microservices-demo / orders

Orders service for Microservices Demo application
https://github.com/microservices-demo/microservices-demo
Apache License 2.0

Dependency org.apache.tomcat.embed:tomcat-embed-core, leading to CVE problem #61

Open CVEDetect opened 2 years ago

CVEDetect commented 2 years ago

Hi, in orders, there is a dependency org.apache.tomcat.embed:tomcat-embed-core:8.5.11 that calls the risk method.

CVE-2019-10072

The affected version range of this CVE is [8.5.0, 8.5.40), [9.0.0.M1, 9.0.20).

After further analysis, in this project, the main API called is <org.apache.coyote.http2.Http2UpgradeHandler: void close()>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 9

<org.apache.coyote.http2.Http2UpgradeHandler: void close()>
at <org.apache.coyote.http2.Http2UpgradeHandler: void handleAppInitiatedIOException(java.io.IOException)> (org.apache.coyote.http2.Http2UpgradeHandler.java:[693]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.11/tomcat-embed-core-8.5.11.jar
at <org.apache.coyote.http2.Http2UpgradeHandler: void writeHeaders(org.apache.coyote.http2.Stream,org.apache.coyote.Response,int)> (org.apache.coyote.http2.Http2UpgradeHandler.java:[564]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.11/tomcat-embed-core-8.5.11.jar
at <org.apache.coyote.http2.Stream: void writeAck()> (org.apache.coyote.http2.Stream.java:[352]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.11/tomcat-embed-core-8.5.11.jar
at <org.apache.coyote.http2.StreamProcessor: void ack()> (org.apache.coyote.http2.StreamProcessor.java:[114]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.11/tomcat-embed-core-8.5.11.jar
at <org.apache.coyote.AbstractProcessor: void action(org.apache.coyote.ActionCode,java.lang.Object)> (org.apache.coyote.AbstractProcessor.java:[273]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.11/tomcat-embed-core-8.5.11.jar
at <org.apache.coyote.Request: void action(org.apache.coyote.ActionCode,java.lang.Object)> (org.apache.coyote.Request.java:[391, 393]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.11/tomcat-embed-core-8.5.11.jar
at <org.apache.catalina.connector.Request: java.lang.Object getAttribute(java.lang.String)> (org.apache.catalina.connector.Request.java:[900]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.11/tomcat-embed-core-8.5.11.jar
at <works.weave.socks.orders.middleware.HTTPMonitoringInterceptor: void postHandle(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse,java.lang.Object,org.springframework.web.servlet.ModelAndView)> (works.weave.socks.orders.middleware.HTTPMonitoringInterceptor.java:[53]) in /detect/unzip/orders-0.4.7/target/classes

