eclipse-ee4j / glassfish

Eclipse GlassFish
https://eclipse-ee4j.github.io/glassfish/

CVE-2022-42920 for org.glassfish.web-jakarta.servlet.jsp.jstl-3.0.1 #25123

Closed Rajas-B closed 1 month ago

Rajas-B commented 2 months ago

A Black Duck scan showed that there is a critical vulnerability, CVE-2022-42920, in the jar mentioned above. This vulnerability is present in org/eclipse/tags/shaded/org/apache/bcel. I am unsure of the version of org.apache.bcel-bcel being used in the library.

Environment Details


Problem Description

A critical vulnerability

Steps to reproduce

A jar that imports jakarta.servlet.jsp.jstl-api and the GlassFish implementation of the Jakarta library. A Black Duck scan indicates that there is a critical vulnerability.

P.S: I am not entirely certain if this is the correct process or place to raise this specific issue. If there is a more appropriate way or another platform to report this, I would appreciate any guidance on how to proceed. Thank you for your assistance.

dmatej commented 2 months ago

Good catch, however this belongs rather to the Eclipse Wasp project, which shades BCEL into its own jar. https://github.com/eclipse-ee4j/wasp @arjantijms, can you take a look and transfer the issue there?

avpinchuk commented 2 months ago

FYI, Wasp relocates shaded BCEL from Xalan 2.7.3. If I'm not mistaken, Xalan 2.7.3 shades BCEL 6.7.0.

dmatej commented 2 months ago

> FYI, Wasp relocates shaded BCEL from Xalan 2.7.3. If I'm not mistaken, Xalan 2.7.3 shades BCEL 6.7.0.

Note that we need to take care of both versions, for GF7 (Wasp 3.2.x) and for GF8 (4.x.x) ... but both refer to Xalan 2.7.3 ... which has a pom.xml without dependencies, so just the exclusion in Wasp's pom doesn't make sense to me ... however all maintained + supported GlassFish versions use the fixed version, therefore I believe we can close this issue.

Maybe we could just find out which GF version was affected by this CVE?

https://repo1.maven.org/maven2/xalan/xalan/2.7.3/xalan-2.7.3.pom https://github.com/apache/xalan-java/blob/master/xalan/pom.xml

dmatej commented 2 months ago

Wasp 3.2.1, using Xalan 2.7.3, using BCEL 6.7.0, has been used since GlassFish 7.0.10: https://github.com/eclipse-ee4j/glassfish/pull/24624
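The reporter's difficulty above (BCEL classes are visible under the relocated package, but no BCEL version is recorded in the jar) is what makes the Wasp -> Xalan -> BCEL trace in this thread necessary. The following is an added illustration, not code from the GlassFish or Wasp projects: it inspects a jar for classes under the relocated prefix named in the report and lists whatever Maven coordinates the jar's own `pom.properties` files record; the sample jar it builds is constructed for the demo and is not the real artifact.

```python
import io
import zipfile

# Relocated package prefix named in the report (Wasp shades BCEL under it).
SHADED_BCEL_PREFIX = "org/eclipse/tags/shaded/org/apache/bcel/"


def inspect_jar(jar_bytes: bytes) -> dict:
    """Count relocated BCEL classes and collect groupId:artifactId -> version
    from every META-INF/maven/**/pom.properties entry in the jar."""
    info = {"shaded_bcel_classes": 0, "maven_coords": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith(SHADED_BCEL_PREFIX) and name.endswith(".class"):
                info["shaded_bcel_classes"] += 1
            elif name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = dict(
                    line.split("=", 1)
                    for line in jar.read(name).decode().splitlines()
                    if "=" in line and not line.startswith("#")
                )
                coord = f"{props.get('groupId')}:{props.get('artifactId')}"
                info["maven_coords"][coord] = props.get("version")
    # Shading normally drops the shaded dependency's own pom.properties, so this
    # is None in practice; the version then has to be traced via the shading chain.
    bcel = [c for c in info["maven_coords"] if c.startswith("org.apache.bcel:")]
    info["bcel_version_recorded"] = info["maven_coords"][bcel[0]] if bcel else None
    return info


def build_sample_jar() -> bytes:
    """Constructed sample jar (hypothetical layout, not the real jstl artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        # Minimal stand-in class entries (just the class-file magic bytes).
        jar.writestr(SHADED_BCEL_PREFIX + "classfile/ConstantPool.class", b"\xca\xfe\xba\xbe")
        jar.writestr(SHADED_BCEL_PREFIX + "Const.class", b"\xca\xfe\xba\xbe")
        jar.writestr(
            "META-INF/maven/org.glassfish.web/jakarta.servlet.jsp.jstl/pom.properties",
            "#Generated by Maven\ngroupId=org.glassfish.web\n"
            "artifactId=jakarta.servlet.jsp.jstl\nversion=3.0.1\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_jar(build_sample_jar()))
```

Run it against a real jar by passing `open(path, "rb").read()` to `inspect_jar`; a non-zero class count with `bcel_version_recorded` of None is exactly the situation the thread resolves by looking at which Wasp and Xalan versions the GlassFish release pulls in.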

hs536 commented 2 months ago

GitHub does not support Confidential Issues so we should move the discussion to a dedicated channel.

Eclipse Vulnerability Reporting

Rajas-B commented 2 months ago

Is this where I should raise this issue? Or should I raise an issue here?

hs536 commented 2 months ago

Please raise this issue on the GitLab (security/vulnerability-reports) as a wasp project issue.

## Basic information
**Project name:** Eclipse WaSP
**Project id:** ee4j.wasp

Rajas-B commented 1 month ago

Thanks, I have raised the issue on that page.