[jira] [Created] (GEODE-10450) Update spring version for CVE-2023-20861
Ankush Mittal created GEODE-10450:

Summary: Update spring version for CVE-2023-20861
Key: GEODE-10450
URL: https://issues.apache.org/jira/browse/GEODE-10450
Project: Geode
Issue Type: Bug
Affects Versions: 1.15.1
Reporter: Ankush Mittal

As per https://nvd.nist.gov/vuln/detail/CVE-2023-20861: "In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition."

Geode bundles version 5.3.20, which is vulnerable as per the CVE.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Created] (GEODE-10449) Update shiro-core to version 1.12.0 for CVE-2023-34478
Ankush Mittal created GEODE-10449:

Summary: Update shiro-core to version 1.12.0 for CVE-2023-34478
Key: GEODE-10449
URL: https://issues.apache.org/jira/browse/GEODE-10449
Project: Geode
Issue Type: Bug
Affects Versions: 1.15.1
Reporter: Ankush Mittal

As per https://nvd.nist.gov/vuln/detail/CVE-2023-34478: "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+"

Geode 1.15.1 bundles version 1.9.1 of the shiro-core jar, which is vulnerable as per the CVE.

There is another CVE related to shiro-core 1.9.1, https://nvd.nist.gov/vuln/detail/CVE-2023-22602, which states: "When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`"

The fix for the mentioned vulnerabilities seems to have been merged into the "develop" branch via commit https://github.com/apache/geode/commit/d1958146c12affb1fe3eabc5823bb4eeb6c0badc. Logging this Jira to update the same in the 1.15.1 branch as well.
[jira] [Updated] (GEODE-10443) Update shiro-core to version 1.11.0 for CVE-2022-40664
[ https://issues.apache.org/jira/browse/GEODE-10443?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ankush Mittal updated GEODE-10443:

Description:
As per https://nvd.nist.gov/vuln/detail/CVE-2022-40664: "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."

Geode 1.15.1 bundles version 1.9.1 of the shiro-core jar, which is vulnerable as per the CVE.

Also, although the CVE doesn't include "1.10.0", since the more recent version "1.11.0" is available, this ticket is logged to bundle that one.

> Update shiro-core to version 1.11.0 for CVE-2022-40664
> --
> Key: GEODE-10443
> URL: https://issues.apache.org/jira/browse/GEODE-10443
> Project: Geode
> Issue Type: Bug
> Affects Versions: 1.15.1
> Reporter: Ankush Mittal
> Priority: Major
> Labels: needsTriage
[jira] [Created] (GEODE-10443) Update shiro-core to version 1.11.0 for CVE-2022-40664
Ankush Mittal created GEODE-10443:

Summary: Update shiro-core to version 1.11.0 for CVE-2022-40664
Key: GEODE-10443
URL: https://issues.apache.org/jira/browse/GEODE-10443
Project: Geode
Issue Type: Bug
Affects Versions: 1.15.1
Reporter: Ankush Mittal

As per https://nvd.nist.gov/vuln/detail/CVE-2022-40664: "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."

Geode 1.15.1 bundles version 1.9.1 of the shiro-core jar, which is vulnerable as per the CVE.

Also, although the CVE doesn't include "1.10.0", since the more recent version "1.11.0" is available, this ticket is logged to bundle that one.
[jira] [Commented] (GEODE-10415) CVEs detected in latest geode
[ https://issues.apache.org/jira/browse/GEODE-10415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17637007#comment-17637007 ]

Ankush Mittal commented on GEODE-10415:

Some of the vulnerabilities impact older versions of Geode as well, like the vulnerability related to shiro-core in the 1.13.x branch [0]. Are the fixes for these vulnerabilities going to be part of the older impacted branches as well?

[0] https://issues.apache.org/jira/browse/GEODE-10406

> CVEs detected in latest geode
> --
> Key: GEODE-10415
> URL: https://issues.apache.org/jira/browse/GEODE-10415
> Project: Geode
> Issue Type: Bug
> Components: build
> Affects Versions: 1.15.0
> Reporter: Shruti
> Assignee: Mario Kevo
> Priority: Blocker
> Labels: pull-request-available
> Fix For: 1.15.1, 1.16.0
>
> We are detecting the following CVEs with geode.
> High or critical vulnerabilities: 21
> The spring-core is likely Not Affected. But we would like to know about the
> rest of these listed CVEs. Any info is appreciated.
>
> NAME                 INSTALLED          FIXED-IN  TYPE          VULNERABILITY        SEVERITY
> jetty-security       9.4.46.v20220331             java-archive  CVE-2022-2048        High
> jetty-server         9.4.46.v20220331             java-archive  CVE-2022-2048        High
> jetty-servlet        9.4.46.v20220331             java-archive  CVE-2022-2048        High
> jetty-util           9.4.46.v20220331             java-archive  CVE-2022-2048        High
> jetty-util-ajax      9.4.46.v20220331             java-archive  CVE-2022-2048        High
> jetty-webapp         9.4.46.v20220331             java-archive  CVE-2022-2048        High
> jetty-xml            9.4.46.v20220331             java-archive  CVE-2022-2048        High
> jgroups              3.6.14.Final       4.0.0     java-archive  GHSA-rc7h-x6cq-988q  Critical
> shiro-cache          1.9.0                        java-archive  CVE-2022-32532       Critical
> shiro-config-core    1.9.0                        java-archive  CVE-2022-32532       Critical
> shiro-config-ogdl    1.9.0                        java-archive  CVE-2022-32532       Critical
> shiro-core           1.9.0              1.9.1     java-archive  GHSA-4cf5-xmhp-3xj7  Critical
> shiro-core           1.9.0                        java-archive  CVE-2022-32532       Critical
> shiro-crypto-cipher  1.9.0                        java-archive  CVE-2022-32532       Critical
> shiro-crypto-core    1.9.0                        java-archive  CVE-2022-32532       Critical
> shiro-crypto-hash    1.9.0                        java-archive  CVE-2022-32532       Critical
> shiro-event          1.9.0                        java-archive  CVE-2022-32532       Critical
> shiro-lang           1.9.0                        java-archive  CVE-2022-32532       Critical
> spring-core          5.3.20                       java-archive  CVE-2016-127         Critical
> jetty-http           9.4.46.v20220331             java-archive  CVE-2022-2048        High
> jetty-io             9.4.46.v20220331             java-archive  CVE-2022-2048        High
[jira] [Created] (GEODE-10406) Update shiro-core to version 1.9.1 for CVE-2022-32532
Ankush Mittal created GEODE-10406:

Summary: Update shiro-core to version 1.9.1 for CVE-2022-32532
Key: GEODE-10406
URL: https://issues.apache.org/jira/browse/GEODE-10406
Project: Geode
Issue Type: Bug
Affects Versions: 1.13.7
Reporter: Ankush Mittal

As per https://nvd.nist.gov/vuln/detail/CVE-2022-32532: "Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass."

Geode bundles version 1.8.0 of the shiro-core jar, which is vulnerable as per the CVE.