search

timolson / cointrader

Coin Trader is a Java-based backend for algorithmically trading cryptocurrencies. It provides data collection and export, complex event processing and triggering, and backtesting - paper trading - live trading.
Other
454 stars 166 forks source link

Dependency org.apache.zookeeper:zookeeper, leading to CVE problem #164

Closed CVEDetect closed 2 years ago

CVEDetect commented 3 years ago

Hi, In cointrader,there is a dependency org.apache.zookeeper:zookeeper:3.4.10 that calls the risk method.

CVE-2019-0201

The scope of this CVE affected version is [,3.4.14),[3.5.0-alpha, 3.5.5)

After further analysis, in this project, the main Api called is <org.apache.zookeeper.server.FinalRequestProcessor: void processRequest(org.apache.zookeeper.server.Request)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 3

<org.apache.zookeeper.server.FinalRequestProcessor: void processRequest(org.apache.zookeeper.server.Request)>
at <org.apache.zookeeper.server.quorum.CommitProcessor: void run()> (org.apache.zookeeper.server.quorum.CommitProcessor.java:[77]) in /.m2/repository/org/apache/zookeeper/zookeeper/3.4.10/zookeeper-3.4.10.jar
at <org.cryptocoinpartners.util.RateLimiter$RunnablePump: void run()> (org.cryptocoinpartners.util.RateLimiter$RunnablePump.java:[200]) in /detect/unzip/cointrader-master/target/classes

