[jira] [Updated] (OODT-1041) Dependency org.apache.httpcomponents:httpclient, leading to CVE problem

che (Jira) Thu, 10 Feb 2022 02:58:04 -0800


     [ 
https://issues.apache.org/jira/browse/OODT-1041?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


che updated OODT-1041:
----------------------
    Description: 
Hi, In {*}{{*}}oodt-master/curator/sso{*}{{*}}，there is a dependency 
*{*}org.apache.httpcomponents:httpclient:4.4{*}* that calls the risk method.

[CVE-2020-13956]([https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956])

The scope of this CVE affected version is {*}{{*}}[,4.5.13){{*}}{*}

After further analysis, in this project, the main Api called is 
{*}{{*}}<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost 
extractHost(java.net.URI)>{{*}}{*}

Risk method repair link : 
[GitHub]([https://github.com/apache/httpcomponents-client/commit/894234a5aeb9958e7e466c383e4d0ded17a9a813#diff-a169c0c63c537750e3394f7e1407252053ffbc489181450a6c361cd7f8f67a22])

{*}{{*}}CVE Bug Invocation Path--{{*}}{*}

{*}{{*}}Path Length : 6{{*}}{*}

```
<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost 
extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost 
determineTarget(org.apache.http.client.methods.HttpUriRequest)> 
(org.apache.http.impl.client.CloseableHttpClient.java:[92]) in 
/.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.http.impl.client.CloseableHttpClient: 
org.apache.http.client.methods.CloseableHttpResponse 
execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)>
 (org.apache.http.impl.client.CloseableHttpClient.java:[82]) in 
/.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.http.impl.client.CloseableHttpClient: 
org.apache.http.client.methods.CloseableHttpResponse 
execute(org.apache.http.client.methods.HttpUriRequest)> 
(org.apache.http.impl.client.CloseableHttpClient.java:[107]) in 
/.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.http.impl.client.CloseableHttpClient: 
org.apache.http.HttpResponse 
execute(org.apache.http.client.methods.HttpUriRequest)> 
(org.apache.http.impl.client.CloseableHttpClient.java:[55]) in 
/.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.oodt.security.sso.opensso.SSOProxy: 
org.apache.oodt.security.sso.opensso.IdentityDetails 
readIdentity(java.lang.String,java.lang.String)> 
(org.apache.oodt.security.sso.opensso.SSOProxy.java:[150]) in 
/detect/unzip/oodt-master/curator/sso/target/classes
```

{*}{{*}}Dependency tree--{{*}}{*}

```
[INFO] org.apache.oodt:curator-sso:jar:1.10-SNAPSHOT
[INFO] +- commons-codec:commons-codec:jar:1.3:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.4:compile
[INFO] | - org.apache.httpcomponents:httpcore:jar:4.4:compile
[INFO] +- javax.servlet:servlet-api:jar:2.4:compile
[INFO] - org.apache.oodt:cas-metadata:jar:1.10-SNAPSHOT:compile
[INFO] +- com.google.guava:guava:jar:19.0:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] +- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.apache.oodt:oodt-commons:jar:1.10-SNAPSHOT:compile
[INFO] | +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] | +- commons-dbcp:commons-dbcp:jar:1.4:compile
[INFO] | +- commons-pool:commons-pool:jar:1.6:compile
[INFO] | +- junit:junit:jar:4.12:compile
[INFO] | | - org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] | +- xerces:xercesImpl:jar:2.9.1:compile
[INFO] | | - xml-apis:xml-apis:jar:1.3.04:compile
[INFO] | +- xmlrpc:xmlrpc:jar:2.0.1:compile
[INFO] | +- joda-time:joda-time:jar:2.9.4:compile
[INFO] | +- org.apache.avro:avro:jar:1.8.2:compile
[INFO] | | +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] | | +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] | | +- com.thoughtworks.paranamer:paranamer:jar:2.7:compile
[INFO] | | +- org.xerial.snappy:snappy-java:jar:1.1.1.3:compile
[INFO] | | +- org.apache.commons:commons-compress:jar:1.12:compile
[INFO] | | +- org.tukaani:xz:jar:1.5:compile
[INFO] | | - org.slf4j:slf4j-api:jar:1.7.12:compile
[INFO] | - org.apache.avro:avro-ipc:jar:1.8.2:compile
[INFO] | +- org.mortbay.jetty:jetty:jar:6.1.25:compile
[INFO] | +- org.mortbay.jetty:jetty-util:jar:6.1.25:compile
[INFO] | +- io.netty:netty:jar:3.5.13.Final:compile
[INFO] | +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] | - org.mortbay.jetty:servlet-api:jar:2.5-20081211:compile
[INFO] +- org.apache.oodt:pcs-input:jar:1.10-SNAPSHOT:compile
[INFO] +- org.apache.tika:tika-core:jar:1.13:compile
[INFO] +- org.springframework:spring-core:jar:2.5.4:compile
[INFO] - org.springframework:spring-hibernate3:jar:2.0.8:compile
[INFO] +- aopalliance:aopalliance:jar:1.0:compile
[INFO] +- org.hibernate:hibernate:jar:3.2.5.ga:compile
[INFO] | +- net.sf.ehcache:ehcache:jar:1.2.3:compile
[INFO] | +- asm:asm-attrs:jar:1.5.3:compile
[INFO] | +- dom4j:dom4j:jar:1.6.1:compile
[INFO] | +- antlr:antlr:jar:2.7.6:compile
[INFO] | +- cglib:cglib:jar:2.1_3:compile
[INFO] | - asm:asm:jar:1.5.3:compile
[INFO] +- org.springframework:spring-beans:jar:2.5.4:compile
[INFO] +- org.springframework:spring-context:jar:2.5.4:compile
[INFO] +- org.springframework:spring-dao:jar:2.0.8:compile
[INFO] - org.springframework:spring-jdbc:jar:2.0.8:compile
```

