fabric-chaincode-shim vulnerabilities

[benjsmi]

Name	Found in Code	CVEs	Due Date	Status
bcprov-jdk15on-1.62.jar	https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-shim/build.gradle#L46	https://nvd.nist.gov/vuln/detail/CVE-2019-17359, https://nvd.nist.gov/vuln/detail/CVE-2020-26939, https://nvd.nist.gov/vuln/detail/CVE-2023-33201, https://nvd.nist.gov/vuln/detail/CVE-2020-15522	Aug 21, 2023	Addressed by #310 ✅
json-20220320.jar	Transitive dependency from fabric-chaincode-shim, which is imported here: https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-integration-test/build.gradle#L4, and then json-20220320.jar is imported here: https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-shim/build.gradle#L49	https://nvd.nist.gov/vuln/detail/CVE-2022-45688	Aug 21, 2023	Addressed by #310 ✅
guava-26.0-android.jar, guava-31.0.1-jre.jar	Transitive dependency, in fabric-chaincode-integration-test (https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-integration-test/build.gradle#L4) this time the dependency is on fabric-chaincode-shim: https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-shim/build.gradle#L44C5-L44C5. Shim is dependent on org.hyperledger.fabric.fabric-protos v0.2.0, which is dependent on a vulnerable version of Guava: https://central.sonatype.com/artifact/org.hyperledger.fabric/fabric-protos/0.2.0/overview.	https://nvd.nist.gov/vuln/detail/CVE-2023-2976, https://nvd.nist.gov/vuln/detail/CVE-2020-8908	Oct 10, 2023	Fixed in user-facing code in #314; examples still point to old shim
json-20180813.jar	Direct dependency here: https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-integration-test/build.gradle#L4	https://nvd.nist.gov/vuln/detail/CVE-2022-45688	Aug 21, 2023	Fixed in https://github.com/hyperledger/fabric-chaincode-java/pull/314/files ✅
protobuf-java-3.20.1.jar	Direct dependency here: fabric-chaincode-java/fabric-chaincode-shim/build.gradle Line 50 in 40126d0 implementation group: 'com.google.protobuf', name: 'protobuf-java-util', version: '3.20.1' , but ALSO, fabric-chaincode-java/fabric-chaincode-shim/build.gradle Line 61 in 40126d0 implementation "io.opentelemetry:opentelemetry-proto:1.6.0-alpha" includes io.opentelemetry:opentelemetry-protoat 1.6.0-alpha, which includes protobuf-java at 3.20.1 as shown here: https://mvnrepository.com/artifact/io.opentelemetry/opentelemetry-proto/1.6.0-alpha. and ALSO, shim includes grpc-protobuf at v1.46, as seen here fabric-chaincode-java/fabric-chaincode-shim/build.gradle Line 55 in 40126d0 implementation 'io.grpc:grpc-protobuf:1.46.0' which includes protobuf-java at v3.20.1 as shown here: https://mvnrepository.com/artifact/io.grpc/grpc-protobuf/1.46.0, and also includes fabric-protos at v0.2.0 as shown here: fabric-chaincode-java/fabric-chaincode-shim/build.gradle Line 44 in 40126d0 implementation group: 'org.hyperledger.fabric', name:'fabric-protos', version:'0.2.0' and fabric-protos at v0.2.0 includes protobuf-java at v3.20.1 as shown here: https://mvnrepository.com/artifact/org.hyperledger.fabric/fabric-protos/0.2.0 ... AND ALSO I also see a link from fabric-chaincode-java in several examples that go to fabric-protos v0.1.3, which includes protobuf-java at v3.19.4 -- example fabric-chaincode-java/examples/fabric-contract-example-maven/pom.xml Line 50 in 3b5b2cb <artifactId>fabric-protos</artifactId> and second example fabric-chaincode-java/fabric-chaincode-integration-test/src/contracts/bare-maven/pom.xml Line 54 in 3b5b2cb <artifactId>fabric-protos</artifactId> and also fabric-chaincode-java/fabric-chaincode-integration-test/src/contracts/wrapper-maven/pom.xml Line 54 in 3b5b2cb <artifactId>fabric-protos</artifactId>	https://nvd.nist.gov/vuln/detail/CVE-2022-3509, https://nvd.nist.gov/vuln/detail/CVE-2022-3510, https://nvd.nist.gov/vuln/detail/CVE-2022-3171	Oct 20, 2023	#310 definitely helps. Moved the direct dependency to v3.19.6, which is not vulnerable. It also moved io.grpc.grpc-protobuf to v1.45.4, which uses protobuf-java v3.19.6. However, this change does not address the dependency on io.opentelemetry:opentelemetry-protoat 1.6.0-alpha, or the dependency on fabric-protos at v0.2.0.

[benjsmi]

OK; I got a lot more precise in the above description. Two of these items have been addressed by the last PR, but two remain.

[benjsmi]

Still a couple of examples that are hard-coded to reference fabric-chaincode-shim v2.5.0:

• https://github.com/hyperledger/fabric-chaincode-java/blob/main/examples/fabric-contract-example-gradle/build.gradle#L23
• https://github.com/hyperledger/fabric-chaincode-java/blob/main/examples/fabric-contract-example-gradle-kotlin/build.gradle.kts#L22.
• https://github.com/hyperledger/fabric-chaincode-java/blob/main/examples/fabric-contract-example-as-service/build.gradle#L23 -- it doesn't force it, but I would recommend requiring v2.5.1+ so that users are more likely to get secure versions.

[benjsmi]

Do we want to force and/or hard-code fabric-chaincode-java to v2.5.0 in this example? https://github.com/hyperledger/fabric-chaincode-java/blob/main/examples/fabric-contract-example-maven/pom.xml#L15

Probably also a good idea to update the fabric-protos version from v0.1.3 to something in the v0.2.x range. https://github.com/hyperledger/fabric-chaincode-java/blob/main/examples/fabric-contract-example-maven/pom.xml#L51

[benjsmi]

Also another example here of an old JSON version being referenced: https://github.com/hyperledger/fabric-chaincode-java/blob/main/examples/fabric-contract-example-maven/pom.xml#L98-L103

[bestbeforetoday]

I think all outstanding vulnerabilities in dependencies of fabric-chaincoide-shim have now been resolved.