-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FP]: xercesImpl-2.12.2.jar matched for CVE-2017-10355 #4614
Comments
Maven Coordinates <dependency>
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
<version>2.12.2</version>
</dependency> Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #4614
]]></notes>
<packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
<cpe>cpe:/a:apache:xerces-j</cpe>
</suppress> Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2527559089 |
It's plain and clear from the report: Which is to say: the intelligence that this CVE (still) applies to version 2.12.2 comes from the security analysts of Sonatype OSSINDEX, not from the NVD datastreams. So it may differ from the listing at the NVD. Up to now OSSINDEX has provided sensible reasoning that CVEs still apply to versions of the library not listed in the NVD as the fix was either documentation to not use certain coding patterns, or a mere deprecation instead of removal of the vulnerable code. Both of which require human judgement of the code usage of a project to determine whether or not for your specific use of the library the vulnerability is mitigated or not, as the vulnerability is still lurking in the codebase. I expect this one to be similar in nature. |
Has anyone contacted the OSS Index team regarding this? This differs greatly from the CVE: |
@jeremylong - as noted in an email, I also checked Sonatype's flagship SCA project Nexus IQ, for this CVE and Nexus IQ is pointing to the NVD CVE and not their own OSS Index CVE. That seems a bit curious. Tomorrow I will see if I can get it to scan AntiSamy and see if it flags xercesImpl or not. I have not seen Snyk flagging this though. |
Update: While Nexus IQ refers to the NVD CVE for it's description, they do report the vulnerability consistent in a manner with OSS Index and but the Nexus IQ description of the reported vulnerability has a different (and someone more useful) description that what is used for the OSS Index description. Specifically, the Nexus IQ vulnerability description mentions the root cause of the problem being that the |
Hi @kwwall is there a further update about the FP? Do we know the reason that xerceslmpl-2.12.2.jar is matched with the CVE-2017-10355? Thank you. |
Have heard nothing further. I think we need to report it to Sonatype for at
least their OSS Index project. Sonatype Lift also reports this for AntiSamy
1.7.0, but I think that's because Lift uses OSS index as on of its
vulnerability sources.
…On Thu, Jul 28, 2022, 10:12 PM Albert Wang ***@***.***> wrote:
Hi @kwwall <https://github.com/kwwall> is there a further update about
the FP? Do we know the reason that xerceslmpl-2.12.2.jar is matched with
the CVE-2017-10355 <https://github.com/advisories/GHSA-c7m6-53c4-386j>?
Thank you.
—
Reply to this email directly, view it on GitHub
<#4614 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAO6PGYVZUDEYMG2P56QSGTVWM4Z5ANCNFSM5ZIA37EA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Hi @kwwall thank you for your kind reply. I am not familiar with where to report it. Do you think if we should create an issue on https://github.com/sonatype/ossindex-public? Albert |
Probably not. I think that site is just implements a web API and client
that accesses the information in https://ossindex.sonatype.org/. I think
it is flawed data in ossindex.sonatype.com that needs reported. I've not
signed up for that site to see where/ how to report bugs because I have a
dozen more pressing matters at the moment. If you find out how / where to
report bugs, I will gladly do so though.
…On Thu, Jul 28, 2022, 11:48 PM albertylw ***@***.***> wrote:
Hi @kwwall <https://github.com/kwwall> thank you for your kind reply. I
am not familiar with where to report it. Do you think if we should create
an issue on https://github.com/sonatype/ossindex-public?
