Sormas-project: security update vulnerable dependencies

Created on 17 Dec 2020  路  4Comments  路  Source: hzi-braunschweig/SORMAS-Project

Bug Description

Sormas uses these vulnerable dependencies
[ERROR] apache-jsp-8.0.9.M3.jar: CVE-2020-8022, CVE-2016-5388, CVE-2016-8735, CVE-2018-8014, CVE-2017-5648, CVE-2017-12617
[ERROR] apache-jsp-9.2.14.v20151106.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] htmlunit-2.19.jar: CVE-2020-5529
[ERROR] htmlunit-core-js-2.17.jar: CVE-2020-5529
[ERROR] jetty-server-9.2.14.v20151106.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] jetty-xml-9.2.14.v20151106.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] tapestry-4.0.2.jar: CVE-2020-17531
[ERROR] websocket-client-9.2.13.v20150730.jar: CVE-2017-7658, CVE-2017-7657

Steps to Reproduce

  1. add owasp-dependency-check to sormas-base/pom.xml
  2. mvn org.owasp:dependency-check-maven:6.0.3:check
[ERROR] apache-jsp-8.0.9.M3.jar: CVE-2020-8022, CVE-2016-5388, CVE-2016-8735, CVE-2018-8014, CVE-2017-5648, CVE-2017-12617
[ERROR] apache-jsp-9.2.14.v20151106.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] htmlunit-2.19.jar: CVE-2020-5529
[ERROR] htmlunit-core-js-2.17.jar: CVE-2020-5529
[ERROR] jetty-server-9.2.14.v20151106.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] jetty-xml-9.2.14.v20151106.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] tapestry-4.0.2.jar: CVE-2020-17531
[ERROR] websocket-client-9.2.13.v20150730.jar: CVE-2017-7658, CVE-2017-7657

These depencies were not updated in
https://github.com/hzi-braunschweig/SORMAS-Project/issues/3584
Althoug https://github.com/hzi-braunschweig/SORMAS-Project/pull/3626 already listed them as vulnerable.

Expected Behavior

no vulnerable dependencies in Sormas

Screenshots

System Details

  • Device:
  • SORMAS version: current github version
  • Android version/Browser:
  • Server URL:
  • User Role:

Additional Information

bug

Most helpful comment

Hm, what are "used dependencies"?
mvn org.owasp:dependency-check-maven:6.0.3:check outputs that sormas is depending on vulnerable depenencies like htmlunit.

And mvn dependency:tree -Dverbose shows that e.g. the vulnerable jetty-xml-9.2.14.v20151106.jar is a dependency

