Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cleaning submodules and rename engineering package #72

Closed
wants to merge 2 commits into from
Closed

Cleaning submodules and rename engineering package #72

wants to merge 2 commits into from

Conversation

tloubrieu-jpl
Copy link
Member

🗒️ Summary

fixes #10

and clean the pom for better integration in multimodule project

sonatype-lift[bot]
sonatype-lift bot reviewed Jan 7, 2022
View reviewed changes
service/pom.xml
@@ -267,13 +267,13 @@ POSSIBILITY OF SUCH DAMAGE.

<dependency>
<groupId>gov.nasa.pds</groupId>
<artifactId>api</artifactId>
<artifactId>registry-api-model</artifactId>
<version>0.5.0-SNAPSHOT</version>
</dependency>

<dependency>
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical OSS Vulnerability:

pkg:maven/gov.nasa.pds/[email protected]

4 Critical, 0 Severe, 2 Moderate, 0 Unknown vulnerabilities have been found across 2 dependencies

Components
    pkg:maven/log4j/[email protected]
      CRITICAL Vulnerabilities (2)
        CVE-2019-17571

        [CVE-2019-17571] Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserializat...

        Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

        CVSS Score: 9.8

        CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        CVE-2021-4104

        [CVE-2021-4104] JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when...

        JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

        ===================================================
        The following information is provided by Sonatype Nexus Intelligence. Nexus Intelligence is the only security research service that performs "secondary expansion" to determine if newly discovered vulnerabilities are also present in other components.

        Learn more about Nexus Intelligence -- https://www.sonatype.com/products/intelligence

        Explanation

        The log4j:log4j package is vulnerable to Deserialization of Untrusted Data. The lookup() and activateOptions() methods in the JMSAppender class allow JNDI lookup requests to be made when the TopicBindingName and TopicConnectionFactoryBindingName specify a trusted host. Lookups made to this host may be used by attackers to request a serialized malicious Java Object that can be deserialized and executed, leading to Remote Code Execution (RCE).

        Note that this vulnerability is different from CVE-2021-44228 and requires the attacker to be in control of the third party host that is specified in the configuration, or write access to the Log4j configuration file in order to specify a malicious lookup host directly. This vulnerability also only affects the 1.x.x component of Log4j released under the log4j:log4j group and artifact IDs.

        Advisory Deviation Notice: The Sonatype security research team discovered that the root cause of the vulnerability is in all versions of log4j:log4j, not just in the 1.2.x branch as the advisory states.

        Detection

        The application is vulnerable by using this component under the following circumstances:

        • The configuration file specifies an allowed third-party JNDI lookup host for the JMSAppender
        • the javax.jms.* API is included in the application's CLASSPATH

        Reference: https://bugzilla.redhat.com/show_bug.cgi?id=2031667#c28

        Recommendation

        The 1.x.x component has reach End of Life, and users should upgrade to a non-vulnerable version of org.apache.logging.log4j:log4j-core as this component includes other security vulnerabilities that are not fixed.

        References:

        CVSS Score: 8.1

        CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

      MODERATE Vulnerabilities (1)

        [CVE-2020-9488] Improper validation of certificate with host mismatch in Apache Log4j SMTP appen...

        Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

        CVSS Score: 3.7

        CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

    pkg:maven/log4j/[email protected]
      CRITICAL Vulnerabilities (2)
        CVE-2019-17571

        [CVE-2019-17571] Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserializat...

        Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

        CVSS Score: 9.8

        CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        CVE-2021-4104

        [CVE-2021-4104] JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when...

        JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

        ===================================================
        The following information is provided by Sonatype Nexus Intelligence. Nexus Intelligence is the only security research service that performs "secondary expansion" to determine if newly discovered vulnerabilities are also present in other components.

        Learn more about Nexus Intelligence -- https://www.sonatype.com/products/intelligence

        Explanation

        The log4j:log4j package is vulnerable to Deserialization of Untrusted Data. The lookup() and activateOptions() methods in the JMSAppender class allow JNDI lookup requests to be made when the TopicBindingName and TopicConnectionFactoryBindingName specify a trusted host. Lookups made to this host may be used by attackers to request a serialized malicious Java Object that can be deserialized and executed, leading to Remote Code Execution (RCE).

        Note that this vulnerability is different from CVE-2021-44228 and requires the attacker to be in control of the third party host that is specified in the configuration, or write access to the Log4j configuration file in order to specify a malicious lookup host directly. This vulnerability also only affects the 1.x.x component of Log4j released under the log4j:log4j group and artifact IDs.

        Advisory Deviation Notice: The Sonatype security research team discovered that the root cause of the vulnerability is in all versions of log4j:log4j, not just in the 1.2.x branch as the advisory states.

        Detection

        The application is vulnerable by using this component under the following circumstances:

        • The configuration file specifies an allowed third-party JNDI lookup host for the JMSAppender
        • the javax.jms.* API is included in the application's CLASSPATH

        Reference: https://bugzilla.redhat.com/show_bug.cgi?id=2031667#c28

        Recommendation

        The 1.x.x component has reach End of Life, and users should upgrade to a non-vulnerable version of org.apache.logging.log4j:log4j-core as this component includes other security vulnerabilities that are not fixed.

        References:

        CVSS Score: 8.1

        CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

      MODERATE Vulnerabilities (1)

        [CVE-2020-9488] Improper validation of certificate with host mismatch in Apache Log4j SMTP appen...

        Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

        CVSS Score: 3.7

        CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

(at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)

@al-niessner
Copy link
Contributor

I made similar changes on #20 so given the conflicts you may want to simply abandon this change.

@jordanpadams
Copy link
Member

@al-niessner we probably just need to try this again but with the latest codebase

@al-niessner
Copy link
Contributor

Actually, I similarly had to rename all the sub modules and fix up the POMs to make it all self consistent that I am strong suggesting that keeping this is not all that useful and was giving you a graceful out with the conflicts.

@jordanpadams
Copy link
Member

per tag-up closing this PR. will re-do

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sonatype-lift sonatype-lift[bot] sonatype-lift[bot] left review comments

@al-niessner al-niessner Awaiting requested review from al-niessner al-niessner is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Rename engineering package naming to registry
3 participants
@tloubrieu-jpl @al-niessner @jordanpadams