Vulnerabilities in dependencies #70

Closed
joancafom opened this issue May 30, 2023 · 7 comments
Labels
invalid This doesn't seem right

@joancafom

Hi! I have recently downloaded the latest release of Prometheus-Rsocket-Proxy (1.5.1) and analysed it with Trivy (a security and vulnerability scanner). The result shows several vulnerabilities:

# From Maven
$ wget https://repo1.maven.org/maven2/io/micrometer/prometheus/prometheus-rsocket-proxy/1.5.1/prometheus-rsocket-proxy-1.5.1.jar

$ trivy rootfs .

Java (jar)

Total: 9 (UNKNOWN: 0, LOW: 1, MEDIUM: 5, HIGH: 1, CRITICAL: 2)

┌─────────────────────────────────────────────────────────┬──────────────────┬──────────┬───────────────────┬───────────────────────────────┬──────────────────────────────────────────────────────────────┐
│                         Library                         │  Vulnerability   │ Severity │ Installed Version │         Fixed Version         │                            Title                             │
├─────────────────────────────────────────────────────────┼──────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot-autoconfigure      │ CVE-2023-20883   │ LOW      │ 2.7.11            │ 2.5.15, 2.6.15, 2.7.12, 3.0.7 │ Spring Boot Welcome Page DoS Vulnerability                   │
│ (prometheus-rsocket-proxy-1.5.1.jar)                    │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2023-20883                   │
├─────────────────────────────────────────────────────────┼──────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-web                          │ CVE-2016-1000027 │ CRITICAL │ 5.3.27            │ 6.0.0                         │ spring: HttpInvokerServiceExporter readRemoteInvocation      │
│ (prometheus-rsocket-proxy-1.5.1.jar)                    │                  │          │                   │                               │ method untrusted java deserialization                        │
│                                                         │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2016-1000027                 │
├─────────────────────────────────────────────────────────┼──────────────────┤          ├───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.yaml:snakeyaml (prometheus-rsocket-proxy-1.5.1.jar) │ CVE-2022-1471    │          │ 1.30              │ 2.0                           │ Constructor Deserialization Remote Code Execution            │
│                                                         │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2022-1471                    │
│                                                         ├──────────────────┼──────────┤                   ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                         │ CVE-2022-25857   │ HIGH     │                   │ 1.31                          │ Denial of Service due to missing nested depth limitation for │
│                                                         │                  │          │                   │                               │ collections                                                  │
│                                                         │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2022-25857                   │
│                                                         ├──────────────────┼──────────┤                   │                               ├──────────────────────────────────────────────────────────────┤
│                                                         │ CVE-2022-38749   │ MEDIUM   │                   │                               │ Uncaught exception in                                        │
│                                                         │                  │          │                   │                               │ org.yaml.snakeyaml.composer.Composer.composeSequenceNode     │
│                                                         │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2022-38749                   │
│                                                         ├──────────────────┤          │                   │                               ├──────────────────────────────────────────────────────────────┤
│                                                         │ CVE-2022-38750   │          │                   │                               │ Uncaught exception in                                        │
│                                                         │                  │          │                   │                               │ org.yaml.snakeyaml.constructor.BaseConstructor.constructObj- │
│                                                         │                  │          │                   │                               │ ect                                                          │
│                                                         │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2022-38750                   │
│                                                         ├──────────────────┤          │                   │                               ├──────────────────────────────────────────────────────────────┤
│                                                         │ CVE-2022-38751   │          │                   │                               │ Uncaught exception in                                        │
│                                                         │                  │          │                   │                               │ java.base/java.util.regex.Pattern$Ques.match                 │
│                                                         │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2022-38751                   │
│                                                         ├──────────────────┤          │                   ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                         │ CVE-2022-38752   │          │                   │ 1.32                          │ Uncaught exception in java.base/java.util.ArrayList.hashCode │
│                                                         │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2022-38752                   │
│                                                         ├──────────────────┤          │                   │                               ├──────────────────────────────────────────────────────────────┤
│                                                         │ CVE-2022-41854   │          │                   │                               │ DoS via stack overflow                                       │
│                                                         │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2022-41854                   │
└─────────────────────────────────────────────────────────┴──────────────────┴──────────┴───────────────────┴───────────────────────────────┴──────────────────────────────────────────────────────────────┘

Do you have any information/statement about these CVEs related to your product? Is your software actually affected by them? If so, are you planning to address these vulnerabilities in an upcoming release?

Thanks in advance!

@shakuzen
Member

On the welcome page CVE, this project does not use WebMVC (it uses Webflux) or the Spring Boot welcome page support.

On the spring-web CVE, we are not using HTTP invoker. See spring-projects/spring-framework#24434 for more details.

There is no direct usage of SnakeYAML in prometheus-rsocket-proxy code, so the usage is only what Spring Boot supports. I will defer to their answer on this as captured in comments in spring-projects/spring-boot#33457. To summarize, SnakeYAML is only being used by Spring Boot in prometheus-rsocket-proxy to load application.yml files, which should not be an untrusted source. I think that generally mitigates all of the SnakeYAML CVEs.

I do wish security scanners were better at detecting vulnerability beyond a simple check whether an artifact is present or not.

Let me know if the above does not address all of the concerns.

@joancafom
Author

Hi again!

Thank you for your prompt reply :)

I do wish security scanners were better at detecting vulnerability beyond a simple check whether an artifact is present or not.

We share the same feeling... but unfortunately, at the moment, one still needs to assess this with developers.

Let me know if the above does not address all of the concerns.

Yes, that was neat! Thanks again 😁

jonatan-ivanov closed this as not planned on May 31, 2023.
jonatan-ivanov added the "invalid" label and removed the "status: waiting for feedback" label on May 31, 2023.
@FraPazGal

Apologies if this should be on a new issue altogether, but seeing as it relates to new CVEs affecting [email protected] it could be good to have everything in one place. I recently ran a new vulnerability scan on the proxy and it returned some new CVEs for which I couldn't find any impact assessment from you devs:

┌─────────────────────────────────────────────────────────────┬──────────────────┬──────────┬───────────────────┬───────────────────────────────┬──────────────────────────────────────────────────────────────┐
│                           Library                           │  Vulnerability   │ Severity │ Installed Version │         Fixed Version         │                            Title                             │
├─────────────────────────────────────────────────────────────┼──────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ io.netty:netty-handler (prometheus-rsocket-proxy-1.5.1.jar) │ CVE-2023-34462   │ MEDIUM   │ 4.1.91.Final      │ 4.1.94.Final                  │ Netty is an asynchronous event-driven network application    │
│                                                             │                  │          │                   │                               │ framework fo ...                                             │
│                                                             │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2023-34462                   │
├─────────────────────────────────────────────────────────────┼──────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.xerial.snappy:snappy-java                               │ CVE-2023-34455   │ HIGH     │ 1.1.9.1           │ 1.1.10.1                      │ snappy-java's unchecked chunk length leads to DoS            │
│ (prometheus-rsocket-proxy-1.5.1.jar)                        │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2023-34455                   │
│                                                             ├──────────────────┼──────────┤                   │                               ├──────────────────────────────────────────────────────────────┤
│                                                             │ CVE-2023-34453   │ MEDIUM   │                   │                               │ snappy-java's Integer Overflow vulnerability in shuffle      │
│                                                             │                  │          │                   │                               │ leads to DoS                                                 │
│                                                             │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2023-34453                   │
│                                                             ├──────────────────┤          │                   │                               ├──────────────────────────────────────────────────────────────┤
│                                                             │ CVE-2023-34454   │          │                   │                               │ snappy-java's Integer Overflow vulnerability in compress     │
│                                                             │                  │          │                   │                               │ leads to DoS                                                 │
│                                                             │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2023-34454                   │
└─────────────────────────────────────────────────────────────┴──────────────────┴──────────┴───────────────────┴───────────────────────────────┴──────────────────────────────────────────────────────────────┘

@jonatan-ivanov Could you confirm if the proxy is affected by these vulns and share any update plans to address them if necessary?

Thanks in advance!

@corneil

corneil commented Jul 6, 2023

@jonatan-ivanov I notice that snappy-java 1.1.10.1 fixes the CVEs

@ifindlay-cci

@FraPazGal this is a closed issue, should this either be re-opened or a new issue created for those CVEs?

@jonatan-ivanov
Member

jonatan-ivanov commented Jul 7, 2023

@FraPazGal Thanks for the heads-up! We are already using the fixed versions on main so we "only" need to release rsocket proxy, I'm going to do it soon.

it could be good to have everything in one place

I don't think this is a good idea: The previous report did not need any actions (the issue is still invalid) so we closed the issue. This is clearly a new one and it does need actions (and the opened issue would be valid). What should we do when we fix this? Close this unrelated issue again? :) What should we do with the invalid label? How will you track if there will be another issue and a next one? This will turn into something chaotic quickly. We prefer opening a new issue for new things and not handle everything in one gigantic issue.

Also, if you open a new issue, it will ask you to read the security policy.

I recently run a new vulnerability scan on the proxy and it returned some new cves for which I couldn't find any impact assessment from you devs

I'm not sure I get this, what kind of impact assessment are you looking for?

Could you confirm if the proxy is affected by these vulns and share any update plans to address them if necessary?

I can confirm that these versions of these dependencies are in the proxy, but exploitability is a different question I think, since for that an attacker needs to hijack the connection and inject their own payload, or the user needs to connect to untrusted sources.

@corneil Yepp, we are using it on main, we need to release it.
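One way to record the kind of per-CVE assessment the two maintainer replies above give (shakuzen's reasoning on the Spring and SnakeYAML findings, jonatan-ivanov's on the snappy-java ones), so that a Trivy report is triaged against those statements rather than taken at face value. This is an added example, not code from the thread or the prometheus-rsocket-proxy project; the Trivy JSON excerpt is constructed from the tables above, and the OpenVEX-style status/justification values are assumed as the recording convention.

```python
"""Triage a Trivy JSON report against maintainer exploitability statements.
Added example, not code from the issue thread or the prometheus-rsocket-proxy project."""
import json

# Constructed excerpt of `trivy --format json` output, keeping only the keys used here
# and four of the findings from the tables in this thread.
TRIVY_REPORT = json.dumps({"Results": [{"Target": "prometheus-rsocket-proxy-1.5.1.jar", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2023-20883", "PkgName": "org.springframework.boot:spring-boot-autoconfigure",
     "InstalledVersion": "2.7.11", "FixedVersion": "2.5.15, 2.6.15, 2.7.12, 3.0.7", "Severity": "LOW"},
    {"VulnerabilityID": "CVE-2016-1000027", "PkgName": "org.springframework:spring-web",
     "InstalledVersion": "5.3.27", "FixedVersion": "6.0.0", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-2022-1471", "PkgName": "org.yaml:snakeyaml",
     "InstalledVersion": "1.30", "FixedVersion": "2.0", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-2023-34455", "PkgName": "org.xerial.snappy:snappy-java",
     "InstalledVersion": "1.1.9.1", "FixedVersion": "1.1.10.1", "Severity": "HIGH"},
]}]})

# The maintainers' answers from the thread, restated as OpenVEX status/justification
# pairs (assumed convention). CVEs absent from this map have not been assessed and stay actionable.
ASSESSMENTS = {
    "CVE-2023-20883": ("not_affected", "vulnerable_code_not_in_execute_path"),   # no WebMVC, no welcome page
    "CVE-2016-1000027": ("not_affected", "vulnerable_code_not_in_execute_path"), # HTTP invoker not used
    "CVE-2022-1471": ("not_affected", "vulnerable_code_cannot_be_controlled_by_adversary"),  # only application.yml
}

def triage(report_json, assessments):
    """Map every finding to its status; unassessed findings become 'under_investigation'.
    'not_affected' findings are kept (with justification) so the decision stays auditable,
    but carry no upgrade action."""
    out = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            status, why = assessments.get(v["VulnerabilityID"], ("under_investigation", None))
            action = None if status == "not_affected" else \
                f"upgrade {v['PkgName']} {v['InstalledVersion']} -> {v['FixedVersion']}"
            out[v["VulnerabilityID"]] = {"status": status, "justification": why,
                                         "severity": v["Severity"], "action": action}
    return out

def actionable(triaged):
    """CVE ids that still need a fix, most severe first."""
    rank = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted((c for c, t in triaged.items() if t["action"]),
                  key=lambda c: rank.get(triaged[c]["severity"], 4))
```

Run against a real report, the output is the list of findings that still need a dependency bump (here only the snappy-java one), while the "not_affected" entries keep the reason a reviewer can check later.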

@jonatan-ivanov
Member

fyi: 1.5.2 is out with the upgraded dependencies.
