nextgenhealthcare / connect

The swiss army knife of healthcare integration.

Security issues when loading 3rd party libraries #4417

Open kokelvin opened 4 years ago

kokelvin commented 4 years ago

bcprov-ext-jdk15on-1.57.jar:

Upgrade to version org.bouncycastle:bcprov-ext-debug-jdk15on:1.60,org.bouncycastle:bcprov-debug-jdk15on:1.60,org.bouncycastle:bcprov-debug-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk15on:1.60,org.bouncycastle:bcprov-jdk14:1.60,org.bouncycastle:bcprov-jdk15on:1.60

Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization: deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appears to be exploitable via a handcrafted private key, which can include references to unexpected classes that will be picked up from the class path of the executing application. This vulnerability appears to have been fixed in 1.60 and later.

bcprov-jdk15on-1.57.jar:

Upgrade to version org.bouncycastle:bcprov-ext-debug-jdk15on:1.60,org.bouncycastle:bcprov-debug-jdk15on:1.60,org.bouncycastle:bcprov-debug-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk15on:1.60,org.bouncycastle:bcprov-jdk14:1.60,org.bouncycastle:bcprov-jdk15on:1.60

Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization: deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appears to be exploitable via a handcrafted private key, which can include references to unexpected classes that will be picked up from the class path of the executing application. This vulnerability appears to have been fixed in 1.60 and later.

commons-beanutils-1.9.3.jar:

Upgrade to version commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

commons-collections-3.2.1.jar + commons-collections4-4.0.jar:

Upgrade to version commons-collections:commons-collections:3.2.2

The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections.

Upgrade to version commons-collections:commons-collections:3.2.2;org.apache.commons:commons-collections4:4.1

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.

commons-compress-1.17.jar:

Upgrade to version 1.19 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

commons-email-1.3.1.jar:

Upgrade to version 1.5 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9801

When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.

commons-fileupload-1.2.1.jar:

Upgrade to version 1.3.3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution

derby-10.10.2.0.jar:

Upgrade to version 10.12.1.1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1832

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.

handlebars-2.0.0.min.js:

Upgrade to version 4.3.0 https://www.npmjs.com/advisories/1164

Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

jackson-databind-2.9.1.jar:

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Top Fix: Upgrade to version com.fasterxml.jackson.core:jackson-databind:2.9.7,2.8.11.3,2.7.9.5,2.6.7.3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721

jackson-databind-2.9.8.jar:

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Top Fix: Upgrade to version JBoss Enterprise Application Platform - 7.2.4;com.fasterxml.jackson.core:jackson-databind:2.9.9 https://access.redhat.com/errata/RHSA-2019:2938

jetty-server-9.4.9.v20180320.jar + jetty-http-9.4.9.v20180320.jar:

Upgrade to version org.eclipse.jetty:jetty-server:9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.3.24.v20180605,9.4.11.v20180605 https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668

jetty-util-9.4.6.v20170531.jar:

Upgrade to version 9.4.7.RC0 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

kotlin-stdlib-1.2.60.jar:

Upgrade to version org.jetbrains.kotlin:kotlin-stdlib:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-common:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.30,org.jetbrains.kotlin:kotlin-reflect:1.3.30 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10101

JetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.

log4j-1.2.16.jar:

Upgrade to version org.apache.logging.log4j:log4j-core:2.0-alpha1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

ojdbc7-12.1.0.2.jar:

Unspecified vulnerability in the JDBC component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2; the Oracle Retail Xstore Point of Service 5.5, 6.0, 6.5, 7.0, 7.1, 15.0, and 16.0; the Oracle Retail Warehouse Management System 14.04, 14.1.3, and 15.0.1; the Oracle Retail Workforce Management 1.60.7, and 1.64.0; the Oracle Retail Clearance Optimization Engine 13.4; the Oracle Retail Markdown Optimization 13.4 and 14.0; and Oracle Retail Merchandising System 16.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

postgresql-9.4.1212.jar:

Upgrade to version org.postgresql:postgresql:42.2.13 https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13

retrofit-2.4.0.jar:

Upgrade to version com.squareup.retrofit2:retrofit:2.5.0 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000844

Square Open Source Retrofit versions prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contain an XML External Entity (XXE) vulnerability in JAXB. An attacker could use this to remotely read files from the file system or to perform SSRF. This vulnerability appears to have been fixed after commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.

spring-web-5.2.1.RELEASE.jar:

Upgrade to version org.springframework:spring-web:5.2.9,org.springframework:spring-web:5.1.18,org.springframework:spring-web:5.0.19,org.springframework:spring-web:4.3.29 https://tanzu.vmware.com/security/cve-2020-5421

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

xstream-1.4.7.jar:

Upgrade to version 1.4.7,1.4.11 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format, e.g. JSON.
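
The list above is in effect a software composition check, so here is a small Python audit, added as an example and not code from this issue or from the Connect project, that parses jar file names and flags any still below the fixed versions quoted in the report. The FIXED_VERSIONS table is transcribed from the advisories above, while the jar-name regex, the version comparison and the SAMPLE_JARS list are assumptions and constructed input for illustration.

```python
import re
from pathlib import Path

# Minimum fixed version per artifact, from the advisory list in this issue (where
# several fixed versions are listed, the lowest on the same release line is used).
# log4j has no fixed 1.x release: the fix is a move to log4j-core 2.x, so any 1.x jar is flagged.
FIXED_VERSIONS = {
    "bcprov-jdk15on": "1.60", "bcprov-ext-jdk15on": "1.60", "commons-beanutils": "1.9.4",
    "commons-collections": "3.2.2", "commons-collections4": "4.1", "commons-compress": "1.19",
    "commons-email": "1.5", "commons-fileupload": "1.3.3", "derby": "10.12.1.1",
    "jackson-databind": "2.9.9", "jetty-server": "9.4.11.v20180605",
    "jetty-http": "9.4.11.v20180605", "jetty-util": "9.4.7.RC0", "kotlin-stdlib": "1.3.30",
    "log4j": "2.0", "postgresql": "42.2.13", "retrofit": "2.5.0", "spring-web": "5.2.9",
    "xstream": "1.4.11",
}

# "<artifact>-<version>.jar": the artifact part is matched lazily so the version
# starts at the first "-<digit>" boundary (handles commons-collections4-4.0.jar).
JAR_RE = re.compile(r"^(?P<name>[A-Za-z][\w.-]*?)-(?P<ver>\d[\w.-]*)\.jar$")

def parse_jar(filename):
    """Split a jar file name into (artifact, version); None if it does not match."""
    m = JAR_RE.match(filename)
    return (m.group("name"), m.group("ver")) if m else None

def version_key(version):
    """Sortable key: numeric segments compare as integers, qualifiers as strings. Simplifying
    assumption: a trailing qualifier (.RELEASE, .v2018...) sorts after the bare numeric version."""
    return [(0, int(t)) if t.isdigit() else (1, t.lower()) for t in re.split(r"[.\-]", version)]

def audit(jar_names):
    """Return [(jar, minimum_fixed_version)] for every jar still below its fixed version."""
    findings = []
    for jar in jar_names:
        parsed = parse_jar(jar)
        if parsed and parsed[0] in FIXED_VERSIONS:
            fixed = FIXED_VERSIONS[parsed[0]]
            if version_key(parsed[1]) < version_key(fixed):
                findings.append((jar, fixed))
    return findings

def audit_dir(lib_dir):
    """Audit every *.jar directly inside lib_dir, e.g. a Mirth Connect server's lib/ directory."""
    return audit(sorted(p.name for p in Path(lib_dir).glob("*.jar")))

# Constructed sample: jar names from this issue plus two already-patched ones.
SAMPLE_JARS = ["jackson-databind-2.9.8.jar", "jackson-databind-2.9.10.jar",
               "jetty-util-9.4.6.v20170531.jar", "spring-web-5.2.9.RELEASE.jar",
               "commons-collections4-4.0.jar", "ojdbc7-12.1.0.2.jar", "log4j-1.2.16.jar"]
```

Run audit_dir("/path/to/connect/server/lib") against an installation to see which of the jars named in this report are still present below their fixed version; ojdbc7 is skipped because the report gives no fixed version for it.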

jonbartels commented 3 years ago

It looks like the 3.10.0 release addressed some but not all of this issue https://github.com/nextgenhealthcare/connect/wiki/3.10.0---What's-New

lmillergithub commented 2 years ago

For Bouncy Castle see https://github.com/nextgenhealthcare/connect/issues/5283

lmillergithub commented 2 years ago

For Xstream see https://github.com/nextgenhealthcare/connect/issues/4752

lmillergithub commented 2 years ago

For log4j see https://github.com/nextgenhealthcare/connect/issues/4487

pladesma commented 9 months ago

The following libraries are updated in 4.5.0:

log4j was also updated in a previous release.

Once 4.5.0 is released, refer to the Release Notes for more details.