search

cescoffier / vertx-kubernetes-workshop

A workshop showing how to develop reactive microservices with Vert.x and deploy them with Kubernetes
Apache License 2.0
44 stars 28 forks source link

Dependency org.infinispan:infinispan-commons, leading to CVE problem #21

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi, In vertx-kubernetes-workshop/portfolio-service,there is a dependency org.infinispan:infinispan-commons:9.1.1.Final that calls the risk method.

CVE-2019-10174

The scope of this CVE affected version is [,9.4.17.Final),[10.0.0.Alpha1,10.0.0.Final)

After further analysis, in this project, the main Api called is <org.infinispan.commons.util.ReflectionUtil: java.lang.Object invokeAccessibly(java.lang.Object,java.lang.reflect.Method,java.lang.Object[])>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 8

<org.infinispan.commons.util.ReflectionUtil: java.lang.Object invokeAccessibly(java.lang.Object,java.lang.reflect.Method,java.lang.Object[])>
at <org.infinispan.factories.AbstractComponentRegistry: void invokeInjectionMethod(java.lang.Object,org.infinispan.factories.components.ComponentMetadata$InjectMetadata)> (org.infinispan.factories.AbstractComponentRegistry.java:[252]) in /.m2/repository/org/infinispan/infinispan-core/9.1.1.Final/infinispan-core-9.1.1.Final.jar
at <org.infinispan.factories.AbstractComponentRegistry: void wireDependencies(java.lang.Object)> (org.infinispan.factories.AbstractComponentRegistry.java:[148]) in /.m2/repository/org/infinispan/infinispan-core/9.1.1.Final/infinispan-core-9.1.1.Final.jar
at <org.infinispan.stream.impl.intops.object.PeekOperation: void handleInjection(org.infinispan.factories.ComponentRegistry)> (org.infinispan.stream.impl.intops.object.PeekOperation.java:[30]) in /.m2/repository/org/infinispan/infinispan-core/9.1.1.Final/infinispan-core-9.1.1.Final.jar
at <org.infinispan.stream.impl.local.AbstractLocalCacheStream: java.util.stream.BaseStream createStream()> (org.infinispan.stream.impl.local.AbstractLocalCacheStream.java:[74]) in /.m2/repository/org/infinispan/infinispan-core/9.1.1.Final/infinispan-core-9.1.1.Final.jar
at <org.infinispan.stream.impl.local.LocalCacheStream: void forEach(java.util.function.Consumer)> (org.infinispan.stream.impl.local.LocalCacheStream.java:[266]) in /.m2/repository/org/infinispan/infinispan-core/9.1.1.Final/infinispan-core-9.1.1.Final.jar
at <org.infinispan.container.offheap.OffHeapDataContainer$ValueCollection: void forEach(java.util.function.Consumer)> (org.infinispan.container.offheap.OffHeapDataContainer$ValueCollection.java:[404]) in /.m2/repository/org/infinispan/infinispan-core/9.1.1.Final/infinispan-core-9.1.1.Final.jar
at <io.vertx.workshop.portfolio.PortfolioConverter: void fromJson(java.lang.Iterable,io.vertx.workshop.portfolio.Portfolio)> (io.vertx.workshop.portfolio.PortfolioConverter.java:[25]) in /detect/unzip/vertx-kubernetes-workshop-master/portfolio-service/target/classes

