snowflakedb / snowflake-jdbc

Snowflake JDBC Driver
Apache License 2.0

SNOW-1304351: The `threetenbp` package is vulnerable to Denial of Service (DoS) due to an Uncaught Exception #1702

Status: Closed (cheevo closed this 7 months ago)

cheevo commented 8 months ago

Explanation: The threetenbp package is vulnerable to Denial of Service (DoS) due to an Uncaught Exception. The TZDB.dat file included with this package contains corrupted timezone information. Consequently, when parsed by DateTimeFormatterBuilder, this package may yield uncaught exceptions. A remote attacker who can cause this package to parse certain crafted inputs can exploit this vulnerability to crash affected applications.

Detection: The application is vulnerable by using this component.

Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

Threat Vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Issue: sonatype-2024-0639
Source: Sonatype Data Research
SONATYPE Threat Level: 7
CVE: (none listed)
CWE: 394
CWE URL: https://cwe.mitre.org/data/definitions/394.html
CVE URL: https://sonatype.fiserv.one/ui/links/vln/sonatype-2024-0639
CVE CVSS 3.0: Not Set
CVE CVSS 2.0: Not Set
SONATYPE CVSS 3.0: 7.5

Please answer these questions before submitting your issue. In order to accurately debug the issue this information is required. Thanks!

  1. What version of JDBC driver are you using? 3.15.0

  2. What operating system and processor architecture are you using? Linux

  3. What version of Java are you using? 11

  4. What did you do?

    Fortify code scan

  5. What did you expect to see? No high security vulnerabilities

  6. Can you set logging to DEBUG and collect the logs?

N/a

  7. What is your Snowflake account identifier, if any? (Optional)

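The scanner finding above says the application is vulnerable "by using this component", and the note admits that a bundled or transitive copy may have no upgrade path. Before escalating to maintainers, the practical first step is to confirm that the driver jar you actually ship bundles threetenbp, and at which version. The script below is an added triage example, not code from the snowflake-jdbc project, from threetenbp, or from the scanner: it builds a constructed stand-in jar in memory (the placeholder version 1.2.3, the sample pom.properties and the relocated package prefix net/snowflake/client/jdbc/internal/org/threeten/bp/ are assumptions for the demo, not facts about the real artifact), reads Maven pom.properties entries, and scans class entry paths for the package so that relocated (shaded) copies, which a plain dependency tree would not list, are still detected.

```python
"""Check whether a (possibly shaded) jar bundles a given Maven artifact.

Added triage example; not part of snowflake-jdbc or threetenbp. The sample
jar built by build_sample_jar() is constructed in memory for the demo.
"""
import io
import re
import zipfile
from typing import Dict

# META-INF/maven/<groupId>/<artifactId>/pom.properties is what Maven writes
# into packaged jars; shade plugins sometimes keep it and sometimes drop it.
MAVEN_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_pom_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value lines, '#' comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def bundled_artifacts(jar_bytes: bytes) -> Dict[str, str]:
    """Map 'groupId:artifactId' -> version for every pom.properties in the jar."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            match = MAVEN_PROPS.match(name)
            if not match:
                continue
            props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
            group = props.get("groupId", match.group(1))
            artifact = props.get("artifactId", match.group(2))
            found[f"{group}:{artifact}"] = props.get("version", "unknown")
    return found


def package_present(jar_bytes: bytes, package_path: str) -> bool:
    """True if any .class entry lies under package_path, at any prefix.

    Substring matching catches relocated copies such as
    <vendor>/internal/org/threeten/bp/..., which is how shaded fat jars hide
    transitive dependencies from dependency-tree tooling.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return any(n.endswith(".class") and package_path in n for n in zf.namelist())


def triage(jar_bytes: bytes, coordinate: str, package_path: str) -> Dict[str, object]:
    """Summarise whether `coordinate` is bundled, and with which version."""
    versions = bundled_artifacts(jar_bytes)
    return {
        "coordinate": coordinate,
        "metadata_present": coordinate in versions,
        "version": versions.get(coordinate),
        "classes_present": package_present(jar_bytes, package_path),
    }


def build_sample_jar() -> bytes:
    """Constructed stand-in for a shaded driver jar (NOT the real artifact).

    The version '1.2.3' and the relocated prefix are placeholders for the demo.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/maven/org.threeten/threetenbp/pom.properties",
            "#Generated by Maven\nversion=1.2.3\ngroupId=org.threeten\nartifactId=threetenbp\n",
        )
        zf.writestr(
            "net/snowflake/client/jdbc/internal/org/threeten/bp/ZoneId.class",
            b"\xca\xfe\xba\xbe",  # class-file magic number, enough for the demo
        )
        zf.writestr(
            "net/snowflake/client/jdbc/internal/org/threeten/bp/TZDB.dat", b"TZDB"
        )
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    print(triage(sample, "org.threeten:threetenbp", "org/threeten/bp/"))
```

Against a real artifact, call `triage(open("snowflake-jdbc.jar", "rb").read(), "org.threeten:threetenbp", "org/threeten/bp/")`. Treat `classes_present` as the authoritative presence signal: shading frequently strips pom.properties, so `metadata_present` being False does not mean the library is absent, only that the version has to be established another way (for example from the driver's published dependency list).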
sfc-gh-sghosh commented 8 months ago

Hello @cheevo ,

Thanks for raising the issue, we are looking into it, will update.

Regards, Sujan

sfc-gh-sghosh commented 7 months ago

Hello @cheevo ,

Update from threetenbp: the reported CVEs are invalid, and no action is needed.

threetenbp provided the page about the CVE (https://github.com/ThreeTen/threetenbp/commit/adcdbc462b4e93e68e6f9c9a82217d0478b7d635), and it is visible on their website (https://www.threeten.org/threetenbp/security.html); for the two reported CVEs they stated that

Users of ThreeTen-Backport do not need to take any action as the CVE is invalid.

So, closing this issue.

Regards, Sujan