[INFO] +- com.vaadin:vaadin-client-compiler:jar:8.12.1:provided
[INFO] | +- (com.vaadin:vaadin-client:jar:8.12.1:provided - omitted for duplicate)
[INFO] | +- com.google.gwt:gwt-dev:jar:2.8.2:provided
[INFO] | | +- com.google.code.findbugs:jsr305:jar:1.3.9:provided
[INFO] | | +- com.google.code.gson:gson:jar:2.6.2:provided
[INFO] | | +- org.ow2.asm:asm:jar:5.0.3:provided
[INFO] | | +- org.ow2.asm:asm-util:jar:5.0.3:provided
[INFO] | | | - org.ow2.asm:asm-tree:jar:5.0.3:provided
[INFO] | | | - (org.ow2.asm:asm:jar:5.0.3:provided - omitted for duplicate)
[INFO] | | +- org.ow2.asm:asm-commons:jar:5.0.3:provided
[INFO] | | | - (org.ow2.asm:asm-tree:jar:5.0.3:provided - omitted for duplicate)
[INFO] | | +- colt:colt:jar:1.2.0:provided
[INFO] | | +- ant:ant:jar:1.6.5:provided
[INFO] | | +- commons-collections:commons-collections:jar:3.2.2:provided
[INFO] | | +- commons-io:commons-io:jar:2.8.0:provided (version managed from 2.4)
[INFO] | | +- com.ibm.icu:icu4j:jar:50.1.1:provided
[INFO] | | +- tapestry:tapestry:jar:4.0.2:provided
[INFO] | | +- net.sourceforge.htmlunit:htmlunit:jar:2.19:provided
[INFO] | | | +- xalan:xalan:jar:2.7.2:provided
[INFO] | | | | - xalan:serializer:jar:2.7.2:provided
[INFO] | | | | - (xml-apis:xml-apis:jar:1.3.04:provided - omitted for conflict with 1.4.01)
[INFO] | | | +- (commons-collections:commons-collections:jar:3.2.2:provided - version managed from 3.2.1; omitted for duplicate)
[INFO] | | | +- org.apache.commons:commons-lang3:jar:3.11:provided (version managed from 3.4)
[INFO] | | | +- org.apache.httpcomponents:httpclient:jar:4.5.13:provided (version managed from 4.5.1)
[INFO] | | | | +- org.apache.httpcomponents:httpcore:jar:4.4.14:provided (version managed from 4.4.13)
[INFO] | | | | +- (commons-logging:commons-logging:jar:1.2:provided - omitted for duplicate)
[INFO] | | | | - (commons-codec:commons-codec:jar:1.15:provided - version managed from 1.10; omitted for duplicate)
[INFO] | | | +- org.apache.httpcomponents:httpmime:jar:4.5.1:provided
[INFO] | | | | - (org.apache.httpcomponents:httpclient:jar:4.5.13:provided - version managed from 4.5.1; omitted for duplicate)
[INFO] | | | +- commons-codec:commons-codec:jar:1.15:provided
[INFO] | | | +- net.sourceforge.htmlunit:htmlunit-core-js:jar:2.17:provided
[INFO] | | | +- xerces:xercesImpl:jar:2.11.0:provided
[INFO] | | | | - xml-apis:xml-apis:jar:1.4.01:provided
[INFO] | | | +- net.sourceforge.nekohtml:nekohtml:jar:1.9.22:provided
[INFO] | | | +- net.sourceforge.cssparser:cssparser:jar:0.9.18:provided
[INFO] | | | | - (org.w3c.css:sac:jar:1.3:provided - omitted for duplicate)
[INFO] | | | +- (commons-io:commons-io:jar:2.8.0:provided - version managed from 2.4; omitted for duplicate)
[INFO] | | | +- commons-logging:commons-logging:jar:1.2:provided
[INFO] | | | - org.eclipse.jetty.websocket:websocket-client:jar:9.2.13.v20150730:provided
[INFO] | | | +- (org.eclipse.jetty:jetty-util:jar:9.2.13.v20150730:provided - omitted for conflict with 9.2.14.v20151106)
[INFO] | | | +- (org.eclipse.jetty:jetty-io:jar:9.2.13.v20150730:provided - omitted for conflict with 9.2.14.v20151106)
[INFO] | | | - org.eclipse.jetty.websocket:websocket-common:jar:9.2.13.v20150730:provided
[INFO] | | | +- org.eclipse.jetty.websocket:websocket-api:jar:9.2.13.v20150730:provided
[INFO] | | | +- (org.eclipse.jetty:jetty-util:jar:9.2.13.v20150730:provided - omitted for duplicate)
[INFO] | | | - (org.eclipse.jetty:jetty-io:jar:9.2.13.v20150730:provided - omitted for duplicate)
[INFO] | | +- org.eclipse.jetty:jetty-webapp:jar:9.2.14.v20151106:provided
[INFO] | | | +- org.eclipse.jetty:jetty-xml:jar:9.2.14.v20151106:provided

I trust the owasp plugin and would update all dependencies that are marked as vulnerable. Do you use a different tool?
Especially because Sormas is handling health data.
As a privacy officer and/or security officer of an organization intending to use Sormas I would not allow it to be used. At least there needs to be a detailed security concept explaining why using a vulnerable dependencies are not a problem.

All 4 comments

As stated already twice, these are no used dependencies in the product (as far as I did track it down), for me this ticket is _invalid_.

Hm, what are "used dependencies"?
mvn org.owasp:dependency-check-maven:6.0.3:check outputs that sormas is depending on vulnerable depenencies like htmlunit.

And mvn dependency:tree -Dverbose shows that e.g. the vulnerable jetty-xml-9.2.14.v20151106.jar is a dependency