Dependency tree--

[INFO] org.cryptocoinpartners:cointrader:jar:0.3.0-SNAPSHOT
[INFO] +- org.slf4j:slf4j-api:jar:1.7.5:compile
[INFO] +- com.google.inject.extensions:guice-jmx:jar:4.1.0:compile
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.5:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.0.13:compile
[INFO] |  \- ch.qos.logback:logback-core:jar:1.0.13:compile
[INFO] +- commons-configuration:commons-configuration:jar:1.6:compile
[INFO] |  +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] |  +- commons-digester:commons-digester:jar:1.8:compile
[INFO] |  \- commons-beanutils:commons-beanutils-core:jar:1.8.0:compile
[INFO] +- net.sourceforge.collections:collections-generic:jar:4.01:compile
[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] +- com.tictactec:ta-lib:jar:0.4.0:compile
[INFO] +- com.espertech:esper:jar:4.9.0:compile
[INFO] |  +- log4j:log4j:jar:1.2.16:compile
[INFO] |  +- org.antlr:antlr-runtime:jar:3.2:compile
[INFO] |  |  \- org.antlr:stringtemplate:jar:3.2:compile
[INFO] |  \- cglib:cglib-nodep:jar:2.2:compile
[INFO] +- org.apache.commons:commons-math3:jar:3.6.1:compile
[INFO] +- com.beust:jcommander:jar:1.30:compile
[INFO] +- com.google.inject:guice:jar:4.1.0:compile
[INFO] |  +- javax.inject:javax.inject:jar:1:compile
[INFO] |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] +- com.google.inject.extensions:guice-persist:jar:4.1.0:compile
[INFO] +- javax.persistence:javax.persistence-api:jar:2.2:compile
[INFO] +- com.google.inject.extensions:guice-assistedinject:jar:4.1.0:compile
[INFO] +- com.google.guava:guava:jar:30.0-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:3.5.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] +- joda-time:joda-time:jar:2.9.9:compile
[INFO] +- org.jadira.usertype:usertype.core:jar:7.0.0.CR1:compile
[INFO] |  \- org.jadira.usertype:usertype.spi:jar:7.0.0.CR1:compile
[INFO] +- org.hibernate:hibernate-core:jar:5.2.18.Final:compile
[INFO] |  +- org.jboss.logging:jboss-logging:jar:3.3.1.Final:compile
[INFO] |  +- org.hibernate.javax.persistence:hibernate-jpa-2.1-api:jar:1.0.0.Final:compile
[INFO] |  +- org.javassist:javassist:jar:3.22.0-GA:compile
[INFO] |  +- antlr:antlr:jar:2.7.7:compile
[INFO] |  +- org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec:jar:1.0.1.Final:compile
[INFO] |  +- org.jboss:jandex:jar:2.0.3.Final:compile
[INFO] |  +- com.fasterxml:classmate:jar:1.3.0:compile
[INFO] |  +- org.dom4j:dom4j:jar:2.1.1:compile
[INFO] |  \- org.hibernate.common:hibernate-commons-annotations:jar:5.0.1.Final:compile
[INFO] +- org.hibernate:hibernate-entitymanager:jar:5.2.18.Final:compile
[INFO] |  \- net.bytebuddy:byte-buddy:jar:1.6.14:compile
[INFO] +- org.hibernate:hibernate-c3p0:jar:5.2.18.Final:compile
[INFO] +- org.hibernate:hibernate-ehcache:jar:5.2.18.Final:compile
[INFO] |  \- net.sf.ehcache:ehcache:jar:2.10.3:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.23:compile
[INFO] |  \- com.google.protobuf:protobuf-java:jar:3.11.4:compile
[INFO] +- org.reflections:reflections:jar:0.9.9-RC1:compile
[INFO] |  \- dom4j:dom4j:jar:1.6.1:compile
[INFO] |     \- xml-apis:xml-apis:jar:1.0.b2:compile
[INFO] +- commons-io:commons-io:jar:2.7:compile
[INFO] +- com.bethecoder:ascii-table:jar:1.0:compile
[INFO] +- net.sf.opencsv:opencsv:jar:2.0:compile
[INFO] +- com.clutch.dates:stringtotime:jar:1.0.6:compile
[INFO] |  \- org.springframework:spring-beans:jar:2.5.5:compile
[INFO] |     \- org.springframework:spring-core:jar:2.5.5:compile
[INFO] +- org.antlr:antlr4-runtime:jar:4.2.2:compile
[INFO] |  +- org.abego.treelayout:org.abego.treelayout.core:jar:1.0.1:compile
[INFO] |  \- org.antlr:antlr4-annotations:jar:4.2.2:compile
[INFO] +- com.github.nkzawa:engine.io-client:jar:0.3.0:compile
[INFO] |  +- org.json:json:jar:20090211:compile
[INFO] |  \- org.java-websocket:Java-WebSocket:jar:1.3.0:compile
[INFO] +- org.jblas:jblas:jar:1.2.4:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] +- gov.nist.math:jama:jar:1.0.3:compile
[INFO] +- org.la4j:la4j:jar:0.6.0:compile
[INFO] +- jline:jline:jar:2.12:compile
[INFO] +- org.knowm.xchange:xchange-core:jar:4.4.2:compile
[INFO] |  +- com.github.mmazi:rescu:jar:2.0.2:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.1:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.1:compile
[INFO] |  |  +- javax.ws.rs:javax.ws.rs-api:jar:2.1:compile
[INFO] |  |  \- oauth.signpost:signpost-core:jar:1.2.1.2:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.9:compile
[INFO] |  \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] +- org.knowm.xchange:xchange-binance:jar:4.4.2:compile
[INFO] +- org.knowm.xchange:xchange-bitmex:jar:4.4.2:compile
[INFO] +- org.knowm.xchange:xchange-bitfinex:jar:4.4.2:compile
[INFO] +- org.knowm.xchange:xchange-bitstamp:jar:4.4.2:compile
[INFO] +- org.knowm.xchange:xchange-bittrex:jar:4.4.2:compile
[INFO] +- org.knowm.xchange:xchange-btctrade:jar:4.4.2:compile
[INFO] +- org.knowm.xchange:xchange-gemini:jar:4.4.2:compile
[INFO] +- org.knowm.xchange:xchange-hitbtc:jar:4.4.2:compile
[INFO] +- org.knowm.xchange:xchange-kraken:jar:4.4.2:compile