Dependency tree--

[INFO] works.weave.microservices-demo:orders:jar:1.4.4.RELEASE
[INFO] +- org.springframework.boot:spring-boot-starter-data-rest:jar:1.4.4.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:1.4.4.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:1.4.4.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.4.4.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:1.4.4.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.1.9:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.1.9:compile
[INFO] |  |  |  +- org.slf4j:jul-to-slf4j:jar:1.7.22:compile
[INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.22:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.17:runtime
[INFO] |  +- org.springframework.boot:spring-boot-starter-web:jar:1.4.4.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.4.4.RELEASE:compile
[INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.11:compile
[INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.11:compile
[INFO] |  |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.11:compile
[INFO] |  |  +- org.hibernate:hibernate-validator:jar:5.2.4.Final:compile
[INFO] |  |  |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  |  |  +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] |  |  |  \- com.fasterxml:classmate:jar:1.3.3:compile
[INFO] |  |  \- org.springframework:spring-webmvc:jar:4.3.6.RELEASE:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.6:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.6:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.6:compile
[INFO] |  \- org.springframework.data:spring-data-rest-webmvc:jar:2.5.7.RELEASE:compile
[INFO] |     \- org.springframework.data:spring-data-rest-core:jar:2.5.7.RELEASE:compile
[INFO] |        +- org.springframework.hateoas:spring-hateoas:jar:0.20.0.RELEASE:compile
[INFO] |        +- org.springframework.plugin:spring-plugin-core:jar:1.2.0.RELEASE:compile
[INFO] |        \- org.atteo:evo-inflector:jar:1.2.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-mongodb:jar:1.4.4.RELEASE:compile
[INFO] |  +- org.mongodb:mongodb-driver:jar:3.2.2:compile
[INFO] |  |  +- org.mongodb:mongodb-driver-core:jar:3.2.2:compile
[INFO] |  |  \- org.mongodb:bson:jar:3.2.2:compile
[INFO] |  \- org.springframework.data:spring-data-mongodb:jar:1.9.7.RELEASE:compile
[INFO] |     +- org.springframework:spring-tx:jar:4.3.6.RELEASE:compile
[INFO] |     +- org.springframework:spring-context:jar:4.3.6.RELEASE:compile
[INFO] |     +- org.springframework:spring-beans:jar:4.3.6.RELEASE:compile
[INFO] |     +- org.springframework:spring-expression:jar:4.3.6.RELEASE:compile
[INFO] |     \- org.springframework.data:spring-data-commons:jar:1.12.7.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-zipkin:jar:1.1.0.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter-sleuth:jar:1.1.0.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-starter:jar:1.1.6.RELEASE:compile
[INFO] |  |  |  +- org.springframework.cloud:spring-cloud-context:jar:1.1.6.RELEASE:compile
[INFO] |  |  |  |  \- org.springframework.security:spring-security-crypto:jar:4.1.4.RELEASE:compile
[INFO] |  |  |  +- org.springframework.cloud:spring-cloud-commons:jar:1.1.6.RELEASE:compile
[INFO] |  |  |  \- org.springframework.security:spring-security-rsa:jar:1.0.3.RELEASE:compile
[INFO] |  |  |     \- org.bouncycastle:bcpkix-jdk15on:jar:1.55:compile
[INFO] |  |  |        \- org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-actuator:jar:1.4.4.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-aop:jar:1.4.4.RELEASE:compile
[INFO] |  |  |  \- org.aspectj:aspectjweaver:jar:1.8.9:compile
[INFO] |  |  \- org.springframework.cloud:spring-cloud-sleuth-core:jar:1.1.0.RELEASE:compile
[INFO] |  |     \- org.aspectj:aspectjrt:jar:1.8.9:compile
[INFO] |  \- org.springframework.cloud:spring-cloud-sleuth-zipkin:jar:1.1.0.RELEASE:compile
[INFO] |     +- io.zipkin.java:zipkin:jar:1.16.2:compile
[INFO] |     +- io.zipkin.reporter:zipkin-reporter:jar:0.6.9:compile
[INFO] |     \- io.zipkin.reporter:zipkin-sender-urlconnection:jar:0.6.9:compile
[INFO] +- io.prometheus:simpleclient_spring_boot:jar:0.0.21:compile
[INFO] |  +- io.prometheus:simpleclient:jar:0.0.21:compile
[INFO] |  +- io.prometheus:simpleclient_common:jar:0.0.21:compile
[INFO] |  +- org.springframework:spring-web:jar:4.3.6.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-aop:jar:4.3.6.RELEASE:compile
[INFO] |  \- org.springframework.boot:spring-boot-actuator:jar:1.4.4.RELEASE:compile
[INFO] +- io.prometheus:simpleclient_hotspot:jar:0.0.21:compile
[INFO] +- io.prometheus:simpleclient_servlet:jar:0.0.21:compile
[INFO] +- org.springframework.data:spring-data-rest-hal-browser:jar:2.5.7.RELEASE:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.22:compile
[INFO] |  \- org.slf4j:jcl-over-slf4j:jar:1.7.22:compile
[INFO] |  +- org.springframework:spring-core:jar:4.3.6.RELEASE:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 2 years ago

@philwinder Could you please help me check this issue? May I submit a pull request to fix it? Thanks again.