{*}{{*}}{_}Suggested solutions:{_}{{*}}{*}

Update dependency version

 

Thank you very much.

  was:
Hi, In *{*}oodt-master/curator/sso{*}{*}，there is a dependency 
**org.apache.httpcomponents:httpclient:4.4{*}* that calls the risk method.

[CVE-2020-13956]([https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956])

The scope of this CVE affected version is *{*}[4.7,4.13.1)){*}*

After further analysis, in this project, the main Api called is 
*{*}<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost 
extractHost(java.net.URI)>{*}*

Risk method repair link : 
[GitHub]([https://github.com/apache/httpcomponents-client/commit/894234a5aeb9958e7e466c383e4d0ded17a9a813#diff-a169c0c63c537750e3394f7e1407252053ffbc489181450a6c361cd7f8f67a22])

*{*}CVE Bug Invocation Path--{*}*

*{*}Path Length : 6{*}*

```
<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost 
extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost 
determineTarget(org.apache.http.client.methods.HttpUriRequest)> 
(org.apache.http.impl.client.CloseableHttpClient.java:[92]) in 
/.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.http.impl.client.CloseableHttpClient: 
org.apache.http.client.methods.CloseableHttpResponse 
execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)>
 (org.apache.http.impl.client.CloseableHttpClient.java:[82]) in 
/.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.http.impl.client.CloseableHttpClient: 
org.apache.http.client.methods.CloseableHttpResponse 
execute(org.apache.http.client.methods.HttpUriRequest)> 
(org.apache.http.impl.client.CloseableHttpClient.java:[107]) in 
/.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.http.impl.client.CloseableHttpClient: 
org.apache.http.HttpResponse 
execute(org.apache.http.client.methods.HttpUriRequest)> 
(org.apache.http.impl.client.CloseableHttpClient.java:[55]) in 
/.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.oodt.security.sso.opensso.SSOProxy: 
org.apache.oodt.security.sso.opensso.IdentityDetails 
readIdentity(java.lang.String,java.lang.String)> 
(org.apache.oodt.security.sso.opensso.SSOProxy.java:[150]) in 
/detect/unzip/oodt-master/curator/sso/target/classes
```