[INFO] +- com.vaadin:vaadin-client-compiler:jar:8.12.1:provided
[INFO] | +- (com.vaadin:vaadin-client:jar:8.12.1:provided - omitted for duplicate)
[INFO] | +- com.google.gwt:gwt-dev:jar:2.8.2:provided
[INFO] | | +- com.google.code.findbugs:jsr305:jar:1.3.9:provided
[INFO] | | +- com.google.code.gson:gson:jar:2.6.2:provided
[INFO] | | +- org.ow2.asm:asm:jar:5.0.3:provided
[INFO] | | +- org.ow2.asm:asm-util:jar:5.0.3:provided
[INFO] | | | - org.ow2.asm:asm-tree:jar:5.0.3:provided
[INFO] | | | - (org.ow2.asm:asm:jar:5.0.3:provided - omitted for duplicate)
[INFO] | | +- org.ow2.asm:asm-commons:jar:5.0.3:provided
[INFO] | | | - (org.ow2.asm:asm-tree:jar:5.0.3:provided - omitted for duplicate)
[INFO] | | +- colt:colt:jar:1.2.0:provided
[INFO] | | +- ant:ant:jar:1.6.5:provided
[INFO] | | +- commons-collections:commons-collections:jar:3.2.2:provided
[INFO] | | +- commons-io:commons-io:jar:2.8.0:provided (version managed from 2.4)
[INFO] | | +- com.ibm.icu:icu4j:jar:50.1.1:provided
[INFO] | | +- tapestry:tapestry:jar:4.0.2:provided
[INFO] | | +- net.sourceforge.htmlunit:htmlunit:jar:2.19:provided
[INFO] | | | +- xalan:xalan:jar:2.7.2:provided
[INFO] | | | | - xalan:serializer:jar:2.7.2:provided
[INFO] | | | | - (xml-apis:xml-apis:jar:1.3.04:provided - omitted for conflict with 1.4.01)
[INFO] | | | +- (commons-collections:commons-collections:jar:3.2.2:provided - version managed from 3.2.1; omitted for duplicate)
[INFO] | | | +- org.apache.commons:commons-lang3:jar:3.11:provided (version managed from 3.4)
[INFO] | | | +- org.apache.httpcomponents:httpclient:jar:4.5.13:provided (version managed from 4.5.1)
[INFO] | | | | +- org.apache.httpcomponents:httpcore:jar:4.4.14:provided (version managed from 4.4.13)
[INFO] | | | | +- (commons-logging:commons-logging:jar:1.2:provided - omitted for duplicate)
[INFO] | | | | - (commons-codec:commons-codec:jar:1.15:provided - version managed from 1.10; omitted for duplicate)
[INFO] | | | +- org.apache.httpcomponents:httpmime:jar:4.5.1:provided
[INFO] | | | | - (org.apache.httpcomponents:httpclient:jar:4.5.13:provided - version managed from 4.5.1; omitted for duplicate)
[INFO] | | | +- commons-codec:commons-codec:jar:1.15:provided
[INFO] | | | +- net.sourceforge.htmlunit:htmlunit-core-js:jar:2.17:provided
[INFO] | | | +- xerces:xercesImpl:jar:2.11.0:provided
[INFO] | | | | - xml-apis:xml-apis:jar:1.4.01:provided
[INFO] | | | +- net.sourceforge.nekohtml:nekohtml:jar:1.9.22:provided
[INFO] | | | +- net.sourceforge.cssparser:cssparser:jar:0.9.18:provided
[INFO] | | | | - (org.w3c.css:sac:jar:1.3:provided - omitted for duplicate)
[INFO] | | | +- (commons-io:commons-io:jar:2.8.0:provided - version managed from 2.4; omitted for duplicate)
[INFO] | | | +- commons-logging:commons-logging:jar:1.2:provided
[INFO] | | | - org.eclipse.jetty.websocket:websocket-client:jar:9.2.13.v20150730:provided
[INFO] | | | +- (org.eclipse.jetty:jetty-util:jar:9.2.13.v20150730:provided - omitted for conflict with 9.2.14.v20151106)
[INFO] | | | +- (org.eclipse.jetty:jetty-io:jar:9.2.13.v20150730:provided - omitted for conflict with 9.2.14.v20151106)
[INFO] | | | - org.eclipse.jetty.websocket:websocket-common:jar:9.2.13.v20150730:provided
[INFO] | | | +- org.eclipse.jetty.websocket:websocket-api:jar:9.2.13.v20150730:provided
[INFO] | | | +- (org.eclipse.jetty:jetty-util:jar:9.2.13.v20150730:provided - omitted for duplicate)
[INFO] | | | - (org.eclipse.jetty:jetty-io:jar:9.2.13.v20150730:provided - omitted for duplicate)
[INFO] | | +- org.eclipse.jetty:jetty-webapp:jar:9.2.14.v20151106:provided
[INFO] | | | +- org.eclipse.jetty:jetty-xml:jar:9.2.14.v20151106:provided

I trust the owasp plugin and would update all dependencies that are marked as vulnerable. Do you use a different tool?
Especially because Sormas is handling health data.
As a privacy officer and/or security officer of an organization intending to use Sormas I would not allow it to be used. At least there needs to be a detailed security concept explaining why using a vulnerable dependencies are not a problem.

vaadin-client-compiler is not deployed on a running system and that is what I meant. But as you pointed out, some dependencies might be used at compile time. Not sure yet if there are vulnerabilities that apply for the use at compile time, but worth the look.

Independently of this specific dependency and from a security perspective, I think that the project's security should not rely on manually tracking down if packages in the dependency tree are (directly or indirectly) called/used in the code of Sormas.

In general, vulnerable code does not need to be called to cause potential harm. If an attacker manages to manipulate the control flow of a program, she could be able to call a vulnerable code piece that is "not used".

It would be great to add checks for vulnerable dependencies to the CI (#3819) to automate the process for finding them.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Candice-Louw picture Candice-Louw  路  6Comments

kwa20 picture kwa20  路  8Comments

MateStrysewske picture MateStrysewske  路  5Comments

shawnsarwar picture shawnsarwar  路  6Comments

bernardsilenou picture bernardsilenou  路  5Comments