search

linlinjava / litemall

又一个小商城。litemall = Spring Boot后端 + Vue管理员前端 + 微信小程序用户前端 + Vue用户移动端
MIT License
19.27k stars 7.21k forks source link

Dependency org.bouncycastle:bcprov-jdk15on, leading to CVE problem #497

Closed CVEDetect closed 2 years ago

CVEDetect commented 3 years ago

Hi, In litemall/litemall-wx-api,there is a dependency org.bouncycastle:bcprov-jdk15on:1.59 that calls the risk method.

CVE-2018-1000613

The scope of this CVE affected version is [1.57,1.60)

After further analysis, in this project, the main Api called is <org.bouncycastle.pqc.crypto.xmss.XMSSMTPrivateKeyParameters: byte[] toByteArray()>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 10

<org.bouncycastle.pqc.crypto.xmss.XMSSMTPrivateKeyParameters: byte[] toByteArray()>
at <org.bouncycastle.pqc.jcajce.provider.xmss.BCXMSSMTPrivateKey: boolean equals(java.lang.Object)> (org.bouncycastle.pqc.jcajce.provider.xmss.BCXMSSMTPrivateKey.java:[-1]) in /.m2/repository/org/bouncycastle/bcprov-jdk15on/1.59/bcprov-jdk15on-1.59.jar
at <org.bouncycastle.asn1.util.ASN1Dump: void _dumpAsString(java.lang.String,boolean,org.bouncycastle.asn1.ASN1Primitive,java.lang.StringBuffer)> (org.bouncycastle.asn1.util.ASN1Dump.java:[-1]) in /.m2/repository/org/bouncycastle/bcprov-jdk15on/1.59/bcprov-jdk15on-1.59.jar
at <org.bouncycastle.asn1.util.ASN1Dump: java.lang.String dumpAsString(java.lang.Object,boolean)> (org.bouncycastle.asn1.util.ASN1Dump.java:[-1]) in /.m2/repository/org/bouncycastle/bcprov-jdk15on/1.59/bcprov-jdk15on-1.59.jar
at <org.bouncycastle.asn1.util.ASN1Dump: java.lang.String dumpAsString(java.lang.Object)> (org.bouncycastle.asn1.util.ASN1Dump.java:[-1]) in /.m2/repository/org/bouncycastle/bcprov-jdk15on/1.59/bcprov-jdk15on-1.59.jar
at <org.bouncycastle.jce.provider.X509CRLObject: java.lang.String toString()> (org.bouncycastle.jce.provider.X509CRLObject.java:[-1]) in /.m2/repository/org/bouncycastle/bcprov-jdk15on/1.59/bcprov-jdk15on-1.59.jar
at <com.github.binarywang.wxpay.util.SignUtils: java.util.Map xmlBean2Map(java.lang.Object)> (com.github.binarywang.wxpay.util.SignUtils.java:[161, 158]) in /.m2/repository/com/github/binarywang/weixin-java-pay/3.3.0/weixin-java-pay-3.3.0.jar
at <com.github.binarywang.wxpay.util.SignUtils: java.lang.String createSign(java.lang.Object,java.lang.String,java.lang.String,java.lang.String[])> (com.github.binarywang.wxpay.util.SignUtils.java:[68]) in /.m2/repository/com/github/binarywang/weixin-java-pay/3.3.0/weixin-java-pay-3.3.0.jar
at <com.github.binarywang.wxpay.service.impl.BaseWxPayServiceImpl: java.lang.Object createOrder(com.github.binarywang.wxpay.bean.request.WxPayUnifiedOrderRequest)> (com.github.binarywang.wxpay.service.impl.BaseWxPayServiceImpl.java:[371]) in /.m2/repository/com/github/binarywang/weixin-java-pay/3.3.0/weixin-java-pay-3.3.0.jar
at <org.linlinjava.litemall.wx.service.WxOrderService: java.lang.Object prepay(java.lang.Integer,java.lang.String,javax.servlet.http.HttpServletRequest)> (org.linlinjava.litemall.wx.service.WxOrderService.java:[601]) in /detect/unzip/litemall-1.8.0/litemall-wx-api/target/classes