[INFO] +- org.knowm.xchange:xchange-okcoin:jar:4.4.2:compile
[INFO] +- org.knowm.xchange:xchange-poloniex:jar:4.4.2:compile
[INFO] +- org.knowm.xchange:xchange-quoine:jar:4.4.2:compile
[INFO] |  \- com.auth0:java-jwt:jar:3.10.0:compile
[INFO] +- com.mchange:c3p0:jar:0.9.5.4:compile
[INFO] |  \- com.mchange:mchange-commons-java:jar:0.2.15:compile
[INFO] +- nz.ac.waikato.cms.weka:weka-dev:jar:3.7.11:compile
[INFO] |  +- net.sf.squirrel-sql.thirdparty-non-maven:java-cup:jar:0.11a:compile
[INFO] |  \- org.pentaho.pentaho-commons:pentaho-package-manager:jar:1.0.8:compile
[INFO] +- pentaho.weka:pdm-timeseriesforecasting-ce:jar:1.0:compile
[INFO] +- commons-codec:commons-codec:jar:1.9:compile
[INFO] +- black.ninia:jep:jar:3.7.0:compile
[INFO] +- com.therealvan:appender-core:jar:2.3.1:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-s3:jar:1.11.613:compile
[INFO] |  |  +- com.amazonaws:aws-java-sdk-kms:jar:1.11.613:compile
[INFO] |  |  +- com.amazonaws:aws-java-sdk-core:jar:1.11.613:compile
[INFO] |  |  |  +- software.amazon.ion:ion-java:jar:1.0.2:compile
[INFO] |  |  |  \- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.6.7:compile
[INFO] |  |  \- com.amazonaws:jmespath-java:jar:1.11.613:compile
[INFO] |  +- org.apache.solr:solr-solrj:jar:6.6.6:compile
[INFO] |  |  +- org.apache.httpcomponents:httpclient:jar:4.4.1:compile
[INFO] |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.1:compile
[INFO] |  |  +- org.apache.httpcomponents:httpmime:jar:4.4.1:compile
[INFO] |  |  +- org.apache.zookeeper:zookeeper:jar:3.4.10:compile
[INFO] |  |  +- org.codehaus.woodstox:stax2-api:jar:3.1.4:compile
[INFO] |  |  +- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:compile
[INFO] |  |  +- org.noggit:noggit:jar:0.6:compile
[INFO] |  |  \- org.slf4j:jcl-over-slf4j:jar:1.7.7:compile
[INFO] |  \- org.elasticsearch.client:transport:jar:5.4.3:compile
[INFO] |     +- org.elasticsearch:elasticsearch:jar:5.4.3:compile
[INFO] |     |  +- org.apache.lucene:lucene-core:jar:6.5.1:compile
[INFO] |     |  +- org.apache.lucene:lucene-analyzers-common:jar:6.5.1:compile
[INFO] |     |  +- org.apache.lucene:lucene-backward-codecs:jar:6.5.1:compile
[INFO] |     |  +- org.apache.lucene:lucene-grouping:jar:6.5.1:compile
[INFO] |     |  +- org.apache.lucene:lucene-highlighter:jar:6.5.1:compile
[INFO] |     |  +- org.apache.lucene:lucene-join:jar:6.5.1:compile
[INFO] |     |  +- org.apache.lucene:lucene-memory:jar:6.5.1:compile
[INFO] |     |  +- org.apache.lucene:lucene-misc:jar:6.5.1:compile
[INFO] |     |  +- org.apache.lucene:lucene-queries:jar:6.5.1:compile
[INFO] |     |  +- org.apache.lucene:lucene-queryparser:jar:6.5.1:compile
[INFO] |     |  +- org.apache.lucene:lucene-sandbox:jar:6.5.1:compile
[INFO] |     |  +- org.apache.lucene:lucene-spatial:jar:6.5.1:compile
[INFO] |     |  +- org.apache.lucene:lucene-spatial-extras:jar:6.5.1:compile
[INFO] |     |  +- org.apache.lucene:lucene-spatial3d:jar:6.5.1:compile
[INFO] |     |  +- org.apache.lucene:lucene-suggest:jar:6.5.1:compile
[INFO] |     |  +- org.elasticsearch:securesm:jar:1.1:compile
[INFO] |     |  +- net.sf.jopt-simple:jopt-simple:jar:5.0.2:compile
[INFO] |     |  +- com.carrotsearch:hppc:jar:0.7.1:compile
[INFO] |     |  +- org.yaml:snakeyaml:jar:1.15:compile
[INFO] |     |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-smile:jar:2.8.6:compile
[INFO] |     |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.8.6:compile
[INFO] |     |  +- com.tdunning:t-digest:jar:3.0:compile
[INFO] |     |  +- org.hdrhistogram:HdrHistogram:jar:2.1.9:compile
[INFO] |     |  \- org.elasticsearch:jna:jar:4.4.0:compile
[INFO] |     +- org.elasticsearch.plugin:transport-netty3-client:jar:5.4.3:compile
[INFO] |     |  \- io.netty:netty:jar:3.10.6.Final:compile
[INFO] |     +- org.elasticsearch.plugin:transport-netty4-client:jar:5.4.3:compile
[INFO] |     |  +- io.netty:netty-buffer:jar:4.1.11.Final:compile
[INFO] |     |  +- io.netty:netty-codec:jar:4.1.11.Final:compile
[INFO] |     |  +- io.netty:netty-codec-http:jar:4.1.11.Final:compile
[INFO] |     |  +- io.netty:netty-common:jar:4.1.11.Final:compile
[INFO] |     |  +- io.netty:netty-handler:jar:4.1.11.Final:compile
[INFO] |     |  +- io.netty:netty-resolver:jar:4.1.11.Final:compile
[INFO] |     |  \- io.netty:netty-transport:jar:4.1.11.Final:compile
[INFO] |     +- org.elasticsearch.plugin:reindex-client:jar:5.4.3:compile
[INFO] |     |  \- org.elasticsearch.client:rest:jar:5.4.3:compile
[INFO] |     |     +- org.apache.httpcomponents:httpasyncclient:jar:4.1.2:compile
[INFO] |     |     \- org.apache.httpcomponents:httpcore-nio:jar:4.4.5:compile
[INFO] |     +- org.elasticsearch.plugin:lang-mustache-client:jar:5.4.3:compile
[INFO] |     |  \- com.github.spullara.mustache.java:compiler:jar:0.9.3:compile
[INFO] |     \- org.elasticsearch.plugin:percolator-client:jar:5.4.3:compile
[INFO] \- com.therealvan:appender-log4j:jar:2.3.1:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 3 years ago

@douggie Could please help me check this issue? May I pull a request to fix it? Thanks again.

timolson commented 3 years ago

Sure, it should be a simple change to the pom.