Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-2976 in version 32.0.0 #6532

Closed
malfoj89 opened this issue Jun 2, 2023 · 12 comments
Closed

CVE-2023-2976 in version 32.0.0 #6532

malfoj89 opened this issue Jun 2, 2023 · 12 comments
Assignees
Labels
P2 package=io type=other Miscellaneous activities not covered by other type= labels

Comments

@malfoj89
Copy link

malfoj89 commented Jun 2, 2023

despite rn it is still present following owasp report and other people #2575

@cpovirk
Copy link
Member

cpovirk commented Jun 2, 2023

Hmm, thanks. Do you know where OWASP gets its data? I went from https://owasp.org/www-project-dependency-check/ to https://search.maven.org/artifact/org.owasp/dependency-check-maven/8.2.1/maven-plugin, which matches launchdarkly/java-server-sdk#308 (comment) and suggests that the plugin's docs are at https://jeremylong.github.io/DependencyCheck/dependency-check-maven/, which mentions the NISD NVD.

I see no entry for CVE-2023-2976 at the NISD NVD (since the number is AFAIK still only "reserved"). I'm not sure where else OWASP is getting information from, since the NISD NVD data doesn't appear to even know that that number is associated with Guava.

Notably, Sonatype's OSSIndex considers the issue to be resolved in that version:

image

@cpovirk
Copy link
Member

cpovirk commented Jun 2, 2023

Other 3rd party services and data sources such as the NPM Audit API, the OSS Index, RetireJS, and Bundler Audit are utilized for specific technologies.

I would expect OSS Index to be the only one from that list that's relevant to Java. But maybe there are other sources, too.

@cpovirk
Copy link
Member

cpovirk commented Jun 2, 2023

I'm able to add org.owasp:dependency-check-maven:8.2.1 to a project that depends on guava-32.0.0-android, set failBuildOnAnyVulnerability, watch it download a bunch of stuff, and AFAICT report no problems:

[INFO] Processing Complete for NVD CVE - 2023  (1516 ms)
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - Modified  (140 ms)
[INFO] Processing Started for NVD CVE - Modified
[INFO] Processing Complete for NVD CVE - Modified  (571 ms)
[INFO] Begin database maintenance
[INFO] Updated the CPE ecosystem on 133788 NVD records
[INFO] Removed the CPE ecosystem on 3760 NVD records
[INFO] End database maintenance (9807 ms)
[INFO] Updating CISA Known Exploited Vulnerability list: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
[INFO] Begin database defrag
[INFO] End database defrag (3453 ms)
[INFO] Check for updates complete (111806 ms)
[INFO]

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


   About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
   False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html

💖 Sponsor: https://github.com/sponsors/jeremylong


[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
[INFO] Writing report to: /usr/local/google/home/cpovirk/clients/truth-green/truth/core/target/dependency-check-report.html

I also looked at https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Agoogle%3Aguava%3A*%3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL%2CDEPRECATED&startIndex=80 and didn't see any entries after 30.1 (which is the second release in which Files.createTempDir was deprecated).

In contrast, if I downgrade to 29.0, I see an error:

guava-29.0-android.jar (pkg:maven/com.google.guava/[email protected], cpe:2.3:a:google:guava:29.0:*:*:*:*:*:*:*) : CVE-2023-2976, CVE-2020-8908

I wonder if it would help for people to run the OWASP plugin's update-only goal (or to delete any caches used by their CI, forcing it to re-download the data)? Maybe OSS Index temporarily considered CVE-2023-2976 to apply to 32.0.0 but some people's plugins haven't picked up their fix yet?

@cpovirk cpovirk self-assigned this Jun 2, 2023
@cpovirk
Copy link
Member

cpovirk commented Jun 2, 2023

Thanks. It would be nice if https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/guava let me see whether the data has changed over time. Are you in a position to try the update-only goal? Is there a repo I can clone and build to see if the error shows up on my machine?

@pwagland
Copy link

pwagland commented Jun 2, 2023

FWIW, earlier today https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/[email protected] most definitely showed a CVE in this release. Now it doesn't. So, if this is where the appropriate tool was getting data, then it should now be fixed, once caches are updated.

For me, in any case, this is no longer firing.

@cpovirk
Copy link
Member

cpovirk commented Jun 2, 2023

Excellent, thank you.

@cpovirk
Copy link
Member

cpovirk commented Jun 5, 2023

It sounds like the issue cleared up when Sonatype fixed their data. If anyone still sees trouble, let us know.

@JoergHeinicke5005
Copy link

NVD changed their entry for https://nvd.nist.gov/vuln/detail/CVE-2023-2976 today to match up to excluding 32.0.1, i.e., as if 32.0.0 would still be affected. So CVE-2023-2976 is again being reported against 32.0.0.

@sjamaan
Copy link

sjamaan commented Jun 29, 2023

NVD changed their entry for https://nvd.nist.gov/vuln/detail/CVE-2023-2976 today to match up to excluding 32.0.1, i.e., as if 32.0.0 would still be affected. So CVE-2023-2976 is again being reported against 32.0.0.

I just noticed this too. What the hell are they thinking? This is such a nuisance. Is there a way to contact them to fix this?

@cpovirk
Copy link
Member

cpovirk commented Jul 5, 2023

:( Thanks for the reports.

Does anyone know whether 32.0.0 is still reported as a problem? The NVD page show shows "Up to (excluding) 32.0.0," so perhaps this is fixed?

@pwagland
Copy link

pwagland commented Jul 6, 2023

This seems to be resolved in our reports now. Thanks for your responsivenesses!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
P2 package=io type=other Miscellaneous activities not covered by other type= labels
Projects
None yet
Development

No branches or pull requests

6 participants