harvard-lts / fits

File Information Tool Set
http://fitstool.org
GNU Lesser General Public License v2.1

Security vulnerability issues in version 1.6.0 #393

Open dkinzer opened 6 months ago

dkinzer commented 6 months ago

I have scanned a Hyku docker image built using Fits v1.6.0 for security vulnerabilities. The following issues were reported as coming from this project:

(Note: I tried to address the issues and create a PR, but my knowledge of the Java ecosystem is very limited and I failed to make changes that would not fail the build process.)

[{
  "VulnerabilityID": "CVE-2022-40152",
  "PkgPath": "app/fits/lib/droid/woodstox-core-5.0.3.jar",
  "InstalledVersion": "5.0.3",
  "Status": "fixed",
  "FixedVersion": "6.4.0, 5.4.0"
},
{
  "VulnerabilityID": "CVE-2022-23596",
  "PkgPath": "app/fits/lib/droid/junrar-4.0.0.jar",
  "InstalledVersion": "4.0.0",
  "Status": "fixed",
  "FixedVersion": "7.4.1"
},
{
  "VulnerabilityID": "CVE-2023-2976",
  "PkgPath": "app/fits/lib/jhove/guava-24.1.1-android.jar",
  "InstalledVersion": "24.1.1-android",
  "Status": "fixed",
  "FixedVersion": "32.0.0-android"
},
{
  "VulnerabilityID": "CVE-2023-2976",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "24.1.1-android",
  "Status": "fixed",
  "FixedVersion": "32.0.0-android"
},
{
  "VulnerabilityID": "CVE-2020-8908",
  "PkgPath": "app/fits/lib/jhove/guava-24.1.1-android.jar",
  "InstalledVersion": "24.1.1-android",
  "Status": "fixed",
  "FixedVersion": "32.0.0-android"
},
{
  "VulnerabilityID": "CVE-2020-8908",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "24.1.1-android",
  "Status": "fixed",
  "FixedVersion": "32.0.0-android"
},
{
  "VulnerabilityID": "CVE-2021-23792",
  "PkgPath": "app/fits/lib/jhove/imageio-metadata-3.4.1.jar",
  "InstalledVersion": "3.4.1",
  "Status": "fixed",
  "FixedVersion": "3.7.1"
},
{
  "VulnerabilityID": "CVE-2021-23792",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "3.4.1",
  "Status": "fixed",
  "FixedVersion": "3.7.1"
},
{
  "VulnerabilityID": "CVE-2012-5783",
  "PkgPath": "app/fits/lib/droid/commons-httpclient-3.1.jar",
  "InstalledVersion": "3.1",
  "Status": "fixed",
  "FixedVersion": "4.0"
},
{
  "VulnerabilityID": "CVE-2012-5783",
  "PkgPath": "app/fits/lib/nzmetool/commons-httpclient-3.1.jar",
  "InstalledVersion": "3.1",
  "Status": "fixed",
  "FixedVersion": "4.0"
},
{
  "VulnerabilityID": "CVE-2021-29425",
  "PkgPath": "app/fits/lib/droid/commons-io-2.6.jar",
  "InstalledVersion": "2.6",
  "Status": "fixed",
  "FixedVersion": "2.7"
},
{
  "VulnerabilityID": "CVE-2021-35515",
  "PkgPath": "app/fits/lib/droid/commons-compress-1.19.jar",
  "InstalledVersion": "1.19",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-35516",
  "PkgPath": "app/fits/lib/droid/commons-compress-1.19.jar",
  "InstalledVersion": "1.19",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-35517",
  "PkgPath": "app/fits/lib/droid/commons-compress-1.19.jar",
  "InstalledVersion": "1.19",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-36090",
  "PkgPath": "app/fits/lib/droid/commons-compress-1.19.jar",
  "InstalledVersion": "1.19",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2024-25710",
  "PkgPath": "app/fits/lib/droid/commons-compress-1.19.jar",
  "InstalledVersion": "1.19",
  "Status": "fixed",
  "FixedVersion": "1.26.0"
},
{
  "VulnerabilityID": "CVE-2021-35515",
  "PkgPath": "app/fits/lib/jhove/commons-compress-1.20.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-35515",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-35516",
  "PkgPath": "app/fits/lib/jhove/commons-compress-1.20.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-35516",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-35517",
  "PkgPath": "app/fits/lib/jhove/commons-compress-1.20.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-35517",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-36090",
  "PkgPath": "app/fits/lib/jhove/commons-compress-1.20.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-36090",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2024-25710",
  "PkgPath": "app/fits/lib/jhove/commons-compress-1.20.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.26.0"
},
{
  "VulnerabilityID": "CVE-2024-25710",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.26.0"
},
{
  "VulnerabilityID": "CVE-2024-25710",
  "PkgPath": "app/fits/lib/tika/commons-compress-1.22.jar",
  "InstalledVersion": "1.22",
  "Status": "fixed",
  "FixedVersion": "1.26.0"
},
{
  "VulnerabilityID": "CVE-2024-26308",
  "PkgPath": "app/fits/lib/tika/commons-compress-1.22.jar",
  "InstalledVersion": "1.22",
  "Status": "fixed",
  "FixedVersion": "1.26.0"
},
{
  "VulnerabilityID": "CVE-2023-42503",
  "PkgPath": "app/fits/lib/tika/commons-compress-1.22.jar",
  "InstalledVersion": "1.22",
  "Status": "fixed",
  "FixedVersion": "1.24.0"
},
{
  "VulnerabilityID": "CVE-2022-46364",
  "PkgPath": "app/fits/lib/droid/cxf-core-3.3.6.jar",
  "InstalledVersion": "3.3.6",
  "Status": "fixed",
  "FixedVersion": "3.4.10, 3.5.5"
},
{
  "VulnerabilityID": "CVE-2022-46363",
  "PkgPath": "app/fits/lib/droid/cxf-core-3.3.6.jar",
  "InstalledVersion": "3.3.6",
  "Status": "fixed",
  "FixedVersion": "3.4.10, 3.5.5"
},
{
  "VulnerabilityID": "CVE-2024-28752",
  "PkgPath": "app/fits/lib/droid/cxf-core-3.3.6.jar",
  "InstalledVersion": "3.3.6",
  "Status": "fixed",
  "FixedVersion": "3.5.8, 3.6.3, 4.0.4"
},
{
  "VulnerabilityID": "CVE-2022-46337",
  "PkgPath": "app/fits/lib/droid/derby-10.13.1.1.jar",
  "InstalledVersion": "10.13.1.1",
  "Status": "fixed",
  "FixedVersion": "10.14.3, 10.15.2.1, 10.16.1.2, 10.17.1.0"
},
{
  "VulnerabilityID": "CVE-2018-1313",
  "PkgPath": "app/fits/lib/droid/derby-10.13.1.1.jar",
  "InstalledVersion": "10.13.1.1",
  "Status": "fixed",
  "FixedVersion": "10.14.2.0"
},
{
  "VulnerabilityID": "CVE-2024-21742",
  "PkgPath": "app/fits/lib/tika/apache-mime4j-core-0.8.4.jar",
  "InstalledVersion": "0.8.4",
  "Status": "fixed",
  "FixedVersion": "0.8.10"
},
{
  "VulnerabilityID": "CVE-2017-12626",
  "PkgPath": "app/fits/lib/nzmetool/poi-3.12.jar",
  "InstalledVersion": "3.12",
  "Status": "fixed",
  "FixedVersion": "3.17"
},
{
  "VulnerabilityID": "CVE-2017-5644",
  "PkgPath": "app/fits/lib/nzmetool/poi-3.12.jar",
  "InstalledVersion": "3.12",
  "Status": "fixed",
  "FixedVersion": "3.15"
},
{
  "VulnerabilityID": "CVE-2019-12415",
  "PkgPath": "app/fits/lib/nzmetool/poi-3.12.jar",
  "InstalledVersion": "3.12",
  "Status": "fixed",
  "FixedVersion": "4.1.1"
},
{
  "VulnerabilityID": "CVE-2023-33201",
  "PkgPath": "app/fits/lib/droid/bcprov-jdk15on-1.68.jar",
  "InstalledVersion": "1.68",
  "Status": "affected",
  "FixedVersion": null
},
{
  "VulnerabilityID": "CVE-2023-33202",
  "PkgPath": "app/fits/lib/droid/bcprov-jdk15on-1.68.jar",
  "InstalledVersion": "1.68",
  "Status": "affected",
  "FixedVersion": null
},
{
  "VulnerabilityID": "CVE-2023-33201",
  "PkgPath": "app/fits/lib/tika/bcprov-jdk15on-1.70.jar",
  "InstalledVersion": "1.70",
  "Status": "affected",
  "FixedVersion": null
},
{
  "VulnerabilityID": "CVE-2023-33202",
  "PkgPath": "app/fits/lib/tika/bcprov-jdk15on-1.70.jar",
  "InstalledVersion": "1.70",
  "Status": "affected",
  "FixedVersion": null
},
{
  "VulnerabilityID": "CVE-2020-15522",
  "PkgPath": "app/fits/lib/nzmetool/bcprov-jdk16-1.46.jar",
  "InstalledVersion": "1.46",
  "Status": "fixed",
  "FixedVersion": "1.66"
},
{
  "VulnerabilityID": "CVE-2020-26939",
  "PkgPath": "app/fits/lib/nzmetool/bcprov-jdk16-1.46.jar",
  "InstalledVersion": "1.46",
  "Status": "fixed",
  "FixedVersion": "1.61"
},
{
  "VulnerabilityID": "CVE-2023-33202",
  "PkgPath": "app/fits/lib/nzmetool/bcprov-jdk16-1.46.jar",
  "InstalledVersion": "1.46",
  "Status": "fixed",
  "FixedVersion": "1.73"
},
{
  "VulnerabilityID": "CVE-2019-10202",
  "PkgPath": "app/fits/lib/jhove/jackson-mapper-asl-1.9.12.jar",
  "InstalledVersion": "1.9.12",
  "Status": "affected",
  "FixedVersion": null
},
{
  "VulnerabilityID": "CVE-2019-10172",
  "PkgPath": "app/fits/lib/jhove/jackson-mapper-asl-1.9.12.jar",
  "InstalledVersion": "1.9.12",
  "Status": "affected",
  "FixedVersion": null
},
{
  "VulnerabilityID": "CVE-2022-45688",
  "PkgPath": "app/fits/lib/embarc/embarc-0.2.jar",
  "InstalledVersion": "20201115",
  "Status": "fixed",
  "FixedVersion": "20230227"
},
{
  "VulnerabilityID": "CVE-2022-45688",
  "PkgPath": "app/fits/lib/embarc/json-20201115.jar",
  "InstalledVersion": "20201115",
  "Status": "fixed",
  "FixedVersion": "20230227"
},
{
  "VulnerabilityID": "CVE-2022-45688",
  "PkgPath": "app/fits/lib/json-20201115.jar",
  "InstalledVersion": "20201115",
  "Status": "fixed",
  "FixedVersion": "20230227"
},
{
  "VulnerabilityID": "CVE-2023-5072",
  "PkgPath": "app/fits/lib/embarc/embarc-0.2.jar",
  "InstalledVersion": "20201115",
  "Status": "fixed",
  "FixedVersion": "20231013"
},
{
  "VulnerabilityID": "CVE-2023-5072",
  "PkgPath": "app/fits/lib/embarc/json-20201115.jar",
  "InstalledVersion": "20201115",
  "Status": "fixed",
  "FixedVersion": "20231013"
},
{
  "VulnerabilityID": "CVE-2023-5072",
  "PkgPath": "app/fits/lib/json-20201115.jar",
  "InstalledVersion": "20201115",
  "Status": "fixed",
  "FixedVersion": "20231013"
},
{
  "VulnerabilityID": "CVE-2022-22965",
  "PkgPath": "app/fits/lib/droid/spring-beans-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "5.2.20.RELEASE, 5.3.18"
},
{
  "VulnerabilityID": "CVE-2022-22970",
  "PkgPath": "app/fits/lib/droid/spring-beans-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "5.2.22.RELEASE, 5.3.20"
},
{
  "VulnerabilityID": "CVE-2022-22968",
  "PkgPath": "app/fits/lib/droid/spring-context-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "5.3.19, 5.2.21"
},
{
  "VulnerabilityID": "CVE-2021-22060",
  "PkgPath": "app/fits/lib/droid/spring-core-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "5.3.14, 5.2.19"
},
{
  "VulnerabilityID": "CVE-2021-22096",
  "PkgPath": "app/fits/lib/droid/spring-core-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "5.3.11, 5.2.18"
},
{
  "VulnerabilityID": "CVE-2023-20863",
  "PkgPath": "app/fits/lib/droid/spring-expression-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "6.0.8, 5.3.27, 5.2.24.RELEASE"
},
{
  "VulnerabilityID": "CVE-2022-22950",
  "PkgPath": "app/fits/lib/droid/spring-expression-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "5.3.17, 5.2.20.RELEASE"
},
{
  "VulnerabilityID": "CVE-2023-20861",
  "PkgPath": "app/fits/lib/droid/spring-expression-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "6.0.7, 5.3.26, 5.2.23.RELEASE"
},
{
  "VulnerabilityID": "CVE-2012-0881",
  "PkgPath": "app/fits/lib/jhove/xercesImpl-2.9.1.jar",
  "InstalledVersion": "2.9.1",
  "Status": "fixed",
  "FixedVersion": "2.12.0"
},
{
  "VulnerabilityID": "CVE-2013-4002",
  "PkgPath": "app/fits/lib/jhove/xercesImpl-2.9.1.jar",
  "InstalledVersion": "2.9.1",
  "Status": "fixed",
  "FixedVersion": "2.12.0"
},
{
  "VulnerabilityID": "CVE-2009-2625",
  "PkgPath": "app/fits/lib/jhove/xercesImpl-2.9.1.jar",
  "InstalledVersion": "2.9.1",
  "Status": "fixed",
  "FixedVersion": "2.10.0"
},
{
  "VulnerabilityID": "CVE-2020-14338",
  "PkgPath": "app/fits/lib/jhove/xercesImpl-2.9.1.jar",
  "InstalledVersion": "2.9.1",
  "Status": "fixed",
  "FixedVersion": "2.12.0.sp3"
},
{
  "VulnerabilityID": "CVE-2022-23437",
  "PkgPath": "app/fits/lib/jhove/xercesImpl-2.9.1.jar",
  "InstalledVersion": "2.9.1",
  "Status": "fixed",
  "FixedVersion": "2.12.2"
}]
pwinckles commented 6 months ago

@dkinzer thanks for the report. All of the jars listed here are in tools that FITS bundles:

Of those tools, we are only really able to upgrade JHOVE, DROID, and Tika. The snapshot version on the main branch does include more recent versions of JHOVE and Tika, so you could try using that if you wanted. The DROID upgrade is currently blocked waiting for feedback from @awoods and co (see https://github.com/harvard-lts/fits/issues/387).

In regards to embarc and nzmetool, if you are worried about those dependencies, I would recommend simply deleting the tools from your fits.xml and then deleting the tool directories. This will remove them from your install.
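To triage a report like the one above along the lines pwinckles describes, here is an added Python script (not part of the FITS project or this thread) that maps each scanner finding to the bundled-tool directory it lives in, deduplicates repeated (CVE, jar) pairs, and flags findings that have no fixed version. The sample data is a constructed subset of the posted report; the UPGRADEABLE and REMOVABLE sets are assumptions that encode the maintainer's comment, not project configuration.

```python
import json
from collections import defaultdict

# Constructed subset of the scanner output posted in this issue (same field names).
SAMPLE_REPORT = json.dumps([
    {"VulnerabilityID": "CVE-2022-40152", "PkgPath": "app/fits/lib/droid/woodstox-core-5.0.3.jar",
     "InstalledVersion": "5.0.3", "Status": "fixed", "FixedVersion": "6.4.0, 5.4.0"},
    {"VulnerabilityID": "CVE-2023-2976", "PkgPath": "app/fits/lib/jhove/guava-24.1.1-android.jar",
     "InstalledVersion": "24.1.1-android", "Status": "fixed", "FixedVersion": "32.0.0-android"},
    {"VulnerabilityID": "CVE-2023-2976", "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
     "InstalledVersion": "24.1.1-android", "Status": "fixed", "FixedVersion": "32.0.0-android"},
    {"VulnerabilityID": "CVE-2023-33201", "PkgPath": "app/fits/lib/droid/bcprov-jdk15on-1.68.jar",
     "InstalledVersion": "1.68", "Status": "affected", "FixedVersion": None},
    {"VulnerabilityID": "CVE-2017-12626", "PkgPath": "app/fits/lib/nzmetool/poi-3.12.jar",
     "InstalledVersion": "3.12", "Status": "fixed", "FixedVersion": "3.17"},
    {"VulnerabilityID": "CVE-2022-45688", "PkgPath": "app/fits/lib/json-20201115.jar",
     "InstalledVersion": "20201115", "Status": "fixed", "FixedVersion": "20230227"},
])

# Assumed policy, taken from the maintainer's comment above.
UPGRADEABLE = {"jhove", "droid", "tika"}   # bundled tools FITS can move to newer releases
REMOVABLE = {"embarc", "nzmetool"}         # tools that can be dropped from fits.xml

def tool_of(pkg_path):
    """Return the bundled tool a jar belongs to: the path segment after 'lib',
    or 'fits' for jars that sit directly in lib/ (FITS's own dependencies)."""
    parts = pkg_path.split("/")
    i = parts.index("lib")
    return parts[i + 1] if len(parts) - i > 2 else "fits"

def triage(report_json):
    """Group unique (CVE, jar) findings per tool and attach a recommended action."""
    seen = set()
    per_tool = defaultdict(lambda: {"cves": set(), "unfixed": set(), "jars": set()})
    for f in json.loads(report_json):
        key = (f["VulnerabilityID"], f["PkgPath"])
        if key in seen:        # scanners repeat findings; count each CVE/jar pair once
            continue
        seen.add(key)
        t = per_tool[tool_of(f["PkgPath"])]
        t["cves"].add(f["VulnerabilityID"])
        t["jars"].add(f["PkgPath"].rsplit("/", 1)[-1])
        if f["Status"] != "fixed" or not f["FixedVersion"]:
            t["unfixed"].add(f["VulnerabilityID"])   # no upstream fix: needs a compensating control
    result = {}
    for tool, d in per_tool.items():
        if tool in REMOVABLE:
            action = "remove tool from fits.xml and delete its directory"
        elif tool in UPGRADEABLE:
            action = "upgrade the bundled tool"
        else:
            action = "upgrade the jar in FITS itself"
        result[tool] = {"cves": len(d["cves"]), "unfixed": sorted(d["unfixed"]),
                        "jars": sorted(d["jars"]), "action": action}
    return result
```

Running triage() on the full report from the issue gives one row per bundled tool, which is the granularity at which the maintainers can actually act.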

dkinzer commented 6 months ago

Thanks @pwinckles. Unfortunately, I tried building the snapshot and it is also failing. Then I tried building 1.6.0 and it fails to build too. There are two issues. One is that the version of exiftool that it wants to build with no longer exists, and even if you upgrade it to the latest production version (or even an earlier production version that still exists), the tests fail. This is the same issue that I was running into when I was trying to upgrade the various dependencies that you mention in your post to the latest versions.

pwinckles commented 6 months ago

@dkinzer Thanks, I'll look into the exiftool issue. Was that the only issue that you experienced when trying to build (besides the tests failing)?

dkinzer commented 6 months ago

I guess the other issue is that I tried the skip-tests argument to just build the project and it seems to work, but I can't find where it builds to (assuming I'm looking for an asset named something like fits-1.6.0.zip to appear in a build directory).

pwinckles commented 6 months ago

@dkinzer Okay, I created https://github.com/harvard-lts/fits/pull/394 that will update the exiftool version in main.

After you run mvn -DskipTests clean package, the artifact should be available at target/fits-1.6.1-SNAPSHOT.zip.

Let me know if you need further assistance.

dkinzer commented 6 months ago

Ah. I was missing the "package" argument! Thanks!