*{*}Dependency tree--{*}*

```
[INFO] org.apache.oodt:curator-sso:jar:1.10-SNAPSHOT
[INFO] +- commons-codec:commons-codec:jar:1.3:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.4:compile
[INFO] | - org.apache.httpcomponents:httpcore:jar:4.4:compile
[INFO] +- javax.servlet:servlet-api:jar:2.4:compile
[INFO] - org.apache.oodt:cas-metadata:jar:1.10-SNAPSHOT:compile
[INFO] +- com.google.guava:guava:jar:19.0:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] +- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.apache.oodt:oodt-commons:jar:1.10-SNAPSHOT:compile
[INFO] | +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] | +- commons-dbcp:commons-dbcp:jar:1.4:compile
[INFO] | +- commons-pool:commons-pool:jar:1.6:compile
[INFO] | +- junit:junit:jar:4.12:compile
[INFO] | | - org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] | +- xerces:xercesImpl:jar:2.9.1:compile
[INFO] | | - xml-apis:xml-apis:jar:1.3.04:compile
[INFO] | +- xmlrpc:xmlrpc:jar:2.0.1:compile
[INFO] | +- joda-time:joda-time:jar:2.9.4:compile
[INFO] | +- org.apache.avro:avro:jar:1.8.2:compile
[INFO] | | +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] | | +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] | | +- com.thoughtworks.paranamer:paranamer:jar:2.7:compile
[INFO] | | +- org.xerial.snappy:snappy-java:jar:1.1.1.3:compile
[INFO] | | +- org.apache.commons:commons-compress:jar:1.12:compile
[INFO] | | +- org.tukaani:xz:jar:1.5:compile
[INFO] | | - org.slf4j:slf4j-api:jar:1.7.12:compile
[INFO] | - org.apache.avro:avro-ipc:jar:1.8.2:compile
[INFO] | +- org.mortbay.jetty:jetty:jar:6.1.25:compile
[INFO] | +- org.mortbay.jetty:jetty-util:jar:6.1.25:compile
[INFO] | +- io.netty:netty:jar:3.5.13.Final:compile
[INFO] | +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] | - org.mortbay.jetty:servlet-api:jar:2.5-20081211:compile
[INFO] +- org.apache.oodt:pcs-input:jar:1.10-SNAPSHOT:compile
[INFO] +- org.apache.tika:tika-core:jar:1.13:compile
[INFO] +- org.springframework:spring-core:jar:2.5.4:compile
[INFO] - org.springframework:spring-hibernate3:jar:2.0.8:compile
[INFO] +- aopalliance:aopalliance:jar:1.0:compile
[INFO] +- org.hibernate:hibernate:jar:3.2.5.ga:compile
[INFO] | +- net.sf.ehcache:ehcache:jar:1.2.3:compile
[INFO] | +- asm:asm-attrs:jar:1.5.3:compile
[INFO] | +- dom4j:dom4j:jar:1.6.1:compile
[INFO] | +- antlr:antlr:jar:2.7.6:compile
[INFO] | +- cglib:cglib:jar:2.1_3:compile
[INFO] | - asm:asm:jar:1.5.3:compile
[INFO] +- org.springframework:spring-beans:jar:2.5.4:compile
[INFO] +- org.springframework:spring-context:jar:2.5.4:compile
[INFO] +- org.springframework:spring-dao:jar:2.0.8:compile
[INFO] - org.springframework:spring-jdbc:jar:2.0.8:compile
```

*{*}_Suggested solutions:_{*}*

Update dependency version

 

Thank you very much.


