7 Replies Latest reply on Sep 26, 2017 9:54 AM by shawkins

    Help with Vulnerabilities in Teiid 9.0.1

    durgadatta

      We are using Teiid 9.0.1 in our project (Application Management Project - product) to query one of the databases.

      We have run a security scan and found the two vulnerabilities below reported against two jars Teiid uses internally.

      The jars are part of connector-ws.

      CVE-2013-6429 - spring-asm-3.1.4.RELEASE.jar

      CVE-2014-3577 - httpasyncclient-4.0.1.jar

      Wanted to check if you have any plans of fixing these vulnerabilities in your latest version of Teiid or do you have any workaround for the same.

      We have a high priority customer waiting for a fix for these vulnerabilities. Appreciate any help here.

        • 1. Re: Help with Vulnerabilities in Teiid 9.0.1
          shawkins

           > Wanted to check if you have any plans of fixing these vulnerabilities in your latest version of Teiid or do you have any workaround for the same.

           CVE-2013-6429 - spring-asm-3.1.4.RELEASE.jar - I don't see how this jar applies to the CVE. Can you provide a link showing how the asm jar is related?

           CVE-2014-3577 - httpasyncclient-4.0.1.jar - that jar is part of the WildFly CXF distribution. Note that any security issues in WildFly/EAP are addressed with the supported EAP release. In this case you should move to a later Teiid community version, as 9.1+ relies on a later WildFly which uses an updated CXF.


          • 2. Re: Help with Vulnerabilities in Teiid 9.0.1
            durgadatta

             Hi, thank you for the quick response.

             spring-asm-3.1.4.RELEASE.jar - will get back to you on this.

             CVE-2014-3577 - httpasyncclient-4.0.1.jar - we will look at what changed from 9.0.1 to 9.1.x and see if we can upgrade to 9.1.x without breaking the existing code.

            Thanks,

            Mahathi

            • 3. Re: Help with Vulnerabilities in Teiid 9.0.1
              durgadatta

              Hi Steven,

               These are the vulnerabilities reported:

               MEDIUM CVE-2013-4152, CVE-2013-6429, CVE-2013-7315, CVE-2014-0054, CVE-2014-3578, CVE-2014-3625 & CVE-2014-1904: I found this file spring-asm-3.1.4.RELEASE.jar as a dependency of org.jboss.teiid.connectors (Web Service Adapter of JBoss Teiid), so these vulnerabilities are introduced.

               MEDIUM CVE-2015-3192: Similarly to the above medium vulnerabilities, I found spring-aop-3.2.12.RELEASE.jar as a dependency of org.jboss.teiid.connectors. Y

               I would appreciate your help here.

              Thanks

              • 4. Re: Help with Vulnerabilities in Teiid 9.0.1
                shawkins

                 > I would appreciate your help here.

                 Unless I'm missing something, it appears that you are counting any transitive dependency in Spring as part of the CVE. I don't see where the asm or the aop jar is directly listed in the CVEs - nor would they be, as the CVEs are mostly related to web/XML attacks. Note that the context in which the ws connector uses Spring is limited only to the CXF configuration, not the Spring MVC framework.

                • 5. Re: Help with Vulnerabilities in Teiid 9.0.1
                  durgadatta

                   OK, got your point. Thank you. The scan the customer is using reports all 3rd party libraries on the system, and that's how all these were reported.

                  httpasyncclient-4.0.1.jar - CVE-2014-3577

                  spring-aop-3.2.12.RELEASE.jar - CVE-2015-5211, CVE-2015-3192,CVE-2016-5007,CVE-2016-9878

                  spring-asm-3.1.4.RELEASE.jar

                  spring-tx-3.2.16.RELEASE.jar -  CVE-2016-5007, CVE-2016-9878

                   Planning to make the following changes in our project. Please let us know what you think.

                   spring-aop, spring-tx to 3.2.16 - upgrade to version 3.2.16.

                   spring-asm - The latest version is 3.1.4. Is it OK to exclude this dependency (if all the tests pass) in pom.xml? What do you suggest?

                  httpasyncclient-4.0.1.jar -  upgrade to 4.0.2 as mentioned in the details of the link https://nvd.nist.gov/vuln/detail/CVE-2014-3577

                  spring-tx-3.2.16.RELEASE.jar - upgrade to 3.2.18 as per https://nvd.nist.gov/vuln/detail/CVE-2016-9878


                  • 6. Re: Help with Vulnerabilities in Teiid 9.0.1
                    durgadatta

                     What I have basically done is:

                     excluded the transitive dependency and introduced the same library (later version) without the security vulnerability.

                     Is that fine?

                    • 7. Re: Help with Vulnerabilities in Teiid 9.0.1
                      shawkins

                       > excluded the transitive dependency and introduced the same library (later version) without the security vulnerability.

                       > Is that fine?

                       I just want to qualify that the jars Teiid pulls into the kit, such as asm and aop, especially in the context they are used in, do not seem to be affected by security vulnerabilities.

                      As for the other spring or cxf issues in the WildFly kit, the first preference would be to upgrade to a later Teiid to pick up a later WildFly.


                      But if you need to stick with 9.0.1 specifically and create a patched build, you can certainly make the changes you are proposing and it will likely be fine.


                       > spring-asm - The latest version is 3.1.4. Is it OK to exclude this dependency (if all the tests pass) in pom.xml? What do you suggest?

                       That should reflect that the specific jar is not subject to a CVE. However, if you need to get rid of it, that would likely prevent the usage of CXF configuration files with the ws connector. If that's OK with your usage, then that's fine.
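The "exclude the transitive dependency and re-declare a later version" approach discussed in replies 5 through 7, written out as a Maven pom.xml fragment. This is an added example, not code from the thread or from the Teiid project. It assumes the project's pom declares the Teiid web-service connector under the coordinates org.jboss.teiid.connectors:connector-ws:9.0.1 (assumed from "connector-ws" and "org.jboss.teiid.connectors" in the thread; confirm with your own dependency tree), uses the Spring and HttpComponents coordinates as published on Maven Central, and pins the versions the poster proposed (spring-aop 3.2.16, spring-tx 3.2.18, httpasyncclient 4.0.2). The spring-asm exclusion is left commented out because of the caveat in reply 7 that removing it likely breaks CXF configuration files for the ws connector.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread or the Teiid project).
     Assumption: connector-ws is declared directly in this pom; if it arrives
     transitively, the same exclusions go on whichever dependency pulls it in. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>                <!-- placeholder -->
  <artifactId>app-management-service</artifactId> <!-- placeholder -->
  <version>1.0.0-SNAPSHOT</version>

  <dependencies>
    <dependency>
      <groupId>org.jboss.teiid.connectors</groupId>   <!-- assumed coordinates -->
      <artifactId>connector-ws</artifactId>
      <version>9.0.1</version>
      <exclusions>
        <!-- Step 1: drop the transitive versions the scan flagged. -->
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-aop</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-tx</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.apache.httpcomponents</groupId>
          <artifactId>httpasyncclient</artifactId>
        </exclusion>
        <!-- spring-asm: reply 7 notes that removing it likely disables CXF
             configuration files for the ws connector. Only enable this
             exclusion if you do not use them and the test suite still passes.
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-asm</artifactId>
        </exclusion>
        -->
      </exclusions>
    </dependency>

    <!-- Step 2: re-declare the same libraries at the versions proposed in reply 5. -->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-aop</artifactId>
      <version>3.2.16.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-tx</artifactId>
      <version>3.2.18.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpasyncclient</artifactId>
      <version>4.0.2</version>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, confirm that only the intended versions remain on the classpath with `mvn dependency:tree -Dincludes=org.springframework,org.apache.httpcomponents`; any remaining 3.2.12 or 4.0.1 entry means another path still pulls the old jar in and needs its own exclusion. Two design points worth keeping in mind: Spring modules are built to be used at one version, so if the remaining spring-* jars that CXF pulls in (spring-core, spring-beans, and so on) stay at a different 3.2.x than the ones you pin, align them rather than mixing versions; and if many modules of the project consume connector-ws, a `<dependencyManagement>` section that pins the spring-* and httpasyncclient versions once for the whole build is less error-prone than repeating exclusion-plus-redeclare in every pom, because Maven applies managed versions to transitive dependencies as well.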