[jira] [Created] (GEODE-10450) Update spring version for CVE-2023-20861

2023-12-18 Thread Ankush Mittal (Jira)
Ankush Mittal created GEODE-10450:
-

 Summary: Update spring version for CVE-2023-20861
 Key: GEODE-10450
 URL: https://issues.apache.org/jira/browse/GEODE-10450
 Project: Geode
  Issue Type: Bug
Affects Versions: 1.15.1
Reporter: Ankush Mittal


As per [https://nvd.nist.gov/vuln/detail/CVE-2023-20861],

_"In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 
5.2.22.RELEASE, and older unsupported versions, it is possible for a user to 
provide a specially crafted SpEL expression that may cause a denial-of-service 
(DoS) condition."_


Geode bundles version 5.3.20 which is vulnerable as per the CVE.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Created] (GEODE-10449) Update shiro-core to version 1.12.0 for CVE-2023-34478

2023-12-01 Thread Ankush Mittal (Jira)
Ankush Mittal created GEODE-10449:
-

 Summary: Update shiro-core to version 1.12.0 for CVE-2023-34478
 Key: GEODE-10449
 URL: https://issues.apache.org/jira/browse/GEODE-10449
 Project: Geode
  Issue Type: Bug
Affects Versions: 1.15.1
Reporter: Ankush Mittal


As per [https://nvd.nist.gov/vuln/detail/CVE-2023-34478],

_"Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path 
traversal attack that results in an authentication bypass when used together 
with APIs or other web frameworks that route requests based on non-normalized 
requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+"_

Geode 1.15.1 bundles version 1.9.1 of shiro-core jar which is vulnerable as per 
the CVE.


There is another CVE related to shiro-core 1.9.1, 
[https://nvd.nist.gov/vuln/detail/CVE-2023-22602], which states:

"When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a 
specially crafted HTTP request may cause an authentication bypass. The 
authentication bypass occurs when Shiro and Spring Boot are using different 
pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant 
style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the 
following Spring Boot configuration value: 
`spring.mvc.pathmatch.matching-strategy = ant_path_matcher`"


The fix for the mentioned vulnerabilities seems to have been merged into the 
"develop" branch via commit 
[https://github.com/apache/geode/commit/d1958146c12affb1fe3eabc5823bb4eeb6c0badc].


Logging this Jira to apply the same update to the 1.15.1 branch as well.





[jira] [Updated] (GEODE-10443) Update shiro-core to version 1.11.0 for CVE-2022-40664

2023-03-01 Thread Ankush Mittal (Jira)


 [ 
https://issues.apache.org/jira/browse/GEODE-10443?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ankush Mittal updated GEODE-10443:
--
Description: 
As per [https://nvd.nist.gov/vuln/detail/CVE-2022-40664],

_"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when 
forwarding or including via RequestDispatcher."_

Geode 1.15.1 bundles version 1.9.1 of shiro-core jar which is vulnerable as per 
the CVE.

Also, although the CVE doesn't include "1.10.0", since the more recent version 
"1.11.0" is available, this ticket is logged to bundle that version.

  was:
As per [https://nvd.nist.gov/vuln/detail/CVE-2022-40664],

_"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when 
forwarding or including via RequestDispatcher."_


Geode 1.15.1 bundles version 1.9.1 of shiro-core jar which is vulnerable as per 
the CVE.


Also, although the CVE doesn't include "1.10.0", since the more recent version 
"1.11.0" is available, this ticket is logged to bundle that version.


> Update shiro-core to version 1.11.0 for CVE-2022-40664
> --
>
> Key: GEODE-10443
> URL: https://issues.apache.org/jira/browse/GEODE-10443
> Project: Geode
>  Issue Type: Bug
>Affects Versions: 1.15.1
>Reporter: Ankush Mittal
>Priority: Major
>  Labels: needsTriage
>
> As per [https://nvd.nist.gov/vuln/detail/CVE-2022-40664],
> _"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro 
> when forwarding or including via RequestDispatcher."_
> Geode 1.15.1 bundles version 1.9.1 of shiro-core jar which is vulnerable as 
> per the CVE.
> Also, although the CVE doesn't include "1.10.0", since the more recent version 
> "1.11.0" is available, this ticket is logged to bundle that version.





[jira] [Created] (GEODE-10443) Update shiro-core to version 1.11.0 for CVE-2022-40664

2023-03-01 Thread Ankush Mittal (Jira)
Ankush Mittal created GEODE-10443:
-

 Summary: Update shiro-core to version 1.11.0 for CVE-2022-40664
 Key: GEODE-10443
 URL: https://issues.apache.org/jira/browse/GEODE-10443
 Project: Geode
  Issue Type: Bug
Affects Versions: 1.15.1
Reporter: Ankush Mittal


As per [https://nvd.nist.gov/vuln/detail/CVE-2022-40664],

_"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when 
forwarding or including via RequestDispatcher."_


Geode 1.15.1 bundles version 1.9.1 of shiro-core jar which is vulnerable as per 
the CVE.


Also, although the CVE doesn't include "1.10.0", since the more recent version 
"1.11.0" is available, this ticket is logged to bundle that version.





[jira] [Commented] (GEODE-10415) CVEs detected in latest geode

2022-11-21 Thread Ankush Mittal (Jira)


[ 
https://issues.apache.org/jira/browse/GEODE-10415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17637007#comment-17637007
 ] 

Ankush Mittal commented on GEODE-10415:
---

Some of the vulnerabilities impact older versions of Geode as well.

For example, the vulnerability related to shiro-core in the 1.13.x branch [0].

Are these vulnerability fixes going to be part of the older impacted branches as 
well?

[0] https://issues.apache.org/jira/browse/GEODE-10406 

> CVEs detected in latest geode
> -
>
> Key: GEODE-10415
> URL: https://issues.apache.org/jira/browse/GEODE-10415
> Project: Geode
>  Issue Type: Bug
>  Components: build
>Affects Versions: 1.15.0
>Reporter: Shruti
>Assignee: Mario Kevo
>Priority: Blocker
>  Labels: pull-request-available
> Fix For: 1.15.1, 1.16.0
>
>
> We are detecting the following CVEs with geode
>  High or critical vulnerabilities: 21
> The spring-core is likely Not Affected. But we would like to know about the 
> rest of these listed CVEs. Any info is appreciated
> {{NAME                 INSTALLED         FIXED-IN  TYPE          VULNERABILITY        SEVERITY}}
> {{jetty-security       9.4.46.v20220331            java-archive  CVE-2022-2048        High}}
> {{jetty-server         9.4.46.v20220331            java-archive  CVE-2022-2048        High}}
> {{jetty-servlet        9.4.46.v20220331            java-archive  CVE-2022-2048        High}}
> {{jetty-util           9.4.46.v20220331            java-archive  CVE-2022-2048        High}}
> {{jetty-util-ajax      9.4.46.v20220331            java-archive  CVE-2022-2048        High}}
> {{jetty-webapp         9.4.46.v20220331            java-archive  CVE-2022-2048        High}}
> {{jetty-xml            9.4.46.v20220331            java-archive  CVE-2022-2048        High}}
> {{jgroups              3.6.14.Final      4.0.0     java-archive  GHSA-rc7h-x6cq-988q  Critical}}
> {{shiro-cache          1.9.0                       java-archive  CVE-2022-32532       Critical}}
> {{shiro-config-core    1.9.0                       java-archive  CVE-2022-32532       Critical}}
> {{shiro-config-ogdl    1.9.0                       java-archive  CVE-2022-32532       Critical}}
> {{shiro-core           1.9.0             1.9.1     java-archive  GHSA-4cf5-xmhp-3xj7  Critical}}
> {{shiro-core           1.9.0                       java-archive  CVE-2022-32532       Critical}}
> {{shiro-crypto-cipher  1.9.0                       java-archive  CVE-2022-32532       Critical}}
> {{shiro-crypto-core    1.9.0                       java-archive  CVE-2022-32532       Critical}}
> {{shiro-crypto-hash    1.9.0                       java-archive  CVE-2022-32532       Critical}}
> {{shiro-event          1.9.0                       java-archive  CVE-2022-32532       Critical}}
> {{shiro-lang           1.9.0                       java-archive  CVE-2022-32532       Critical}}
> {{spring-core          5.3.20                      java-archive  CVE-2016-127         Critical}}
> {{jetty-http           9.4.46.v20220331            java-archive  CVE-2022-2048        High}}
> {{jetty-io             9.4.46.v20220331            java-archive  CVE-2022-2048        High}}





[jira] [Created] (GEODE-10406) Update shiro-core to version 1.9.1 for CVE-2022-32532

2022-08-05 Thread Ankush Mittal (Jira)
Ankush Mittal created GEODE-10406:
-

 Summary: Update shiro-core to version 1.9.1 for CVE-2022-32532 
 Key: GEODE-10406
 URL: https://issues.apache.org/jira/browse/GEODE-10406
 Project: Geode
  Issue Type: Bug
Affects Versions: 1.13.7
Reporter: Ankush Mittal


As per [https://nvd.nist.gov/vuln/detail/CVE-2022-32532],

"Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be 
bypassed on some servlet containers. Applications using RegExPatternMatcher 
with `.` in the regular expression are possibly vulnerable to an authorization 
bypass."

Geode bundles version 1.8.0 of shiro-core jar which is vulnerable as per the 
CVE.



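The check these tickets keep repeating by hand, written out as an added example that is not part of the Jira thread or of the Geode project: compare the artifact versions a release bundles against the fix versions and affected ranges quoted from NVD in the issues above. The `FIXED_IN` table, the Spring ranges and the sample bundles are constructed from the text above; dropping Maven qualifiers such as `.RELEASE` and `.Final` when comparing is an assumption.

```python
from typing import Dict, List, Tuple

# Fix versions quoted from the NVD entries in the issues above (constructed table):
# an artifact below the named version is still affected by that CVE.
FIXED_IN = {
    "CVE-2022-32532": ("shiro-core", "1.9.1"),
    "CVE-2022-40664": ("shiro-core", "1.10.0"),
    "CVE-2023-22602": ("shiro-core", "1.11.0"),
    "CVE-2023-34478": ("shiro-core", "1.12.0"),
}
# CVE-2023-20861 is stated as affected ranges rather than a single fix version.
# The "older unsupported versions" it also names cannot be enumerated, so
# (assumption) only the listed ranges are checked here.
SPRING_CORE_AFFECTED = [("6.0.0", "6.0.6"), ("5.3.0", "5.3.25"),
                        ("5.2.0.RELEASE", "5.2.22.RELEASE")]

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven-style version: '5.2.22.RELEASE' -> (5, 2, 22),
    '9.4.46.v20220331' -> (9, 4, 46). Qualifiers are dropped (assumption)."""
    parts: List[int] = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def is_below(bundled: str, fixed: str) -> bool:
    return version_key(bundled) < version_key(fixed)

def in_range(bundled: str, low: str, high: str) -> bool:
    return version_key(low) <= version_key(bundled) <= version_key(high)

def audit(bundled: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, bundled version, advisory) for every unresolved advisory."""
    findings = []
    for cve, (artifact, fixed) in FIXED_IN.items():
        version = bundled.get(artifact)
        if version is not None and is_below(version, fixed):
            findings.append((artifact, version, cve))
    spring = bundled.get("spring-core")
    if spring is not None and any(in_range(spring, lo, hi) for lo, hi in SPRING_CORE_AFFECTED):
        findings.append(("spring-core", spring, "CVE-2023-20861"))
    return findings

if __name__ == "__main__":
    # Bundles as stated in the issues: Geode 1.15.1 ships shiro-core 1.9.1 and
    # spring-core 5.3.20; Geode 1.13.7 ships shiro-core 1.8.0.
    for release, bundle in {"1.15.1": {"shiro-core": "1.9.1", "spring-core": "5.3.20"},
                            "1.13.7": {"shiro-core": "1.8.0"}}.items():
        for artifact, version, advisory in audit(bundle):
            print(f"Geode {release}: {artifact} {version} still affected by {advisory}")
```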