Dependency tree--

[INFO] org.linlinjava:litemall-wx-api:jar:0.1.0
[INFO] +- org.springframework.boot:spring-boot-starter-mail:jar:2.1.5.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.1.5.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.1.5.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.11.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.26:compile
[INFO] |  |  +- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.23:runtime
[INFO] |  +- org.springframework:spring-context-support:jar:5.1.7.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-beans:jar:5.1.7.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-context:jar:5.1.7.RELEASE:compile
[INFO] |  |     \- org.springframework:spring-expression:jar:5.1.7.RELEASE:compile
[INFO] |  \- com.sun.mail:javax.mail:jar:1.6.2:compile
[INFO] |     \- javax.activation:activation:jar:1.1:compile
[INFO] +- org.linlinjava:litemall-core:jar:0.1.0:compile
[INFO] |  +- org.hibernate.validator:hibernate-validator:jar:6.1.0.Final:compile
[INFO] |  |  +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] |  |  \- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile
[INFO] |  +- com.aliyun:aliyun-java-sdk-core:jar:4.0.3:compile
[INFO] |  |  +- com.google.code.gson:gson:jar:2.8.5:compile
[INFO] |  |  +- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO] |  |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO] |  |  +- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] |  |  |  \- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] |  |  +- com.sun.xml.bind:jaxb-core:jar:2.1.14:compile
[INFO] |  |  \- com.sun.xml.bind:jaxb-impl:jar:2.1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-web:jar:2.1.5.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.1.5.RELEASE:compile
[INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.19:compile
[INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.19:compile
[INFO] |  |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.19:compile
[INFO] |  |  +- org.springframework:spring-web:jar:5.1.7.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-webmvc:jar:5.1.7.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.1.5.RELEASE:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.8:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.8:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.8:compile
[INFO] |  +- com.github.qcloudsms:qcloudsms:jar:1.0.5:compile
[INFO] |  |  +- org.json:json:jar:20170516:compile
[INFO] |  |  \- org.apache.httpcomponents:httpmime:jar:4.5.8:compile
[INFO] |  +- com.qcloud:cos_api:jar:5.6.8:compile
[INFO] |  |  +- joda-time:joda-time:jar:2.10.2:compile
[INFO] |  |  \- org.bouncycastle:bcprov-jdk15on:jar:1.59:compile
[INFO] |  +- com.aliyun.oss:aliyun-sdk-oss:jar:2.5.0:compile
[INFO] |  |  +- org.jdom:jdom:jar:1.1:compile
[INFO] |  |  \- net.sf.json-lib:json-lib:jar:jdk15:2.4:compile
[INFO] |  |     \- net.sf.ezmorph:ezmorph:jar:1.0.6:compile
[INFO] |  \- com.qiniu:qiniu-java-sdk:jar:7.2.29:compile (version selected from constraint [7.2.0,7.2.99])
[INFO] |     \- com.squareup.okhttp3:okhttp:jar:3.14.4:runtime
[INFO] |        \- com.squareup.okio:okio:jar:1.17.2:runtime
[INFO] +- org.linlinjava:litemall-db:jar:0.1.0:compile
[INFO] |  +- org.mybatis.spring.boot:mybatis-spring-boot-starter:jar:1.3.2:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.1.5.RELEASE:compile
[INFO] |  |  |  +- com.zaxxer:HikariCP:jar:3.2.0:compile
[INFO] |  |  |  \- org.springframework:spring-jdbc:jar:5.1.7.RELEASE:compile
[INFO] |  |  |     \- org.springframework:spring-tx:jar:5.1.7.RELEASE:compile
[INFO] |  |  +- org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:jar:1.3.2:compile
[INFO] |  |  +- org.mybatis:mybatis:jar:3.4.6:compile
