
Indirect dependency to vulnerable Xerces, CVE-2017-10355 #743

Closed
lathspell opened this issue Sep 20, 2022 · 1 comment
Labels
bug, falsepositive, wontfix

Comments

@lathspell

Describe the bug

OWASP Dependency Check reports:

xercesImpl-2.12.2.jar (pkg:maven/xerces/xercesImpl@2.12.2) : CVE-2017-10355

This is due to an indirect dependency of your library:

 +--- org.owasp.esapi:esapi:2.5.0.0
 |    +--- org.owasp.antisamy:antisamy:1.7.0
 |    |    +--- net.sourceforge.htmlunit:neko-htmlunit:2.63.0
 |    |    |    \--- xerces:xercesImpl:2.12.2

Specify what ESAPI version(s) you are experiencing this bug in:
latest

To Reproduce

./gradlew depChAn

@lathspell lathspell added the bug label Sep 20, 2022
@kwwall

kwwall commented Sep 20, 2022

A few things here. First, this is referenced in the ESAPI 2.5.0.0 release notes:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt#L124-L132

CVE-2017-10355 is associated with library xercesImpl-2.12.2.jar, which is a transitive dependency, pulled in via AntiSamy. But based on the CPE, it seems to be a different Xerces jar (see below).

It is a Denial of Service vulnerability with a CVSSv3 score of 5.9.

Both the ESAPI and AntiSamy teams believe that this CVE is a false positive with respect to these 2 projects.

Dependency Check itself doesn't flag this and neither does Snyk. Dependency Check reports it because it is reported directly by Sonatype's OSS Index.

For further details, see
https://ossindex.sonatype.org/vulnerability/sonatype-2017-0348?component-type=maven&component-name=xerces%2FxercesImpl

The Sonatype OSS Index seems to have the wrong CPE. The Sonatype OSS Index has
cpe:2.3:a:xerces:xercesImpl:2.12.2:*:*:*:*:*:*:*
whereas the CPE IDs associated with NIST's NVD are
cpe:2.3:a:apache:xerces-j:2.12.2:*:*:*:*:*:*:*
and
cpe:2.3:a:apache:xerces2_java:2.12.2:*:*:*:*:*:*:*,
which seems to be a different (forked?) Xerces release. We have spoken to Sonatype about this, but they have been unresponsive thus far regarding this. Note however, that Sonatype's flagship commercial SCA product, Nexus IQ, does not show this CVE for either ESAPI 2.5.0.0 or for AntiSamy 1.7.0. If it did, perhaps we would have more leverage to get it corrected. It is also not flagged as a vulnerability in https://mvnrepository.com/artifact/xerces/xercesImpl.

Note also that this has been reported as GitHub issue #4614 in Dependency Check:
jeremylong/DependencyCheck#4614

Lastly, there is nothing that we can do to fix this as 2.12.2 is the latest version of Xerces implementation released.

If you believe it might be helpful to call this out more specifically in Vulnerability-Summary.md (let me know in a follow-up comment), I can do that on the next ESAPI release, but otherwise, I am marking this closed as a False Positive of whatever SCA tool that you are using.

@kwwall kwwall closed this as completed Sep 20, 2022
@kwwall kwwall added the wontfix and falsepositive labels Sep 20, 2022
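One way to handle this on the consuming side, as an added example rather than anything from the ESAPI or Dependency-Check projects: a Dependency-Check suppression that silences only CVE-2017-10355 on the exact xercesImpl artifact and records the CPE-mismatch rationale, so the finding resurfaces as soon as the version changes. The file name and path are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- config/dependency-check-suppressions.xml (assumed path; added example,
     not from the ESAPI or Dependency-Check projects) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2017-10355 is reported by Sonatype OSS Index against xerces:xercesImpl:2.12.2,
      pulled in transitively via org.owasp.esapi:esapi -> antisamy -> neko-htmlunit.
      NVD binds this CVE to cpe:2.3:a:apache:xerces-j and cpe:2.3:a:apache:xerces2_java,
      not to cpe:2.3:a:xerces:xercesImpl, so the match is a CPE discrepancy, not a hit.
      Tracked in ESAPI/esapi-java-legacy#743 and jeremylong/DependencyCheck#4614.
      The version is pinned below so a newer Xerces is re-evaluated, not auto-suppressed.
    ]]></notes>
    <!-- Match only this one artifact and version; never suppress by CVE alone,
         which would also hide the CVE on any other Xerces package. -->
    <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@2\.12\.2$</packageUrl>
    <cve>CVE-2017-10355</cve>
  </suppress>
</suppressions>
```

With the Gradle plugin used in the reproduction step, point `dependencyCheck { suppressionFile = 'config/dependency-check-suppressions.xml' }` at this file and keep the rationale in the `notes` element so the suppression is reviewable at audit time.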