Vulnerability list
We are aware of existing vulnerabilities in the components and libraries used within the Entaxy ION platform. Our team has worked out specific measures to remediate these vulnerabilities, and we plan to focus our efforts on resolving them in the near future.
CVE | Severity | Affected component | Description | Planned resolution |
---|---|---|---|---|
CVE-2020-10683 | Critical | dom4j 1.6.1 | dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. | Disable DTD, backport the fix https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658 |
CVE-2022-46364 | Critical | cxf-core 3.3.6 | A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. | Try migrating to 3.5.6 |
CVE-2019-17638 | Critical | jetty-server 9.4.27.v20200227 | In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with other data. Thread1 then proceeds to write the buffer that now contains different data. This results in client1, which issued request1 seeing data from another request or response which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.). If the Jetty version cannot be upgraded, the vulnerability can be significantly reduced by configuring a responseHeaderSize significantly larger than the requestHeaderSize (12KB responseHeaderSize and 8KB requestHeaderSize). Sonatype’s research suggests that this CVE’s details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2019-17638 for details | 12KB responseHeaderSize and 8KB requestHeaderSize in Jetty |
CVE-2022-36437 | Critical | hazelcast 3.12.8 | The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3. | Try moving to 3.12.13 |
CVE-2022-22965 | Critical | spring-beans 5.2.9.RELEASE | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. | We run on Jetty |
CVE-2022-45047 | Critical | sshd-core 1.7.0 | Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server. | This class is not used in Apache Karaf: `(base) AF-MacBook-Pro:karaf fav$ grep -rnw 'SimpleGeneratorHostKeyProvider' .` `./shell/ssh/src/test/java/org/apache/karaf/shell/ssh/keygenerator/OpenSSHGeneratorKeyFileProviderTest.java:32: import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;` `./shell/ssh/src/test/java/org/apache/karaf/shell/ssh/keygenerator/OpenSSHGeneratorKeyFileProviderTest.java:64: SimpleGeneratorHostKeyProvider simpleGenerator = new SimpleGeneratorHostKeyProvider(privateKeyTemp);` |
CVE-2022-0839 | Critical | liquibase-core 3.6.3 | Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0. | The XMLChangeLogSAXParser class is not used in the Entaxy code |
CVE-2022-1471 | Critical | snakeyaml 1.26 | SnakeYaml’s Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml’s Safe Constructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond. | Used on the UI |
CVE-2022-40145 | Critical | org.apache.karaf.jaas.modules 4.2.9 | This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8. Sonatype’s research suggests that this CVE’s details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-40145 for details | I did not find any use of the doCreateDatasource method in our code. Check СВ!!! |
CVE-2022-25647 | High | gson 2.8.5 | gson - Deserialization of Untrusted Data [CVE-2022-25647]. The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Sonatype’s research suggests that this CVE’s details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-25647 for details | Try moving to 2.8.9 |
CVE-2020-25638 | High | hibernate-core 5.2.17.Final | A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity. | Mitigation: Set hibernate.use_sql_comments to false, which is the default value, or use named parameters instead of literals. Please refer to details in https://docs.jboss.org/hibernate/orm/5.4/userguide/html_single/Hibernate_User_Guide.html#configurations-logging and https://docs.jboss.org/hibernate/orm/5.4/userguide/html_single/Hibernate_User_Guide.html#sql-query-parameters. |
CVE-2018-1000632 | High | dom4j 1.6.1 | dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. | Backport the commit to our code - https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387 or move to 2.1.1 |
CVE-2022-46363 | High | cxf-rt-transports-http 3.3.6 | A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured. Sonatype’s research suggests that this CVE’s details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-46363 for details | row 2 |
CVE-2022-40152 | High | woodstox-core 5.0.3 | Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. Sonatype’s research suggests that this CVE’s details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-40152 for details | Check whether we need DTD support; if not, disable it or backport the fix - https://github.com/FasterXML/woodstox/pull/159/files |
CVE-2021-28165 | High | jetty-io 9.4.27.v20200227 | In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. Sonatype’s research suggests that this CVE’s details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2021-28165 for details | Try changing the Jetty version to 9.4.39+ - https://github.com/jetty/jetty.project/releases?page=8 or apply the fix https://github.com/jetty/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w |
