ncbo / virtual_appliance

Bioportal Virtual Appliance

potential CVE-2022-22965 vulnerability #31

Closed alexskr closed 2 years ago

alexskr commented 2 years ago

AWS marketplace scanners claim that the appliance is vulnerable to CVE-2022-22965.

Annotator Plus has a spring-beans-3.2.16 dependency vulnerable to CVE-2022-22965. Spring Beans is a dependency of edu.utah.bmi.nlp:fastcontext: https://mvnrepository.com/artifact/org.springframework/spring-core/3.2.16.RELEASE

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ sifr-bioportal-annotation-postannotations ---
[INFO] org.sifrproject:sifr-bioportal-annotation-postannotations:jar:0.1-SNAPSHOT
[INFO] +- edu.utah.bmi.nlp:fastcontext:jar:1.3.1.8:compile
[INFO] |  +- edu.utah.bmi.nlp:nlp-core:jar:1.3.1.8:compile
[INFO] |  |  +- org.apache.uima:uimaj-core:jar:2.10.0:compile
[INFO] |  |  +- org.apache.uima:uimaj-tools:jar:2.10.0:compile
[INFO] |  |  |  \- org.apache.uima:uimaj-cpe:jar:2.10.0:compile
[INFO] |  |  |     +- org.apache.uima:uimaj-adapter-vinci:jar:2.10.0:compile
[INFO] |  |  |     \- org.apache.uima:jVinci:jar:2.10.0:compile
[INFO] |  |  +- org.apache.uima:uimaj-document-annotation:jar:2.10.0:compile
[INFO] |  |  +- org.apache.uima:uimaj-examples:jar:2.10.0:compile
[INFO] |  |  +- org.apache.uima:uimafit-core:jar:2.3.0:compile
[INFO] |  |  |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  |  |  +- commons-logging:commons-logging-api:jar:1.1:compile
[INFO] |  |  |  +- org.springframework:spring-core:jar:3.2.16.RELEASE:compile
[INFO] |  |  |  +- org.springframework:spring-context:jar:3.2.16.RELEASE:compile
[INFO] |  |  |  |  +- org.springframework:spring-aop:jar:3.2.16.RELEASE:compile
[INFO] |  |  |  |  |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  |  |  |  \- org.springframework:spring-expression:jar:3.2.16.RELEASE:compile
[INFO] |  |  |  \- org.springframework:spring-beans:jar:3.2.16.RELEASE:compile

The appliance runs Annotator Plus as a WAR in Apache Tomcat (tomcat-7.0.76-16.el7_9), so it seems to fit the Spring4Shell prerequisites, even though I was unable to verify the exploit with a PoC exploit like https://github.com/tweedge/springcore-0day-en.

A potential solution on our end would involve replacing the packaged version of Tomcat 7 for CentOS with Tomcat version 9.0.62+, which includes a mitigation.
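As an added example (not code from the issue or from the ncbo/virtual_appliance project), the script below does by hand what the marketplace scanner did: it parses the plain-text output of `mvn dependency:tree`, flags every `spring-beans` artifact (the artifact that carries the class fixed for CVE-2022-22965) whose version is in a range the Spring advisory lists as affected, and prints the transitive path that pulls it in. The embedded sample tree is a constructed copy of the one in the comment above. The `parse_jdk_major` helper is included because the Spring advisory names JDK 9 or higher among the prerequisites of the known exploit, so the JDK the appliance's Tomcat runs on is the other thing worth checking before trying a PoC; the function name and the sample `java -version` strings are assumptions made for this example.

```python
"""Flag CVE-2022-22965-affected spring-beans versions in `mvn dependency:tree` output."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: a copy of the dependency tree posted in the issue.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ sifr-bioportal-annotation-postannotations ---
[INFO] org.sifrproject:sifr-bioportal-annotation-postannotations:jar:0.1-SNAPSHOT
[INFO] +- edu.utah.bmi.nlp:fastcontext:jar:1.3.1.8:compile
[INFO] |  +- edu.utah.bmi.nlp:nlp-core:jar:1.3.1.8:compile
[INFO] |  |  +- org.apache.uima:uimaj-core:jar:2.10.0:compile
[INFO] |  |  +- org.apache.uima:uimaj-tools:jar:2.10.0:compile
[INFO] |  |  |  \- org.apache.uima:uimaj-cpe:jar:2.10.0:compile
[INFO] |  |  |     +- org.apache.uima:uimaj-adapter-vinci:jar:2.10.0:compile
[INFO] |  |  |     \- org.apache.uima:jVinci:jar:2.10.0:compile
[INFO] |  |  +- org.apache.uima:uimaj-document-annotation:jar:2.10.0:compile
[INFO] |  |  +- org.apache.uima:uimaj-examples:jar:2.10.0:compile
[INFO] |  |  +- org.apache.uima:uimafit-core:jar:2.3.0:compile
[INFO] |  |  |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  |  |  +- commons-logging:commons-logging-api:jar:1.1:compile
[INFO] |  |  |  +- org.springframework:spring-core:jar:3.2.16.RELEASE:compile
[INFO] |  |  |  +- org.springframework:spring-context:jar:3.2.16.RELEASE:compile
[INFO] |  |  |  |  +- org.springframework:spring-aop:jar:3.2.16.RELEASE:compile
[INFO] |  |  |  |  |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  |  |  |  \- org.springframework:spring-expression:jar:3.2.16.RELEASE:compile
[INFO] |  |  |  \- org.springframework:spring-beans:jar:3.2.16.RELEASE:compile
"""

# One tree row: a drawing prefix made of 3-character cells, then Maven coordinates.
TREE_LINE = re.compile(r"^((?:\|  |   )*(?:[+\\]- )?)(\S+)$")


def version_tuple(version: str) -> Tuple[int, ...]:
    """'3.2.16.RELEASE' -> (3, 2, 16); stops at the first non-numeric part."""
    nums: List[int] = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def affected_by_cve_2022_22965(version: str) -> bool:
    """Ranges from the Spring advisory: 5.3.0-5.3.17 and 5.2.0-5.2.19 are affected
    (fixed in 5.3.18 / 5.2.20); older, unsupported branches such as 3.2.x are
    listed as affected as well."""
    v = version_tuple(version)
    if len(v) < 2:
        return True  # unparseable version: treat as suspect rather than clean
    major, minor = v[0], v[1]
    patch = v[2] if len(v) > 2 else 0
    if (major, minor) == (5, 3):
        return patch < 18
    if (major, minor) == (5, 2):
        return patch < 20
    return (major, minor) < (5, 2)


def parse_tree(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (group, artifact, version, path) per node; path is the chain of
    group:artifact ids from the root down to that node."""
    nodes = []
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = TREE_LINE.match(line)
        if not m:
            continue  # plugin banner, blank line, anything that is not a node
        prefix, coord = m.groups()
        depth = len(prefix) // 3
        parts = coord.split(":")
        if len(parts) < 4:
            continue
        group, artifact = parts[0], parts[1]
        # root: g:a:type:version ; child: g:a:type[:classifier]:version:scope
        version = parts[3] if len(parts) == 4 else parts[-2]
        del stack[depth:]
        stack.append(f"{group}:{artifact}")
        nodes.append((group, artifact, version, list(stack)))
    return nodes


def find_affected(text: str) -> List[Dict[str, object]]:
    """spring-beans nodes in an affected range, each with the path that pulls it in."""
    hits = []
    for group, artifact, version, path in parse_tree(text):
        if group == "org.springframework" and artifact == "spring-beans" \
                and affected_by_cve_2022_22965(version):
            hits.append({"version": version, "path": path})
    return hits


def parse_jdk_major(java_version_line: str) -> int:
    """Major version from the first line of `java -version`: legacy '1.8.0_322'
    -> 8, modern '11.0.14' -> 11. The known exploit needs JDK 9 or higher."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', java_version_line)
    if not m:
        raise ValueError(f"unrecognised java -version output: {java_version_line!r}")
    major = int(m.group(1))
    return int(m.group(2)) if major == 1 and m.group(2) else major


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_TREE):
        print(f"spring-beans {hit['version']} pulled in via: " + " -> ".join(hit["path"]))
    # Constructed sample `java -version` lines (the appliance's real output may differ).
    for sample in ('openjdk version "1.8.0_322"', 'openjdk version "11.0.14" 2022-01-18'):
        print(sample, "-> JDK", parse_jdk_major(sample))
```

Run against the real tree with `mvn dependency:tree | python3 check_spring.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; the path output is what tells you that the fix has to come through `fastcontext` (or an explicit dependency override) rather than from the appliance's own pom.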

alexskr commented 2 years ago

This has been addressed in virtual appliance release v3.1.1.