[INFO] |  |  \- org.mybatis:mybatis-spring:jar:1.3.2:compile
[INFO] |  +- com.github.pagehelper:pagehelper-spring-boot-starter:jar:1.2.5:compile
[INFO] |  |  +- com.github.pagehelper:pagehelper-spring-boot-autoconfigure:jar:1.2.5:compile
[INFO] |  |  \- com.github.pagehelper:pagehelper:jar:5.1.4:compile
[INFO] |  |     \- com.github.jsqlparser:jsqlparser:jar:1.0:compile
[INFO] |  +- mysql:mysql-connector-java:jar:8.0.16:compile
[INFO] |  |  \- com.google.protobuf:protobuf-java:jar:3.6.1:compile
[INFO] |  \- com.alibaba:druid-spring-boot-starter:jar:1.2.1:compile
[INFO] |     \- com.alibaba:druid:jar:1.2.1:compile
[INFO] +- com.github.binarywang:weixin-java-pay:jar:3.3.0:compile
[INFO] |  +- com.github.binarywang:weixin-java-common:jar:3.3.0:compile
[INFO] |  |  +- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] |  |  |  +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] |  |  |  \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] |  |  +- org.slf4j:jcl-over-slf4j:jar:1.7.26:compile
[INFO] |  |  +- commons-io:commons-io:jar:2.5:compile
[INFO] |  |  \- org.dom4j:dom4j:jar:2.0.0:compile
[INFO] |  |     \- jaxen:jaxen:jar:1.1.6:compile
[INFO] |  +- org.jodd:jodd-http:jar:3.7.1:compile
[INFO] |  |  +- org.jodd:jodd-core:jar:3.7.1:compile
[INFO] |  |  \- org.jodd:jodd-upload:jar:3.7.1:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.8.1:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO] |  |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  \- org.bouncycastle:bcpkix-jdk15on:jar:1.59:compile
[INFO] +- com.github.binarywang:weixin-java-miniapp:jar:3.3.0:compile
[INFO] +- io.springfox:springfox-swagger2:jar:2.9.2:compile
[INFO] |  +- io.swagger:swagger-annotations:jar:1.5.20:compile
[INFO] |  +- io.swagger:swagger-models:jar:1.5.20:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  +- io.springfox:springfox-spi:jar:2.9.2:compile
[INFO] |  |  \- io.springfox:springfox-core:jar:2.9.2:compile
[INFO] |  |     \- net.bytebuddy:byte-buddy:jar:1.9.12:compile
[INFO] |  +- io.springfox:springfox-schema:jar:2.9.2:compile
[INFO] |  +- io.springfox:springfox-swagger-common:jar:2.9.2:compile
[INFO] |  +- io.springfox:springfox-spring-web:jar:2.9.2:compile
[INFO] |  +- com.fasterxml:classmate:jar:1.4.0:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.26:compile
[INFO] |  +- org.springframework.plugin:spring-plugin-core:jar:1.2.0.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-aop:jar:5.1.7.RELEASE:compile
[INFO] |  +- org.springframework.plugin:spring-plugin-metadata:jar:1.2.0.RELEASE:compile
[INFO] |  \- org.mapstruct:mapstruct:jar:1.2.0.Final:compile
[INFO] +- io.springfox:springfox-swagger-ui:jar:2.9.2:compile
[INFO] +- com.github.xiaoymin:swagger-bootstrap-ui:jar:1.9.6:compile
[INFO] |  \- org.javassist:javassist:jar:3.25.0-GA:compile
[INFO] +- com.google.guava:guava:jar:25.1-jre:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:2.0.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile
[INFO] |  +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- com.auth0:java-jwt:jar:3.4.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.8:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.11:compile
[INFO] +- org.springframework.boot:spring-boot-devtools:jar:2.1.5.RELEASE:compile (optional)
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.1.5.RELEASE:compile
[INFO] |  \- org.springframework.boot:spring-boot-autoconfigure:jar:2.1.5.RELEASE:compile
[INFO] |  +- org.springframework:spring-core:jar:5.1.7.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.1.7.RELEASE:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 3 years ago

@linlinjava Could please help me check this issue? May I pull a request to fix it? Thanks again.