hazelcast / hazelcast-code-samples

Hazelcast Code Samples
www.hazelcast.org

Dependency org.apache.mina:mina-core, leading to CVE problem #487

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi. In hazelcast-code-samples-master/enterprise/ldap-authentication, there is a dependency org.apache.mina:mina-core:2.0.16 that calls the risk method.

CVE-2019-0231

The affected version range of this CVE is [,2.0.21) || [2.1.0,2.1.1)

After further analysis, in this project, the main API called is `<org.apache.mina.filter.buffer.BufferedWriteFilter: void internalFlush(org.apache.mina.core.filterchain.IoFilter$NextFilter,org.apache.mina.core.session.IoSession,org.apache.mina.core.buffer.IoBuffer)>`

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path length: 10

```
<org.apache.mina.filter.buffer.BufferedWriteFilter: void internalFlush(org.apache.mina.core.filterchain.IoFilter$NextFilter,org.apache.mina.core.session.IoSession,org.apache.mina.core.buffer.IoBuffer)>
at <org.apache.mina.filter.buffer.BufferedWriteFilter: void write(org.apache.mina.core.session.IoSession,org.apache.mina.core.buffer.IoBuffer,org.apache.mina.core.buffer.IoBuffer)> (org.apache.mina.filter.buffer.BufferedWriteFilter.java:[169, 174]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.filter.buffer.BufferedWriteFilter: void write(org.apache.mina.core.session.IoSession,org.apache.mina.core.buffer.IoBuffer)> (org.apache.mina.filter.buffer.BufferedWriteFilter.java:[147]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.filter.buffer.BufferedWriteFilter: void filterWrite(org.apache.mina.core.filterchain.IoFilter$NextFilter,org.apache.mina.core.session.IoSession,org.apache.mina.core.write.WriteRequest)> (org.apache.mina.filter.buffer.BufferedWriteFilter.java:[132]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.core.filterchain.DefaultIoFilterChain: void callPreviousFilterWrite(org.apache.mina.core.filterchain.IoFilterChain$Entry,org.apache.mina.core.session.IoSession,org.apache.mina.core.write.WriteRequest)> (org.apache.mina.core.filterchain.DefaultIoFilterChain.java:[629]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.core.filterchain.DefaultIoFilterChain: void fireFilterWrite(org.apache.mina.core.write.WriteRequest)> (org.apache.mina.core.filterchain.DefaultIoFilterChain.java:[622]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.core.session.AbstractIoSession: org.apache.mina.core.future.WriteFuture write(java.lang.Object,java.net.SocketAddress)> (org.apache.mina.core.session.AbstractIoSession.java:[574]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.core.session.AbstractIoSession: org.apache.mina.core.future.WriteFuture write(java.lang.Object)> (org.apache.mina.core.session.AbstractIoSession.java:[519]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.directory.server.ldap.LdapServer: void stop()> (org.apache.directory.server.ldap.LdapServer.java:[622]) in /.m2/repository/org/apache/directory/server/apacheds-protocol-ldap/2.0.0-M24/apacheds-protocol-ldap-2.0.0-M24.jar
at <simpleldap.SimpleLdapServer: void stop()> (simpleldap.SimpleLdapServer.java:[129]) in /detect/unzip/hazelcast-code-samples-master/enterprise/ldap-authentication/target/classes
```

