search

cescoffier / vertx-microservices-workshop

Vert.x Microservices Hand's on lab
http://escoffier.me/vertx-hol/
Apache License 2.0
330 stars 196 forks source link

Dependency io.vertx:vertx-core, leading to CVE problem #48

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi, In vertx-microservices-workshop/vertx-workshop-common,there is a dependency io.vertx:vertx-core:3.4.1 that calls the risk method.

CVE-2019-17640

The scope of this CVE affected version is [3.4.0, 3.9.4)

After further analysis, in this project, the main Api called is <io.vertx.core.eventbus.impl.EventBusImpl: boolean deliverMessageLocally(io.vertx.core.eventbus.impl.MessageImpl)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 9

<io.vertx.core.eventbus.impl.EventBusImpl: boolean deliverMessageLocally(io.vertx.core.eventbus.impl.MessageImpl)>
at <io.vertx.core.eventbus.impl.EventBusImpl: void deliverMessageLocally(io.vertx.core.eventbus.impl.EventBusImpl$SendContextImpl)> (io.vertx.core.eventbus.impl.EventBusImpl.java:[347]) in /home/wc/.m2/repository/io/vertx/vertx-core/3.4.1/vertx-core-3.4.1.jar
at <io.vertx.core.eventbus.impl.EventBusImpl: void sendOrPub(io.vertx.core.eventbus.impl.EventBusImpl$SendContextImpl)> (io.vertx.core.eventbus.impl.EventBusImpl.java:[320]) in /home/wc/.m2/repository/io/vertx/vertx-core/3.4.1/vertx-core-3.4.1.jar
at <io.vertx.core.eventbus.impl.EventBusImpl$SendContextImpl: void next()> (io.vertx.core.eventbus.impl.EventBusImpl$SendContextImpl.java:[450]) in /home/wc/.m2/repository/io/vertx/vertx-core/3.4.1/vertx-core-3.4.1.jar
at <io.vertx.core.eventbus.impl.EventBusImpl: void sendOrPubInternal(io.vertx.core.eventbus.impl.MessageImpl,io.vertx.core.eventbus.DeliveryOptions,io.vertx.core.Handler)> (io.vertx.core.eventbus.impl.EventBusImpl.java:[418]) in /home/wc/.m2/repository/io/vertx/vertx-core/3.4.1/vertx-core-3.4.1.jar
at <io.vertx.core.eventbus.impl.EventBusImpl: io.vertx.core.eventbus.EventBus publish(java.lang.String,java.lang.Object,io.vertx.core.eventbus.DeliveryOptions)> (io.vertx.core.eventbus.impl.EventBusImpl.java:[131]) in /home/wc/.m2/repository/io/vertx/vertx-core/3.4.1/vertx-core-3.4.1.jar
at <io.vertx.core.eventbus.impl.EventBusImpl: io.vertx.core.eventbus.EventBus publish(java.lang.String,java.lang.Object)> (io.vertx.core.eventbus.impl.EventBusImpl.java:[126]) in /home/wc/.m2/repository/io/vertx/vertx-core/3.4.1/vertx-core-3.4.1.jar
at <io.vertx.servicediscovery.impl.DiscoveryImpl: void publish(io.vertx.servicediscovery.Record,io.vertx.core.Handler)> (io.vertx.servicediscovery.impl.DiscoveryImpl.java:[305]) in /home/wc/.m2/repository/io/vertx/vertx-service-discovery/3.4.1/vertx-service-discovery-3.4.1.jar
at <io.vertx.workshop.common.MicroServiceVerticle: void publish(io.vertx.servicediscovery.Record,io.vertx.core.Handler)> (io.vertx.workshop.common.MicroServiceVerticle.java:[64]) in /home/wc/detect/unzip/vertx-microservices-workshop-master/vertx-workshop-common/target/classes

Dependency tree--

[INFO] io.vertx.workshop:vertx-workshop-common:jar:1.0-SNAPSHOT
[INFO] +- io.vertx:vertx-rx-java:jar:3.4.1:compile
[INFO] |  \- io.reactivex:rxjava:jar:1.2.7:compile
[INFO] +- io.vertx:vertx-core:jar:3.4.1:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.8.Final:compile
[INFO] |  +- io.netty:netty-buffer:jar:4.1.8.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.8.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.8.Final:compile
[INFO] |  |  \- io.netty:netty-codec:jar:4.1.8.Final:compile
[INFO] |  +- io.netty:netty-handler-proxy:jar:4.1.8.Final:compile
[INFO] |  |  \- io.netty:netty-codec-socks:jar:4.1.8.Final:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.8.Final:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.8.Final:compile
[INFO] |  +- io.netty:netty-resolver:jar:4.1.8.Final:compile
[INFO] |  +- io.netty:netty-resolver-dns:jar:4.1.8.Final:compile
[INFO] |  |  \- io.netty:netty-codec-dns:jar:4.1.8.Final:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.7.4:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.7.4:compile
[INFO] |     \- com.fasterxml.jackson.core:jackson-annotations:jar:2.7.0:compile
[INFO] +- io.vertx:vertx-service-proxy:jar:processor:3.4.1:compile
[INFO] +- io.vertx:vertx-lang-groovy:jar:3.4.1:compile
[INFO] |  \- org.codehaus.groovy:groovy-all:jar:2.4.7:compile
[INFO] +- io.vertx:vertx-lang-js:jar:3.4.1:compile
[INFO] +- io.vertx:vertx-codegen:jar:3.4.1:compile
[INFO] |  \- org.mvel:mvel2:jar:2.2.8.Final:compile
[INFO] +- io.vertx:vertx-sockjs-service-proxy:jar:3.4.1:compile
[INFO] |  \- io.vertx:vertx-service-proxy:jar:3.4.1:compile
[INFO] +- io.vertx:vertx-web:jar:3.4.1:compile
[INFO] |  \- io.vertx:vertx-auth-common:jar:3.4.1:compile
[INFO] +- io.vertx:vertx-web-client:jar:3.4.1:compile
[INFO] |  \- io.vertx:vertx-web-common:jar:3.4.1:compile
[INFO] +- io.vertx:vertx-hazelcast:jar:3.4.1:compile
[INFO] |  \- com.hazelcast:hazelcast:jar:3.6.3:compile
[INFO] +- io.vertx:vertx-service-discovery:jar:3.4.1:compile
[INFO] +- io.vertx:vertx-circuit-breaker:jar:3.4.1:compile
[INFO] |  \- org.hdrhistogram:HdrHistogram:jar:2.1.9:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 3 years ago

@cescoffier Could please help me check this issue? May I pull a request to fix it? Thanks again.

cescoffier commented 3 years ago

We can't update the dependency. We need to bump vert.x first and as I said in another issue, this is going to take some time and effort.