ApacheCXF 3.1.4. Vulnerabilities in ehCache


ApacheCXF 3.1.4. Vulnerabilities in ehCache

Christoph Weser
Hello,

As this is my first question, please forgive me if this is the wrong list
for my question. Any hint towards the right one is appreciated.

We're using Apache 3.1.4 (yes, I know it's quite old).
When deploying it, the package also contains ehCache 2.10.4.

The customer is now complaining about several vulnerabilities found in ehCache
2.10.4.
When I looked at the newest release of Apache CXF I saw that it also uses
ehCache 2.10.6, which still has several known vulnerabilities, so
not even going to the newest release would solve these issues.

As we're using WS security it seems that this reference is needed.

So does anyone see a way of getting around that?

Thanks a lot,
Chris

Re: ApacheCXF 3.1.4. Vulnerabilities in ehCache

coheigea
Administrator
Hi,

What are the known vulnerabilities in ehcache 2.10.6? The OWASP Maven
dependency checker isn't detecting any issues.

There is a JIRA for the next WSS4J release to migrate to EhCache 3, once we
pick this up then we can update CXF as well -
https://issues.apache.org/jira/browse/WSS-632

Colm.

On Fri, Nov 8, 2019 at 12:24 PM Christoph Weser
<[hidden email]> wrote:


Re: ApacheCXF 3.1.4. Vulnerabilities in ehCache

Christoph Weser
Hey Colm,

I know. We're also using OWASP and there are no complaints.
The customer is using the quite widely spread Nexus Vulnerability scanner. (You
can download that one, start it locally and let it analyze files, and you'll get
the report via mail.)

For ehCache 2.10.6 it complains about:

CVE-2018-14721      [maven] net.sf.ehcache : ehcache : 2.10.6
CVE-2018-14718      [maven] net.sf.ehcache : ehcache : 2.10.6
CVE-2018-14719      [maven] net.sf.ehcache : ehcache : 2.10.6
CVE-2018-14720      [maven] net.sf.ehcache : ehcache : 2.10.6
SONATYPE-2017-0312  [maven] net.sf.ehcache : ehcache : 2.10.6
CVE-2019-10241      [maven] net.sf.ehcache : ehcache : 2.10.6
CVE-2019-10246      [maven] net.sf.ehcache : ehcache : 2.10.6
CVE-2019-10247      [maven] net.sf.ehcache : ehcache : 2.10.6

Most of it is about Jackson databinding in Jetty.
So I'm really not completely sure what to do.

Is there any way to get around this?

Christoph

Am Fr., 8. Nov. 2019 um 16:02 Uhr schrieb Colm O hEigeartaigh <
[hidden email]>:


Re: ApacheCXF 3.1.4. Vulnerabilities in ehCache

coheigea
Administrator
I'm not sure why the scanner is associating Jackson CVEs with EhCache. In
any case, the latest CXF release (3.3.4) uses Jackson 2.9.10.

Colm.

On Mon, Nov 11, 2019 at 7:19 AM Christoph Weser <
[hidden email]> wrote:


Re: ApacheCXF 3.1.4. Vulnerabilities in ehCache

Christoph Weser
Hi,

Well, the thing is, if I ONLY check ehCache stand-alone I get the
same result. (And in this case, without the rest of the distribution, the
scanner cannot reference any other lib.)

If I had to make an educated guess and have a look into the jar file, I would
say the scanner finds, for example,
<jar-file>\rest-management-private-classpath\com\fasterxml\jackson and so
on, and complains about that being integrated.
Same goes for jetty.

So, does anyone have an idea what to do?

Chris

Am Mo., 11. Nov. 2019 um 17:32 Uhr schrieb Colm O hEigeartaigh <
[hidden email]>:

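Added example, not code from this thread or from the ehcache or CXF projects: a Python check that confirms whether a jar carries third-party classes under a private classpath directory like the one Chris names, which is what leads a scanner to attribute Jackson and Jetty CVEs to the ehcache artifact itself. The sample jar is constructed in memory, the prefix-to-library mapping is an assumption for reporting, and the pom.properties lookup assumes such files survive bundling.

```python
import io
import zipfile
from collections import defaultdict
# Private classpath directory named in the thread and the bundled packages it
# mentions; the prefix -> display-name mapping is an assumption for reporting.
PRIVATE_DIR = "rest-management-private-classpath/"
KNOWN_PREFIXES = {
    "com/fasterxml/jackson/": "jackson",
    "org/eclipse/jetty/": "jetty",
}

def embedded_libraries(jar_bytes, private_dir=PRIVATE_DIR):
    """Count .class entries under private_dir per library (unknown ones by path prefix)."""
    counts = defaultdict(int)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith(private_dir) and name.endswith(".class")):
                continue
            rel = name[len(private_dir):]
            for prefix, lib in KNOWN_PREFIXES.items():
                if rel.startswith(prefix):
                    counts[lib] += 1
                    break
            else:  # not a known library: report by its first three path segments
                counts["/".join(rel.split("/")[:3])] += 1
    return dict(counts)

def embedded_versions(jar_bytes):
    """Return {artifactId: version} from any pom.properties left in the jar, else {}."""
    versions = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/pom.properties"):
                text = zf.read(name).decode("utf-8", "replace")
                props = dict(ln.split("=", 1) for ln in text.splitlines() if "=" in ln)
                if "artifactId" in props and "version" in props:
                    versions[props["artifactId"]] = props["version"].strip()
    return versions

def build_sample_jar():
    """Constructed jar mimicking the thread's layout; the version is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("net/sf/ehcache/Cache.class", b"")  # the jar's own class, not bundled
        zf.writestr(PRIVATE_DIR + "com/fasterxml/jackson/databind/ObjectMapper.class", b"")
        zf.writestr(PRIVATE_DIR + "com/fasterxml/jackson/core/JsonParser.class", b"")
        zf.writestr(PRIVATE_DIR + "org/eclipse/jetty/server/Server.class", b"")
        zf.writestr(PRIVATE_DIR + "META-INF/maven/x/jackson-databind/pom.properties",
                    b"artifactId=jackson-databind\nversion=0.0.0-placeholder\n")
    return buf.getvalue()
```

Run `embedded_libraries` and `embedded_versions` over the real jar bytes to see which bundled libraries (and, if pom.properties survived, which versions) a scanner would match against the CVE list.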