CVE-2023-33265 | High | hazelcast 3.12.8 | In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don’t check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted. | see row 4 |
CVE-2022-25857 | High | snakeyaml 1.26 | The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. | see row 8 |
CVE-2023-6378 | High | logback-classic 1.2.3 | A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. | Could not find where it is used |
CVE-2023-6378 | High | logback-core 1.2.3 | A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. | row 18 |
CVE-2022-42003 | High | jackson-databind 2.10.5.1 | In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. | UNWRAP_SINGLE_VALUE_ARRAYS - check this setting, backport the fix - https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33 |
CVE-2022-42004 | High | jackson-databind 2.10.5.1 | In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. | Check BeanDeserializer._deserializeFromArray, backport the commit - https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88 |
CVE-2020-36518 | High | jackson-databind 2.10.5.1 | jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. Sonatype’s research suggests that this CVE’s details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-36518 for details | Backport the fix - https://github.com/FasterXML/jackson-databind/compare/2.17…akatona84:jackson-databind:backport-CVE-2020-36518-to-2.10.5.x |
CVE-2021-46877 | High | jackson-databind 2.10.5.1 | jackson-databind - Denial of Service (DoS). The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended. | Backport the fix - https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb |
CVE-2023-2976 | High | Guava 20.0 | Use of Java’s default temporary directory for file creation in Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows. | Check use of the temp directory and FileBackedOutputStream, backport the fix - https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284 |
CVE-2023-2976 | High | Guava 19.0 | Use of Java’s default temporary directory for file creation in Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows. | Check use of the temp directory and FileBackedOutputStream, backport the fix - https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284 |
CVE-2021-37136 | High | netty-codec 4.1.48.Final | The Bzip2 decompression decoder function doesn’t allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack | Bzip2 is not used |
CVE-2021-37137 | High | netty-codec 4.1.48.Final | The Snappy frame decoder function doesn’t restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. | Port the fix - https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f |
CVE-2022-23913 | High | artemis-core-client 2.19.0 | In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory. | Try 2.19.2+ |
CVE-2020-36518 | High | jackson-databind 2.9.10.8 | jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. Sonatype’s research suggests that this CVE’s details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-36518 for details | row 22 |
CVE-2022-42003 | High | jackson-databind 2.9.10.8 | In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. | row 20 |
CVE-2022-42004 | High | jackson-databind 2.9.10.8 | In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. | row 21 |
CVE-2020-36518 | High | jackson-databind 2.11.2 | jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. Sonatype’s research suggests that this CVE’s details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-36518 for details | row 22 |
CVE-2022-42003 | High | jackson-databind 2.11.2 | In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. | row 20 |
CVE-2022-42004 | High | jackson-databind 2.11.2 | In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. | row 21 |
CVE-2021-46877 | High | jackson-databind 2.11.2 | jackson-databind - Denial of Service (DoS). The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended. | row 23 |
CVE-2021-33813 | High | jdom2 2.0.6 | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | Apply the fix - https://github.com/hunterhacker/jdom/pull/188/files |
CVE-2022-40152 | High | woodstox-core 6.2.3 | Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. Sonatype’s research suggests that this CVE’s details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-40152 for details | row 14 |
CVE-2021-41766 | Critical | Apache Karaf 4.2.9 | Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client server communication. Whereas the default JMX implementation is hardened against unauthenticated deserialization attacks, the implementation used by Apache Karaf is not protected against this kind of attack. The impact of Java deserialization vulnerabilities strongly depends on the classes that are available within the targets class path. Generally speaking, deserialization of untrusted data does always represent a high security risk and should be prevented. The risk is low as, by default, Karaf uses a limited set of classes in the JMX server class path. It depends of system scoped classes (e.g. jar in the lib folder). Versions before (<) 4.3.6 | Apply the fix - https://github.com/apache/karaf/pull/1475/files |