Dependency tree--

```
[INFO] com.hazelcast.samples.enterprise:ldap-authentication:jar:0.1-SNAPSHOT
[INFO] +- org.apache.directory.api:api-ldap-codec-standalone:jar:1.0.0:compile
[INFO] |  +- org.apache.directory.api:api-ldap-net-mina:jar:1.0.0:compile
[INFO] |  +- org.apache.directory.api:api-ldap-codec-core:jar:1.0.0:compile
[INFO] |  |  +- org.apache.directory.api:api-asn1-api:jar:1.0.0:compile
[INFO] |  |  +- org.apache.directory.api:api-i18n:jar:1.0.0:compile
[INFO] |  |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  +- org.apache.directory.api:api-ldap-extras-codec:jar:1.0.0:compile
[INFO] |  \- org.apache.mina:mina-core:jar:2.0.16:compile
[INFO] +- org.apache.directory.server:apacheds-protocol-ldap:jar:2.0.0-M24:compile
[INFO] |  +- org.apache.directory.server:apacheds-core:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-interceptors-admin:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-interceptors-authn:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-interceptors-number:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-interceptors-authz:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-interceptors-changelog:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-interceptors-collective:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-interceptors-event:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-interceptors-exception:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-interceptors-journal:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-interceptors-normalization:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-interceptors-operational:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-interceptors-referral:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-interceptors-schema:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-interceptors-subtree:jar:2.0.0-M24:compile
[INFO] |  |  \- org.apache.directory.server:apacheds-interceptors-trigger:jar:2.0.0-M24:compile
[INFO] |  |     \- org.apache.directory.api:api-ldap-extras-trigger:jar:1.0.0:compile
[INFO] |  +- org.apache.directory.server:apacheds-core-api:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.server:apacheds-core-constants:jar:2.0.0-M24:compile
[INFO] |  |  +- org.apache.directory.api:api-ldap-extras-aci:jar:1.0.0:compile
[INFO] |  |  \- net.sf.ehcache:ehcache:jar:2.10.4:compile
[INFO] |  +- org.apache.directory.server:apacheds-i18n:jar:2.0.0-M24:compile
[INFO] |  +- org.apache.directory.server:apacheds-protocol-shared:jar:2.0.0-M24:compile
[INFO] |  +- org.apache.directory.jdbm:apacheds-jdbm1:jar:2.0.0-M3:compile
[INFO] |  +- org.apache.directory.server:apacheds-jdbm-partition:jar:2.0.0-M24:compile
[INFO] |  |  \- org.apache.directory.server:apacheds-core-avl:jar:2.0.0-M24:compile
[INFO] |  +- org.apache.directory.server:apacheds-kerberos-codec:jar:2.0.0-M24:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  +- org.apache.directory.api:api-asn1-ber:jar:1.0.0:compile
[INFO] |  +- org.apache.directory.api:api-ldap-client-api:jar:1.0.0:compile
[INFO] |  |  \- commons-pool:commons-pool:jar:1.6:compile
[INFO] |  +- org.apache.directory.api:api-ldap-extras-codec-api:jar:1.0.0:compile
[INFO] |  +- org.apache.directory.api:api-ldap-extras-sp:jar:1.0.0:compile
[INFO] |  +- org.apache.directory.api:api-ldap-extras-util:jar:1.0.0:compile
[INFO] |  +- org.apache.directory.api:api-ldap-model:jar:1.0.0:compile
[INFO] |  |  +- org.apache.servicemix.bundles:org.apache.servicemix.bundles.antlr:jar:2.7.7_5:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.10:compile
[INFO] |  +- org.apache.directory.api:api-ldap-schema-data:jar:1.0.0:compile
[INFO] |  +- org.apache.directory.api:api-util:jar:1.0.0:compile
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.56:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- org.apache.directory.server:apacheds-core-annotations:jar:2.0.0-M24:compile
[INFO] |  +- org.apache.directory.server:apacheds-core-shared:jar:2.0.0-M24:compile
[INFO] |  +- org.apache.directory.server:apacheds-ldif-partition:jar:2.0.0-M24:compile
[INFO] |  +- org.apache.directory.server:apacheds-xdbm-partition:jar:2.0.0-M24:compile
[INFO] |  +- org.apache.directory.mavibot:mavibot:jar:1.0.0-M8:compile
[INFO] |  +- org.apache.directory.server:apacheds-mavibot-partition:jar:2.0.0-M24:compile
[INFO] |  \- junit:junit:jar:4.12:compile
[INFO] |     \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- org.slf4j:slf4j-simple:jar:1.7.25:compile
[INFO] +- org.jline:jline-reader:jar:3.19.0:compile
[INFO] |  \- org.jline:jline-terminal:jar:3.19.0:compile
[INFO] +- com.hazelcast:hazelcast-enterprise-all:jar:5.0-SNAPSHOT:compile
[INFO] \- com.hazelcast.samples:helper:jar:0.1-SNAPSHOT:compile
[INFO]    \- com.hazelcast:hazelcast-all:jar:5.0-SNAPSHOT:compile
```

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 3 years ago

@leszko Could you please help me check this issue? May I open a pull request to fix it? Thanks again.