google / guava

Google core libraries for Java
Apache License 2.0

CVE-2023-2976 in version 32.0.0 #6532

Closed malfoj89 closed 1 year ago

malfoj89 commented 1 year ago

Despite that, right now it is still present according to the OWASP report and other people: https://github.com/google/guava/issues/2575

cpovirk commented 1 year ago

Hmm, thanks. Do you know where OWASP gets its data? I went from https://owasp.org/www-project-dependency-check/ to https://search.maven.org/artifact/org.owasp/dependency-check-maven/8.2.1/maven-plugin, which matches https://github.com/launchdarkly/java-server-sdk/issues/308#issuecomment-1573214846 and suggests that the plugin's docs are at https://jeremylong.github.io/DependencyCheck/dependency-check-maven/, which mentions the NIST NVD.

I see no entry for CVE-2023-2976 at the NIST NVD (since the number is AFAIK still only "reserved"). I'm not sure where else OWASP is getting information from, since the NIST NVD data doesn't appear to even know that that number is associated with Guava.

Notably, Sonatype's OSSIndex considers the issue to be resolved in that version:

[screenshot]

cpovirk commented 1 year ago

> Other 3rd party services and data sources such as the NPM Audit API, the OSS Index, RetireJS, and Bundler Audit are utilized for specific technologies.

I would expect OSS Index to be the only one from that list that's relevant to Java. But maybe there are other sources, too.

cpovirk commented 1 year ago

I'm able to add org.owasp:dependency-check-maven:8.2.1 to a project that depends on guava-32.0.0-android, set failBuildOnAnyVulnerability, watch it download a bunch of stuff, and AFAICT report no problems:

[INFO] Processing Complete for NVD CVE - 2023  (1516 ms)
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - Modified  (140 ms)
[INFO] Processing Started for NVD CVE - Modified
[INFO] Processing Complete for NVD CVE - Modified  (571 ms)
[INFO] Begin database maintenance
[INFO] Updated the CPE ecosystem on 133788 NVD records
[INFO] Removed the CPE ecosystem on 3760 NVD records
[INFO] End database maintenance (9807 ms)
[INFO] Updating CISA Known Exploited Vulnerability list: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
[INFO] Begin database defrag
[INFO] End database defrag (3453 ms)
[INFO] Check for updates complete (111806 ms)
[INFO]

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

   About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
   False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html

💖 Sponsor: https://github.com/sponsors/jeremylong

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
[INFO] Writing report to: /usr/local/google/home/cpovirk/clients/truth-green/truth/core/target/dependency-check-report.html

I also looked at https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Agoogle%3Aguava%3A*%3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL%2CDEPRECATED&startIndex=80 and didn't see any entries after 30.1 (which is the second release in which Files.createTempDir was deprecated).

In contrast, if I downgrade to 29.0, I see an error:

guava-29.0-android.jar (pkg:maven/com.google.guava/guava@29.0-android, cpe:2.3:a:google:guava:29.0:*:*:*:*:*:*:*) : CVE-2023-2976, CVE-2020-8908

I wonder if it would help for people to run the OWASP plugin's update-only goal (or to delete any caches used by their CI, forcing it to re-download the data)? Maybe OSS Index temporarily considered CVE-2023-2976 to apply to 32.0.0 but some people's plugins haven't picked up their fix yet?
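The setup described in this comment (adding dependency-check-maven 8.2.1 to a project and turning on failBuildOnAnyVulnerability), as an added example that is not part of the thread or of Guava's own build. It assumes a consumer project's pom.xml; the suppression file path is a placeholder and the plugin parameters and goals used are the ones the plugin documents.

```xml
<!-- Added example: dependency-check-maven wired into a consumer project's pom.xml.
     Not from the Guava repository; the suppression file path is an assumed placeholder. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>8.2.1</version>
      <configuration>
        <!-- Fail the build on any reported CVE, as in the comment above.
             failBuildOnCVSS is the graded alternative if you want a threshold instead. -->
        <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
        <!-- Keep the NVD mirror current on every run; stale local data is one
             reason two machines can disagree about the same artifact. -->
        <autoUpdate>true</autoUpdate>
        <!-- Reviewed, time-boxed false-positive suppressions live in this file. -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

To refresh only the vulnerability data without running an analysis, the update-only goal mentioned above is invoked as `mvn org.owasp:dependency-check-maven:8.2.1:update-only`; the `purge` goal of the same plugin deletes the locally cached database, which is the clean way to force a CI runner to re-download data rather than hand-deleting cache directories.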

DominicTulley commented 1 year ago

For me, the report says that sonatype thinks it's an issue. https://ossindex.sonatype.org/vulnerability/CVE-2023-2976?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=dependency-check&utm_medium=integration&utm_content=8.1.2

cpovirk commented 1 year ago

Thanks. It would be nice if https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/guava let me see whether the data has changed over time. Are you in a position to try the update-only goal? Is there a repo I can clone and build to see if the error shows up on my machine?

pwagland commented 1 year ago

FWIW, earlier today https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/guava@32.0.0-jre most definitely showed a CVE in this release. Now it doesn't. So, if this is where the appropriate tool was getting data, then it should now be fixed, once caches are updated.

For me, in any case, this is no longer firing.

cpovirk commented 1 year ago

Excellent, thank you.

cpovirk commented 1 year ago

It sounds like the issue cleared up when Sonatype fixed their data. If anyone still sees trouble, let us know.

JoergHeinicke5005 commented 1 year ago

NVD changed their entry for https://nvd.nist.gov/vuln/detail/CVE-2023-2976 today to match up to excluding 32.0.1, i.e., as if 32.0.0 would still be affected. So CVE-2023-2976 is again being reported against 32.0.0.

sjamaan commented 1 year ago

> NVD changed their entry for https://nvd.nist.gov/vuln/detail/CVE-2023-2976 today to match up to excluding 32.0.1, i.e., as if 32.0.0 would still be affected. So CVE-2023-2976 is again being reported against 32.0.0.

I just noticed this too. What the hell are they thinking? This is such a nuisance. Is there a way to contact them to fix this?
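While an upstream data source is wrong, the tool's own answer is a suppression rule scoped as narrowly as possible and given an expiry, so the finding comes back automatically once the data is expected to be corrected. The following suppression file is an added example, not something from the thread or from Guava; the expiry date is an arbitrary placeholder, and the rule matches only the 32.0.0 artifacts discussed here rather than every Guava version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: dependency-check suppression for the false positive discussed above.
     Not from the thread; the "until" date is a placeholder to be set by the reviewer. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- "until" makes the suppression expire, so the CVE is reported again
       after that date unless someone consciously renews the rule. -->
  <suppress until="2023-12-31Z">
    <notes><![CDATA[
      CVE-2023-2976 is reported against guava 32.0.0 because of a version range in
      the NVD/OSS Index data. The thread google/guava#6532 tracks the data fix.
      Scope is deliberately limited to the 32.0.0 artifacts, not to all of Guava.
    ]]></notes>
    <!-- Package URL match restricted to guava 32.0.0 (jre or android classifier). -->
    <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@32\.0\.0(-jre|-android)?$</packageUrl>
    <cve>CVE-2023-2976</cve>
  </suppress>
</suppressions>
```

Point the plugin at this file through its suppressionFiles parameter. Keeping the packageUrl regex anchored to one version, and naming the CVE rather than suppressing the whole artifact, means a genuinely new Guava advisory would still fail the build.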

cpovirk commented 1 year ago

:( Thanks for the reports.

Does anyone know whether 32.0.0 is still reported as a problem? The NVD page shows "Up to (excluding) 32.0.0," so perhaps this is fixed?

pwagland commented 1 year ago

This seems to be resolved in our reports now. Thanks for your responsiveness!!