Dependency tree--

[INFO] io.vertx.workshop:portfolio-service:jar:1.0-SNAPSHOT
[INFO] +- io.vertx:vertx-config:jar:3.6.3:compile
[INFO] +- io.vertx:vertx-infinispan:jar:3.6.3:compile
[INFO] |  +- org.infinispan:infinispan-multimap:jar:9.4.0.Final:compile
[INFO] |  +- com.github.ben-manes.caffeine:caffeine:jar:2.6.2:compile
[INFO] |  +- org.infinispan:infinispan-clustered-lock:jar:9.4.0.Final:compile
[INFO] |  +- org.infinispan:infinispan-clustered-counter:jar:9.4.0.Final:compile
[INFO] |  \- io.reactivex.rxjava2:rxjava:jar:2.2.4:compile
[INFO] +- org.infinispan:infinispan-cloud:jar:9.1.1.Final:compile
[INFO] |  \- org.infinispan:infinispan-core:jar:9.1.1.Final:compile
[INFO] |     +- org.infinispan:infinispan-commons:jar:9.1.1.Final:compile
[INFO] |     +- org.jgroups:jgroups:jar:4.0.6.Final:compile
[INFO] |     +- org.jboss.spec.javax.transaction:jboss-transaction-api_1.1_spec:jar:1.0.1.Final:compile
[INFO] |     +- org.jboss.marshalling:jboss-marshalling-osgi:jar:2.0.0.Beta3:compile
[INFO] |     \- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] +- org.jgroups.kubernetes:jgroups-kubernetes:jar:1.0.3.Final:compile
[INFO] |  \- net.oauth.core:oauth:jar:20100527:compile
[INFO] +- io.vertx:vertx-service-proxy:jar:3.6.3:compile
[INFO] +- io.vertx:vertx-service-proxy:jar:processor:3.6.3:compile
[INFO] +- io.vertx:vertx-sockjs-service-proxy:jar:3.6.3:compile
[INFO] +- io.vertx:vertx-core:jar:3.6.3:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.30.Final:compile
[INFO] |  +- io.netty:netty-buffer:jar:4.1.30.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.30.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.30.Final:compile
[INFO] |  |  \- io.netty:netty-codec:jar:4.1.30.Final:compile
[INFO] |  +- io.netty:netty-handler-proxy:jar:4.1.30.Final:compile
[INFO] |  |  \- io.netty:netty-codec-socks:jar:4.1.30.Final:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.30.Final:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.30.Final:compile
[INFO] |  +- io.netty:netty-resolver:jar:4.1.30.Final:compile
[INFO] |  +- io.netty:netty-resolver-dns:jar:4.1.30.Final:compile
[INFO] |  |  \- io.netty:netty-codec-dns:jar:4.1.30.Final:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.9.8:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
[INFO] |     \- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.8:compile
[INFO] +- io.vertx:vertx-lang-kotlin:jar:3.6.3:compile
[INFO] |  \- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.3.20:compile
[INFO] |     +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.3.20:compile
[INFO] |     |  +- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.3.20:compile
[INFO] |     |  \- org.jetbrains:annotations:jar:13.0:compile
[INFO] |     \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.3.20:compile
[INFO] +- io.vertx:vertx-rx-java2:jar:3.6.3:compile
[INFO] |  +- org.reactivestreams:reactive-streams:jar:1.0.2:compile
[INFO] |  \- io.vertx:vertx-rx-gen:jar:3.6.3:compile
[INFO] +- io.vertx:vertx-rx-java2-gen:jar:3.6.3:compile
[INFO] +- io.vertx:vertx-codegen:jar:3.6.3:compile
[INFO] |  \- org.mvel:mvel2:jar:2.3.1.Final:compile
[INFO] +- io.vertx:vertx-web:jar:3.6.3:compile
[INFO] |  +- io.vertx:vertx-web-common:jar:3.6.3:compile
[INFO] |  +- io.vertx:vertx-auth-common:jar:3.6.3:compile
[INFO] |  \- io.vertx:vertx-bridge-common:jar:3.6.3:compile
[INFO] +- io.vertx:vertx-web-client:jar:3.6.3:compile
[INFO] +- io.vertx:vertx-service-discovery:jar:3.6.3:compile
[INFO] +- io.vertx:vertx-circuit-breaker:jar:3.6.3:compile
[INFO] |  \- org.hdrhistogram:HdrHistogram:jar:2.1.10:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 3 years ago

@cescoffier Could please help me check this issue? May I pull a request to fix it? Thanks again.

cescoffier commented 3 years ago

The infinispan version you want contain breaking changes. I guess the only solution would be to switch to Vert.x 4, but that would require some efforts.