> Dependency org.apache.httpcomponents:httpclient, leading to CVE problem
> -----------------------------------------------------------------------
>
>                 Key: OODT-1041
>                 URL: https://issues.apache.org/jira/browse/OODT-1041
>             Project: OODT
>          Issue Type: Bug
>            Reporter: che
>            Priority: Major
>
> Hi, In {*}{{*}}oodt-master/curator/sso{*}{{*}}，there is a dependency 
> *{*}org.apache.httpcomponents:httpclient:4.4{*}* that calls the risk method.
> [CVE-2020-13956]([https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956])
> The scope of this CVE affected version is {*}{{*}}[,4.5.13){{*}}{*}
> After further analysis, in this project, the main Api called is 
> {*}{{*}}<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost 
> extractHost(java.net.URI)>{{*}}{*}
> Risk method repair link : 
> [GitHub]([https://github.com/apache/httpcomponents-client/commit/894234a5aeb9958e7e466c383e4d0ded17a9a813#diff-a169c0c63c537750e3394f7e1407252053ffbc489181450a6c361cd7f8f67a22])
> {*}{{*}}CVE Bug Invocation Path--{{*}}{*}
> {*}{{*}}Path Length : 6{{*}}{*}
> ```
> <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost 
> extractHost(java.net.URI)>
> at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost 
> determineTarget(org.apache.http.client.methods.HttpUriRequest)> 
> (org.apache.http.impl.client.CloseableHttpClient.java:[92]) in 
> /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
> at <org.apache.http.impl.client.CloseableHttpClient: 
> org.apache.http.client.methods.CloseableHttpResponse 
> execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)>
>  (org.apache.http.impl.client.CloseableHttpClient.java:[82]) in 
> /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
> at <org.apache.http.impl.client.CloseableHttpClient: 
> org.apache.http.client.methods.CloseableHttpResponse 
> execute(org.apache.http.client.methods.HttpUriRequest)> 
> (org.apache.http.impl.client.CloseableHttpClient.java:[107]) in 
> /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
> at <org.apache.http.impl.client.CloseableHttpClient: 
> org.apache.http.HttpResponse 
> execute(org.apache.http.client.methods.HttpUriRequest)> 
> (org.apache.http.impl.client.CloseableHttpClient.java:[55]) in 
> /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
> at <org.apache.oodt.security.sso.opensso.SSOProxy: 
> org.apache.oodt.security.sso.opensso.IdentityDetails 
> readIdentity(java.lang.String,java.lang.String)> 
> (org.apache.oodt.security.sso.opensso.SSOProxy.java:[150]) in 
> /detect/unzip/oodt-master/curator/sso/target/classes
> ```
> {*}{{*}}Dependency tree--{{*}}{*}
> ```
> [INFO] org.apache.oodt:curator-sso:jar:1.10-SNAPSHOT
> [INFO] +- commons-codec:commons-codec:jar:1.3:compile
> [INFO] +- org.apache.httpcomponents:httpclient:jar:4.4:compile
> [INFO] | - org.apache.httpcomponents:httpcore:jar:4.4:compile
> [INFO] +- javax.servlet:servlet-api:jar:2.4:compile
> [INFO] - org.apache.oodt:cas-metadata:jar:1.10-SNAPSHOT:compile
> [INFO] +- com.google.guava:guava:jar:19.0:compile
> [INFO] +- commons-io:commons-io:jar:2.5:compile
> [INFO] +- commons-lang:commons-lang:jar:2.6:compile
> [INFO] +- commons-logging:commons-logging:jar:1.2:compile
> [INFO] +- org.apache.oodt:oodt-commons:jar:1.10-SNAPSHOT:compile
> [INFO] | +- commons-collections:commons-collections:jar:3.2.2:compile
> [INFO] | +- commons-dbcp:commons-dbcp:jar:1.4:compile
> [INFO] | +- commons-pool:commons-pool:jar:1.6:compile
> [INFO] | +- junit:junit:jar:4.12:compile
> [INFO] | | - org.hamcrest:hamcrest-core:jar:1.3:compile
> [INFO] | +- xerces:xercesImpl:jar:2.9.1:compile
> [INFO] | | - xml-apis:xml-apis:jar:1.3.04:compile
> [INFO] | +- xmlrpc:xmlrpc:jar:2.0.1:compile
> [INFO] | +- joda-time:joda-time:jar:2.9.4:compile
> [INFO] | +- org.apache.avro:avro:jar:1.8.2:compile
> [INFO] | | +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
> [INFO] | | +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
> [INFO] | | +- com.thoughtworks.paranamer:paranamer:jar:2.7:compile
> [INFO] | | +- org.xerial.snappy:snappy-java:jar:1.1.1.3:compile
> [INFO] | | +- org.apache.commons:commons-compress:jar:1.12:compile
> [INFO] | | +- org.tukaani:xz:jar:1.5:compile
> [INFO] | | - org.slf4j:slf4j-api:jar:1.7.12:compile
> [INFO] | - org.apache.avro:avro-ipc:jar:1.8.2:compile
> [INFO] | +- org.mortbay.jetty:jetty:jar:6.1.25:compile
> [INFO] | +- org.mortbay.jetty:jetty-util:jar:6.1.25:compile
> [INFO] | +- io.netty:netty:jar:3.5.13.Final:compile
> [INFO] | +- org.apache.velocity:velocity:jar:1.7:compile
> [INFO] | - org.mortbay.jetty:servlet-api:jar:2.5-20081211:compile
> [INFO] +- org.apache.oodt:pcs-input:jar:1.10-SNAPSHOT:compile
> [INFO] +- org.apache.tika:tika-core:jar:1.13:compile
> [INFO] +- org.springframework:spring-core:jar:2.5.4:compile
> [INFO] - org.springframework:spring-hibernate3:jar:2.0.8:compile
> [INFO] +- aopalliance:aopalliance:jar:1.0:compile
> [INFO] +- org.hibernate:hibernate:jar:3.2.5.ga:compile
> [INFO] | +- net.sf.ehcache:ehcache:jar:1.2.3:compile
> [INFO] | +- asm:asm-attrs:jar:1.5.3:compile
> [INFO] | +- dom4j:dom4j:jar:1.6.1:compile
> [INFO] | +- antlr:antlr:jar:2.7.6:compile
> [INFO] | +- cglib:cglib:jar:2.1_3:compile
> [INFO] | - asm:asm:jar:1.5.3:compile
> [INFO] +- org.springframework:spring-beans:jar:2.5.4:compile
> [INFO] +- org.springframework:spring-context:jar:2.5.4:compile
> [INFO] +- org.springframework:spring-dao:jar:2.0.8:compile
> [INFO] - org.springframework:spring-jdbc:jar:2.0.8:compile
> ```
> {*}{{*}}{_}Suggested solutions:{_}{{*}}{*}
> Update dependency version
>  
> Thank you very much.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Updated] (OODT-1041) Dependency org.apache.httpcomponents:httpclient, leading to CVE problem

Reply via email to