compile
[INFO] |  |  +- commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO] |  |  |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |  |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  |  +- commons-codec:commons-codec:jar:1.10:compile
[INFO] |  |  \- org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
[INFO] |  +- org.red5:red5-io:jar:1.0.8-RELEASE:compile
[INFO] |  |  +- org.apache.tika:tika-core:jar:1.14:compile
[INFO] |  |  +- org.apache.tika:tika-parsers:jar:1.14:compile
[INFO] |  |  |  +- org.tallison:jmatio:jar:1.2:compile
[INFO] |  |  |  +- org.apache.james:apache-mime4j-core:jar:0.7.2:compile
[INFO] |  |  |  +- org.apache.james:apache-mime4j-dom:jar:0.7.2:compile
[INFO] |  |  |  +- org.apache.commons:commons-compress:jar:1.12:compile
[INFO] |  |  |  +- org.apache.pdfbox:pdfbox-tools:jar:2.0.3:compile
[INFO] |  |  |  |  \- org.apache.pdfbox:pdfbox-debugger:jar:2.0.3:compile
[INFO] |  |  |  +- org.apache.pdfbox:jempbox:jar:1.8.12:compile
[INFO] |  |  |  +- org.ccil.cowan.tagsoup:tagsoup:jar:1.2.1:compile
[INFO] |  |  |  +- org.ow2.asm:asm:jar:5.0.4:compile
[INFO] |  |  |  +- com.drewnoakes:metadata-extractor:jar:2.9.1:compile
[INFO] |  |  |  |  \- com.adobe.xmp:xmpcore:jar:5.1.2:compile
[INFO] |  |  |  +- de.l3s.boilerpipe:boilerpipe:jar:1.1.0:compile
[INFO] |  |  |  +- com.rometools:rome:jar:1.5.1:compile
[INFO] |  |  |  |  \- com.rometools:rome-utils:jar:1.5.1:compile
[INFO] |  |  |  +- com.googlecode.juniversalchardet:juniversalchardet:jar:1.0.3:compile
[INFO] |  |  |  +- commons-io:commons-io:jar:2.5:compile
[INFO] |  |  |  +- com.google.code.gson:gson:jar:2.2.4:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.1:compile
[INFO] |  |  +- net.sf.ehcache:ehcache-core:jar:2.6.11:compile
[INFO] |  |  \- com.googlecode.mp4parser:isoparser:jar:1.1.17:compile
[INFO] |  +- org.red5:red5-service:jar:1.0.8-RELEASE:compile
[INFO] |  |  \- commons-daemon:commons-daemon:jar:1.0.15:compile
[INFO] |  +- org.red5:red5-service:tar.gz:daemon:1.0.8-RELEASE:compile
[INFO] |  \- org.quartz-scheduler:quartz:jar:2.2.3:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.22:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.22:compile
[INFO] +- org.slf4j:jul-to-slf4j:jar:1.7.22:compile
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.22:compile
[INFO] +- ch.qos.logback:logback-core:jar:1.1.7:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.1.7:compile
[INFO] +- org.apache.mina:mina-core:bundle:2.0.16:compile
[INFO] +- org.apache.mina:mina-integration-jmx:bundle:2.0.16:compile
[INFO] |  \- ognl:ognl:jar:3.1.11:compile
[INFO] |     \- org.javassist:javassist:jar:3.16.1-GA:compile
[INFO] +- org.apache.mina:mina-integration-beans:bundle:2.0.16:compile
[INFO] +- org.springframework:spring-beans:jar:4.3.5.RELEASE:compile
[INFO] +- org.springframework:spring-context-support:jar:4.3.5.RELEASE:compile
[INFO] +- org.springframework:spring-context:jar:4.3.5.RELEASE:compile
[INFO] +- org.springframework:spring-core:jar:4.3.5.RELEASE:compile
[INFO] +- org.springframework:spring-expression:jar:4.3.5.RELEASE:compile
[INFO] +- org.springframework:spring-aop:jar:4.3.5.RELEASE:compile
[INFO] +- org.springframework:spring-web:jar:4.3.5.RELEASE:compile
[INFO] +- javax.servlet:servlet-api:jar:2.5:compile
[INFO] +- org.mapdb:mapdb:jar:1.0.6:compile
[INFO] +- com.lmax:disruptor:jar:3.3.2:compile
[INFO] \- org.hdrhistogram:HdrHistogram:jar:2.1.4:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 2 years ago

@mondain Could please help me check this issue? May I pull a request to fix it? Thanks again.

mondain commented 2 years ago

Yes, go ahead