Pretty sure this is not just gt-solr; I've seen a version bump to 22.x
PR flagged as bringing in those vulnerabilities and we don't have an
explicit gt-solr dependency in our project.
Looking further, this seems to be caused by the jgridshift dependency in
various places, e.g. org.geotools.xsd:gt-xsd-gml3 is affected as well:
[INFO] +- org.geotools.xsd:gt-xsd-gml3:jar:22.0:compile
[INFO] |  +- org.geotools:gt-referencing:jar:22.0:compile
[INFO] |  |  +- org.ejml:ejml-ddense:jar:0.34:compile
[INFO] |  |  |  \- org.ejml:ejml-core:jar:0.34:compile
[INFO] |  |  +- org.geotools:gt-metadata:jar:22.0:compile
[INFO] |  |  |  \- org.geotools:gt-opengis:jar:22.0:compile
[INFO] |  |  |     \- systems.uom:systems-common-java8:jar:0.7.2:compile
[INFO] |  |  |        +- tec.uom:uom-se:jar:1.0.8:compile
[INFO] |  |  |        |  +- javax.measure:unit-api:jar:1.0:compile
[INFO] |  |  |        |  \- tec.uom.lib:uom-lib-common:jar:1.0.2:compile
[INFO] |  |  |        +- si.uom:si-quantity:jar:0.7.1:compile
[INFO] |  |  |        \- si.uom:si-units-java8:jar:0.7.1:compile
[INFO] |  |  +- jgridshift:jgridshift:jar:1.1:compile
[INFO] |  |  |  +- javax:javaee-api:jar:7.0:compile
[INFO] |  |  |  |  \- com.sun.mail:javax.mail:jar:1.5.0:compile
[INFO] |  |  |  |     \- javax.activation:activation:jar:1.1:compile
[INFO] |  |  |  \- org.apache.axis:axis:jar:1.4:compile
[INFO] |  |  \- net.sf.geographiclib:GeographicLib-Java:jar:1.49:compile
and gt-main:
[INFO] +- org.geotools:gt-main:jar:22.0:compile
[INFO] |  +- org.geotools:gt-referencing:jar:22.0:compile
[INFO] |  |  +- org.ejml:ejml-ddense:jar:0.34:compile
[INFO] |  |  |  \- org.ejml:ejml-core:jar:0.34:compile
[INFO] |  |  +- org.geotools:gt-metadata:jar:22.0:compile
[INFO] |  |  |  \- org.geotools:gt-opengis:jar:22.0:compile
[INFO] |  |  |     \- systems.uom:systems-common-java8:jar:0.7.2:compile
[INFO] |  |  |        +- tec.uom:uom-se:jar:1.0.8:compile
[INFO] |  |  |        |  +- javax.measure:unit-api:jar:1.0:compile
[INFO] |  |  |        |  \- tec.uom.lib:uom-lib-common:jar:1.0.2:compile
[INFO] |  |  |        +- si.uom:si-quantity:jar:0.7.1:compile
[INFO] |  |  |        \- si.uom:si-units-java8:jar:0.7.1:compile
[INFO] |  |  +- jgridshift:jgridshift:jar:1.1:compile
[INFO] |  |  |  +- javax:javaee-api:jar:7.0:compile
[INFO] |  |  |  |  \- com.sun.mail:javax.mail:jar:1.5.0:compile
[INFO] |  |  |  |     \- javax.activation:activation:jar:1.1:compile
[INFO] |  |  |  \- org.apache.axis:axis:jar:1.4:compile
From a quick search this seems to have been caused by bumping the
jgridshift version to 1.1 in d4878ae1a5e66e49bf4c0eb92c6129bd43bc550e
([GEOT-6354] GeoTools cannot open the GDA94 -> GDA2020 grid shift files).
jgridshift 1.0 didn't have the j2ee or axis dependencies, so anything up
to and including 21.3 is OK w.r.t. these vulns.
Since the bump seems to fix a very specific issue, you may be able to
downgrade to 1.0 and live with that issue, or add exclusions for the axis
and j2ee dependencies and possibly have malfunctioning referencing; I
have yet to try either.
Mark
On 9/24/19 7:10 PM, Aaron Hoffer wrote:
We would like to upgrade our gt-solr dependency to 22.0. However, it
contains the Apache Axis library. That library has some known
vulnerabilities:
axis-1.4.jar (pkg:maven/org.apache.axis/axis@1.4,
cpe:2.3:a:apache:axis:1.4:*:*:*:*:*:*:*) : CVE-2012-5784,
CVE-2014-3596, CVE-2018-8032, CVE-2019-0227
In general, we are not allowed to use a dependency with a CVSS score
of 5.0 or greater. I'm not sure what to do.
Here is the dependency tree:
+--- *org.geotools:gt-solr:22.0*
| +--- org.geotools:gt-main:22.0
| | +--- org.geotools:gt-referencing:22.0
... cut ...
| | | +--- jgridshift:jgridshift:1.1
| | | | +--- javax:javaee-api:7.0
| | | | | \--- com.sun.mail:javax.mail:1.5.0
| | | | | \--- javax.activation:activation:1.1
| | | | \--- *org.apache.axis:axis:1.4*
_______________________________________________
GeoTools-GT2-Users mailing list
GeoTools-GT2-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users
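As an added example (not code from either poster, nor from GeoTools), the script below parses plain `mvn dependency:tree` output, finds every path by which a flagged artifact such as org.apache.axis:axis or javax:javaee-api enters the build, and prints the Maven <exclusion> fragments for each direct dependency that carries it, which is the second option Mark describes. The embedded sample tree is constructed from the gt-main and gt-xsd-gml3 subtrees shown in the thread, placed under a hypothetical com.example:example-app project with unrelated branches trimmed; the flagged coordinates are the ones named in the thread.

```python
"""Find how a flagged artifact enters a Maven build and emit the <exclusion>
fragments that cut it out.  Added example, not GeoTools or the posters' code.

Input is the plain output of `mvn -B dependency:tree` (no ANSI colour codes):
"[INFO] ", a prefix of 3-character segments ("|  ", "   ", "+- ", "\\- "),
then groupId:artifactId:type[:classifier]:version[:scope].
"""
import re
import sys
from collections import defaultdict

# Constructed sample (hypothetical com.example project) modelled on the gt-main
# and gt-xsd-gml3 subtrees posted in the thread; unrelated branches trimmed.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ example-app ---
[INFO] com.example:example-app:jar:1.0-SNAPSHOT
[INFO] +- org.geotools:gt-main:jar:22.0:compile
[INFO] |  +- org.geotools:gt-referencing:jar:22.0:compile
[INFO] |  |  +- org.ejml:ejml-ddense:jar:0.34:compile
[INFO] |  |  |  \\- org.ejml:ejml-core:jar:0.34:compile
[INFO] |  |  +- jgridshift:jgridshift:jar:1.1:compile
[INFO] |  |  |  +- javax:javaee-api:jar:7.0:compile
[INFO] |  |  |  |  \\- com.sun.mail:javax.mail:jar:1.5.0:compile
[INFO] |  |  |  |     \\- javax.activation:activation:jar:1.1:compile
[INFO] |  |  |  \\- org.apache.axis:axis:jar:1.4:compile
[INFO] |  |  \\- net.sf.geographiclib:GeographicLib-Java:jar:1.49:compile
[INFO] |  \\- org.geotools:gt-metadata:jar:22.0:compile
[INFO] \\- org.geotools.xsd:gt-xsd-gml3:jar:22.0:compile
[INFO]    \\- org.geotools:gt-referencing:jar:22.0:compile
[INFO]       \\- jgridshift:jgridshift:jar:1.1:compile
[INFO]          \\- org.apache.axis:axis:jar:1.4:compile
"""

# groupId:artifactId pairs the thread identifies as the problem: axis carries
# the listed CVEs, javaee-api is the other dependency jgridshift 1.1 added.
FLAGGED = {"org.apache.axis:axis", "javax:javaee-api"}

LINE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:\|  |   |\+- |\\- )*)(?P<coord>[^\s:]+:\S+)$"
)


def parse_coord(coord):
    """'g:a:type[:classifier]:version[:scope]' -> (groupId, artifactId, version)."""
    parts = coord.split(":")
    version = parts[3] if len(parts) == 4 else parts[-2]  # root line has no scope
    return parts[0], parts[1], version


def find_chains(tree_text, flagged=FLAGGED):
    """Return {flagged 'g:a': [chain, ...]}; each chain lists 'g:a:v' from the root down."""
    stack = []  # coordinates of the ancestors of the current line, root first
    chains = defaultdict(list)
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banner, build summary, other non-tree lines
        depth = len(m.group("prefix")) // 3  # each prefix segment is 3 chars
        g, a, v = parse_coord(m.group("coord"))
        stack = stack[:depth] + [f"{g}:{a}:{v}"]
        if f"{g}:{a}" in flagged:
            chains[f"{g}:{a}"].append(list(stack))
    return dict(chains)


def exclusions_needed(chains):
    """Map each direct dependency (index 1 of a chain) to the flagged g:a under it.

    A Maven <exclusion> on a direct dependency removes the artifact from that
    dependency's whole subtree, so one entry per (direct, flagged) pair is
    enough, but every direct dependency that carries it needs its own."""
    needed = defaultdict(set)
    for ga, paths in chains.items():
        for path in paths:
            if len(path) > 1:  # length 1 would mean the project itself is flagged
                needed[path[1]].add(ga)
    return {direct: sorted(found) for direct, found in needed.items()}


def render_pom_fragment(needed):
    """Render pom.xml <dependency> blocks carrying the required <exclusions>."""
    lines = []
    for direct, flagged in sorted(needed.items()):
        g, a, v = direct.split(":")
        lines += ["<dependency>", f"  <groupId>{g}</groupId>",
                  f"  <artifactId>{a}</artifactId>", f"  <version>{v}</version>",
                  "  <exclusions>"]
        for ga in flagged:
            fg, fa = ga.split(":")
            lines += ["    <exclusion>", f"      <groupId>{fg}</groupId>",
                      f"      <artifactId>{fa}</artifactId>", "    </exclusion>"]
        lines += ["  </exclusions>", "</dependency>"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python find_exclusions.py [tree.txt]; without a file the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    found = find_chains(text)
    for ga, paths in found.items():
        for path in paths:
            print(f"{ga} via: " + " -> ".join(path))
    print(render_pom_fragment(exclusions_needed(found)))
```

Run `mvn -B dependency:tree > tree.txt` in the affected module so the output comes without the colour escapes seen in the pasted tree, then point the script at the file. For the sample it reports two routes for axis (through gt-main and through gt-xsd-gml3) and one for javaee-api, and emits three exclusions across the two direct dependencies. An exclusion only removes the jar from the classpath; it does not change what gt-referencing expects at runtime, so after adding them run whatever referencing or grid-shift code paths the project relies on, which is exactly the "possibly malfunctioning referencing" Mark warns about.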