udger / udger-local-api-v4

REST API agent string parser for Docker based on Udger https://udger.com/products/local_parser
MIT License

Critical vulnerability in meecrowave-core library #2

Closed. Ezcyo closed this issue 8 months ago.

Ezcyo commented 8 months ago

Hello Udger team,

We noticed the latest Udger image uses the Meecrowave-core library v1.2.10, which has some critical vulnerabilities, one of them being the log4j RCE (CVE-2021-44228).

Could you please update the library version to a safer one as soon as possible, as this can compromise entire stacks using udger-local-api for UA resolution.

Here is the result of a trivy (https://trivy.dev) scan on the latest image:

udgercom/udger-local-api-v4 (alpine 3.14.10)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

2024-03-19T16:08:35.954+0100    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 2, CRITICAL: 3)

┌─────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬──────────────────────────────────────────────────────────────┐
│                           Library                           │ Vulnerability  │ Severity │ Status │ Installed Version │     Fixed Version     │                            Title                             │
├─────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.cxf:cxf-core (meecrowave-core-1.2.10-runner.jar) │ CVE-2022-46364 │ CRITICAL │ fixed  │ 3.4.1             │ 3.4.10, 3.5.5         │ Apache CXF: SSRF Vulnerability                               │
│                                                             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-46364                   │
│                                                             ├────────────────┼──────────┤        │                   │                       ├──────────────────────────────────────────────────────────────┤
│                                                             │ CVE-2022-46363 │ HIGH     │        │                   │                       │ Apache CXF: directory listing / code exfiltration            │
│                                                             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-46363                   │
│                                                             ├────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                             │ CVE-2024-28752 │ MEDIUM   │        │                   │ 3.5.8, 3.6.3, 4.0.4   │ SSRF vulnerability using the Aegis DataBinding in Apache CXF │
│                                                             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2024-28752                   │
├─────────────────────────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.johnzon:johnzon-mapper                           │ CVE-2023-33008 │          │        │ 1.2.8             │ 1.2.21                │ apache-johnzon: Prevent inefficient internal conversion from │
│ (meecrowave-core-1.2.10-runner.jar)                         │                │          │        │                   │                       │ BigDecimal at large scale                                    │
│                                                             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-33008                   │
├─────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.logging.log4j:log4j-core                         │ CVE-2021-44228 │ CRITICAL │        │ 2.14.0            │ 2.15.0, 2.3.1, 2.12.2 │ log4j-core: Remote code execution in Log4j 2.x when logs     │
│ (meecrowave-core-1.2.10-runner.jar)                         │                │          │        │                   │                       │ contain an attacker-controlled...                            │
│                                                             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-44228                   │
│                                                             ├────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                             │ CVE-2021-45046 │          │        │                   │ 2.16.0, 2.12.2        │ log4j-core: DoS in log4j 2.x with thread context message     │
│                                                             │                │          │        │                   │                       │ pattern and context...                                       │
│                                                             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-45046                   │
│                                                             ├────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                             │ CVE-2021-45105 │ HIGH     │        │                   │ 2.12.3, 2.17.0, 2.3.1 │ log4j-core: DoS in log4j 2.x with Thread Context Map (MDC)   │
│                                                             │                │          │        │                   │                       │ input data...                                                │
│                                                             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-45105                   │
│                                                             ├────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                             │ CVE-2021-44832 │ MEDIUM   │        │                   │ 2.3.2, 2.12.4, 2.17.1 │ log4j-core: remote code execution via JDBC Appender          │
│                                                             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-44832                   │
└─────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴──────────────────────────────────────────────────────────────┘
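One way to confirm trivy's headline finding on a pulled image without trivy: extract the bundled runner jar (meecrowave-core-1.2.10-runner.jar above) and walk it for the log4j-core pom.properties, comparing the version against the fixed releases trivy lists for CVE-2021-44228 (2.15.0, with backports 2.12.2 and 2.3.1). This is an added example, not code from the issue or the Udger project; the nested-jar layout and the sample jar it builds are constructed assumptions.

```python
import io
import zipfile

# Fixed log4j-core versions for CVE-2021-44228 as listed in the trivy table
# above: 2.15.0, and backports 2.12.2 / 2.3.1 for the older branches.
FIXED = {(2, 15, 0), (2, 12, 2), (2, 3, 1)}
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.0' into (2, 14, 0); non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable(version):
    """True if below the fix on the matching branch (2.3.x, 2.12.x) or below 2.15.0."""
    v = parse_version(version)
    for fix in FIXED:
        if v[:2] == fix[:2]:  # same minor branch: compare patch level only
            return v < fix
    return v < (2, 15, 0)


def find_log4j_core(jar_bytes, path=""):
    """Walk a jar and every jar nested inside it (a runner/fat jar embeds its
    dependencies) and return [(location, version)] for each bundled log4j-core."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                props = zf.read(name).decode("utf-8", "replace").splitlines()
                version = next((l.split("=", 1)[1].strip() for l in props if l.startswith("version=")), "unknown")
                found.append((path or "<root>", version))
            elif name.endswith((".jar", ".war")):
                nested = f"{path}!/{name}" if path else name
                found.extend(find_log4j_core(zf.read(name), nested))
    return found


def report(jar_bytes):
    """[(location, version, vulnerable)] for every log4j-core found in the jar."""
    return [(loc, ver, is_vulnerable(ver)) for loc, ver in find_log4j_core(jar_bytes)]


def build_sample_runner_jar(version):
    """Constructed stand-in for a runner jar with log4j-core nested inside it."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    return outer.getvalue()
```

On a real image, `report(open(path_to_runner_jar, "rb").read())` returns the same list for the extracted jar. The other log4j findings in the table (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) have their own fixed versions and are not covered by this check.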
skybber commented 8 months ago

Thanks for the report, meecrowave is upgraded to 1.2.15 now

Ezcyo commented 8 months ago

Hello, thank you for the update.

Could you please publish the new image on Docker hub? Many thanks.