h2oai / h2o-3

H2O is an Open Source, Distributed, Fast & Scalable Machine Learning Platform: Deep Learning, Gradient Boosting (GBM) & XGBoost, Random Forest, Generalized Linear Modeling (GLM with Elastic Net), K-Means, PCA, Generalized Additive Models (GAM), RuleFit, Support Vector Machine (SVM), Stacked Ensembles, Automatic Machine Learning (AutoML), etc.
http://h2o.ai
Apache License 2.0

new vulnerability: sonatype-2024-3350 #16391

Closed wendycwong closed 2 months ago

wendycwong commented 2 months ago

When scanning h2o 3.46.0.5, Nexus IQ (Sonatype) found a new vulnerability: sonatype-2024-3350

Explanation

The Apache commons-collections packages are vulnerable to a Denial of Service (DoS) attack. The add() method of the SetUniqueList class mishandles the order of operations when invoking its parent List implementation. Consequently, adding an instance of itself results in infinite recursion and deviates from the behavior defined by the standard JRE List contract. A remote attacker who can cause an application to add SetUniqueList instances to themselves can exploit this vulnerability to crash the affected application with a StackOverflowError exception.

Detection

The application is vulnerable by using this component.

Recommendation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

Version Affected

[3.46.0.4,3.46.0.5]

wendycwong commented 2 months ago

When I looked at our jar, I found the following:

```
(base) wendycwong@m16pro-100675 build % jar ft h2o.jar | grep commons-collection
META-INF/maven/commons-collections/
META-INF/maven/commons-collections/commons-collections/
META-INF/maven/commons-collections/commons-collections/pom.xml
META-INF/maven/commons-collections/commons-collections/pom.properties
META-INF/maven/org.apache.commons/commons-collections4/
META-INF/maven/org.apache.commons/commons-collections4/pom.xml
META-INF/maven/org.apache.commons/commons-collections4/pom.properties
```
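The `jar ft | grep` listing above shows which Maven metadata directories are bundled but not the versions they carry, and a grep of the h2o-3 source for `SetUniqueList` says nothing about whether the class ships inside the fat jar. The following Python script is an added example, not code from the h2o-3 project or from this thread: it reads every `META-INF/maven/*/*/pom.properties` entry in a jar, reports groupId/artifactId/version for each commons-collections artifact, and lists any `SetUniqueList.class` entries present. The jar it scans is a constructed stand-in built in memory with the same `META-INF/maven` paths as the listing; the `3.2.2` and `4.4` version strings come from the thread, and the two `SetUniqueList.class` paths are assumed to follow the `org.apache.commons.collections` / `org.apache.commons.collections4` package layout.

```python
"""Inventory commons-collections artifacts bundled in a fat jar.

Added example (not h2o-3 project code). Point it at a real jar with
`inventory(open("h2o.jar", "rb").read())`; the sample below is constructed.
"""
import io
import re
import sys
import zipfile

MAVEN_PREFIX = "META-INF/maven/"


def build_sample_jar() -> bytes:
    """Constructed stand-in for h2o.jar.

    Mirrors the META-INF/maven paths from the `jar ft` listing and adds
    pom.properties bodies plus placeholder class entries (assumed package
    layout; the 4-byte class-file magic stands in for real bytecode).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "META-INF/maven/commons-collections/commons-collections/pom.properties",
            "#Generated by Maven\nversion=3.2.2\n"
            "groupId=commons-collections\nartifactId=commons-collections\n",
        )
        z.writestr(
            "META-INF/maven/org.apache.commons/commons-collections4/pom.properties",
            "version=4.4\ngroupId=org.apache.commons\n"
            "artifactId=commons-collections4\n",
        )
        z.writestr("org/apache/commons/collections/list/SetUniqueList.class",
                   b"\xca\xfe\xba\xbe")
        z.writestr("org/apache/commons/collections4/list/SetUniqueList.class",
                   b"\xca\xfe\xba\xbe")
        z.writestr("water/H2O.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def parse_pom_properties(text: str) -> dict:
    """Parse the key=value lines of a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def inventory(jar_bytes: bytes, artifact_pattern: str = r"commons-collections"):
    """Return (artifacts, class_entries) for a jar given as bytes.

    artifacts: sorted list of (groupId, artifactId, version) whose artifactId
               matches artifact_pattern.
    class_entries: sorted list of zip entries named SetUniqueList.class, i.e.
               the class the Sonatype finding is about, regardless of whether
               the application's own code references it.
    """
    artifacts = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        for name in names:
            if name.startswith(MAVEN_PREFIX) and name.endswith("/pom.properties"):
                props = parse_pom_properties(z.read(name).decode("utf-8", "replace"))
                if re.search(artifact_pattern, props.get("artifactId", "")):
                    artifacts.append((props.get("groupId", "?"),
                                      props.get("artifactId", "?"),
                                      props.get("version", "?")))
        class_entries = sorted(n for n in names if n.endswith("/SetUniqueList.class"))
    return sorted(artifacts), class_entries


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    arts, classes = inventory(data)
    for group, artifact, version in arts:
        print(f"{group}:{artifact}:{version}")
    for entry in classes:
        print("bundled:", entry)
```

Running it against the constructed jar reports both `commons-collections:commons-collections:3.2.2` and `org.apache.commons:commons-collections4:4.4`, which is the situation described later in the thread: the scanner flags the bundled component by version, so a source-level grep for the class does not settle the finding on its own.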

wendycwong commented 2 months ago

However, when I try to find references to SetUniqueList, I cannot find any in our code base.

The current version of Apache commons-collections is 4.4, which was released in Jun 2024. We can upgrade to this one by restricting Apache commons-collections to 4.4.

valenad1 commented 2 months ago

[image]

wendycwong commented 2 months ago

According to @valenad1 , upgrade to 4.4 won't be easy because version 3 is not compatible as stated here: https://commons.apache.org/proper/commons-collections/release_4_0.html.

As you can see in Adam's comment picture, we have both latest version 4.4 and 3.2.2.

Note that we need Hadoop for Parquet and S3A export.

So, as long as they don't use Parquet or S3A export, there is nothing for them to fear from this security issue.

valenad1 commented 2 months ago

It seems like the customer just needs to connect to a remote h2o. So h2o_client should be enough and should pass security and legal checks more easily.

hemenkapadia commented 2 months ago

@wendycwong @valenad1 - I have informed the customer about the incompatibility of CC 4.4.

They mentioned H2O-3 version 3.46.0.4 was not flagged for this vulnerability. They will pivot to that version. I have also not received any further actionable input on this vulnerability, and it is not mentioned anywhere on the internet.

Also, I remember you last mentioned SetUniqueList is not used in h2o-3 code; is it used in the case of Parquet or S3A export? How do you plan to handle this in future versions of H2O-3 if this becomes a public CVE?

wendycwong commented 2 months ago

Hemen:

Per Adam's suggestion, if they only use the H2O-3 client (which can be downloaded from PyPI), it does not contain the H2O-3 jar, and therefore they should not find any vulnerabilities there.

In the future, if this vulnerability becomes a CVE, there is usually more information on the CVE website that directs us on how to resolve it. They usually provide very good instructions on how to fix things. Currently, Adam was not able to find any useful information in what they sent us.

Wendy

On Sep 23, 2024, at 6:11 PM, Hemen Kapadia wrote:


hemenkapadia commented 2 months ago

We can close this at this point.