Albert
—
Reply to this email directly, view it on GitHub
<#4614 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAO6PG2YSZLTBZ53H3RMKZDVWNIA7ANCNFSM5ZIA37EA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
The proper issue-tracking to report issues on OSSIndex entries is https://github.com/OSSIndex/vulns |
Thank you, @aikebah |
I will try. Thank you. |
@kwwall @aikebah I reported the issue to OSSIndex. My current understanding is that OSSIndex published a vulnerability [sonatype-2017-0348] CWE-833: Deadlock of xerces:xercesImpl. Somehow, when OWASP Dependency-Check reports the vulnerability, it uses another title CVE-2017-10355 (OSSINDEX). However, CVE-2017-10355 looks like a totally different vulnerability. Therefore, xerces:xercesImpl may have the vulnerability, but it is not CVE-2017-10355. I didn't find any information about the vulnerability on xerces.apache.org/xerces2-j or xerces.apache.org/xerces2-j/releases.html. I will email Apache Software Foundation [email protected] for help. Thank you. Albert |
@albertwangnz The CVE 2017 10355 is a vulnerability that OSSINDEX themselves returns on the API call as applicable for the xercesImpl library. The sonatype 2017 0348 is hidden to dependency-check based on filtering that is still in place as initially there were Exceptions resulting from the data of the internal sonatype vulnerabilities (see #4527 (comment)) So these two are indeed completely separate issues, but according to OSSINDEX data xercesImpl is subject to CVE 2017 10355. |
Hi @aikebah , so sounds like OSSINDEX should not return CVE 2017 10355 as applicable for the xercelmpl library. Hope OSSINDEX could view the BUG I raised. Thank you. |
After closely re-reading the report I spotted that both the internal Sonatype issue name and the CVE referenced in this ticket stem from the same reported issue... so I checked the OSSIndex cache of dependency-check (after an initial cleanup), harvested the sonatype OSSINDEX API response for XercesImpl from it and added the info to the OSSINDEX ticket. The vulnerability of XercesImpl is sonatype-2017-0348, the CVE number is a false flag |
Update: SNYK also relates the issue to the same CVE... https://security.snyk.io/vuln/SNYK-JAVA-XERCES-31497 looks like in some way opening an FTP connection by XercesImpl is involved They appear to differ opinion on which versions of XercesImpl are affected and which CWE is violated (the Snyk entry indicates that 2.11.0 is patched for it and links the issue to CWE-400) |
What I can digest from the SNYK references I would say that the issue indeed was never resolved within Xerces itself (still fully relying on Java defaults to provide sensible timeouts), but it's only resolved because the JDK has built in a default timeout for FTP connections in response to the CVE, so that over time the connections will time out and release the hanging thread with a timeout exception. |
Hi @aikebah, you are awesome! I think the situation is more clear now. |
Hi @aikebah , do you think SNYK-JAVA-XERCES-31497 and sonatype-2017-0348 are the same issue of XercesImpl, or they are different issues? |
They both link to |
I do have dependabot enabled. But it is not flagging this. When I run:
mvn org.owasp:dependency-check-maven:check
It flags xercesImpl.
…-Dave
On Mon, Jul 18, 2022 at 10:30 PM Kevin W. Wall ***@***.***> wrote:
@jeremylong <https://github.com/jeremylong> - as noted in an email, I
also checked Sonatype's flagship SCA project Nexus IQ, for this CVE and
Nexus IQ is pointing to the NVD CVE and not their own OSS Index CVE. That
seems a bit curious. Tomorrow I will see if I can get it to scan AntiSamy
and see if it flags xercesImpl or not. I have not seen Snyk flagging this
though.
@davewichers <https://github.com/davewichers> - Do you have GitHub's
Dependabot enabled? If so, does that flag this?
—
Reply to this email directly, view it on GitHub
<#4614 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABGFWBKPFL3OE2QHZ2NJDXDVUYHM7ANCNFSM5ZIA37EA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
hmmm... ...
<dependency>
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
<version>2.12.2</version>
</dependency>
... mvn clean verify -U org.owasp:dependency-check-maven:11.1.0:check reports: |
It's never been away (unless somehow for you the OSSINDEX access was blocked, or OSSINDEX temporarily unlisted it and now relisted the same) |
According to the data at OSSINDEX the issue is supposedly only patched in Red Hat patch versions of the xerces library. |
See OSSIndex/vulns#328 (comment) for background on why OSSINDEX lists this as a vulnerability for Xerces-J and when you can treat it as a mitigated issue. |
amazing response. cheers! |
Strangely, without changing anything other than ODC Gradle patch version, as of today this started getting reported in our setup when it wasn't getting reported through daily scans for a very long time. I fear there is some kind of indeterministic false negative scenario going on here which is why people perhaps see it appearing and/or disappearing. (unless OSSINDEX relisted it as you describe above) (Edit: Perhaps could be due to dependency-check/dependency-check-gradle#421 which recently got fixed, as the dependencies in my case are actually jars inside ruby gems found on the file path. Perhaps without this analyzer they cannot always be reliably matched to OSSIndex data. Not sure.) |
Package URl
pkg:maven/xerces/[email protected]
CPE
cpe:2.3:a:apache:xerces-j:2.12.2:*:*:*:*:*:*:*
CVE
CVE-2017-10355
ODC Integration
{"label"=>"Gradle Plugin"}
ODC Version
7.1.1
Description
I can't see why the pkg matches with the CVE. The CVE's entry on nvd.nist.gov doesn't even mention the reported cpe.
Package and CVE look unrelated to me.
The text was updated successfully, but these errors were encountered: