-
1. Re: Help with Vulnerabilities in Teiid 9.0.1
shawkins Sep 21, 2017 8:13 AM (in response to durgadatta)> Wanted to check if you have any plans of fixing these vulnerabilities in your latest version of Teiid or do you have any workaround for the same.
CVE-2013-6429 - spring-asm-3.1.4.RELEASE.jar - I don't see how this jar applies to the CVE. Can you provide a link of how the asm jar is related?
CVE-2014-3577 - httpasyncclient-4.0.1.jar - that jar is part of the WildFly cxf distribution. Note that any security issues in WildFly/EAP are addressed with the supported EAP release. In this case you should to a later Teiid community version as 9.1+ rely on later WildFly which use an updated CXF.
-
2. Re: Help with Vulnerabilities in Teiid 9.0.1
durgadatta Sep 21, 2017 8:47 AM (in response to shawkins)Hi Thank for you the quick response.
spring-asm-3.1.4.RELEASE.jar - will get back to you on this.
CVE-2014-3577 - httpasyncclient-4.0.1.jar - we will look at what changed from 9.0.1 to 9.1.X and see if we can upgrade to 9.1.x without breaking the existing code.
Thanks,
Mahathi
-
3. Re: Help with Vulnerabilities in Teiid 9.0.1
durgadatta Sep 22, 2017 1:46 AM (in response to durgadatta)Hi Steven,
These are the vulnerabilities reported
MEDIUM CVE-2013-4152, CVE-2013-6429, CVE-2013-7315, CVE-2014-0054, CVE-2014-3578, CVE-2014-3625 & CVE-2014-1904: I found this file spring-asm-3.1.4.RELEASE.jar as a dependency of org.jboss.teiid.connectors (Web Service Adapter of JBoss Teiid) so these vulnerabilities are introduced.
MEDIUM CVE-2015-3192: Similarly to above medium vulnerabilities I found spring-aop-3.2.12.RELEASE.jar as the dependency of org.jboss.teiid.connectors. Y
I would appreciate your help here.
Thanks
-
4. Re: Help with Vulnerabilities in Teiid 9.0.1
shawkins Sep 22, 2017 7:54 AM (in response to durgadatta)> I would appreciate your help here.
Unless I'm missing something it appears that you are counting any transitive dependency in spring as part of the CVE. I don't see where the asm or the aop jar directly listed in the CVEs - nor would they as they CVEs are mostly related to web/xml attacks. Note the context that the ws connector uses spring is limited to only to the CXF configuration, not the spring MVC framework.
-
5. Re: Help with Vulnerabilities in Teiid 9.0.1
durgadatta Sep 26, 2017 9:17 AM (in response to durgadatta)ok. got your point. Thank you. The scans the customer is using reports all 3rd party libraries on the system and that's how all these were reported.
httpasyncclient-4.0.1.jar - CVE-2014-3577
spring-aop-3.2.12.RELEASE.jar - CVE-2015-5211, CVE-2015-3192,CVE-2016-5007,CVE-2016-9878
spring-asm-3.1.4.RELEASE.jar
spring-tx-3.2.16.RELEASE.jar - CVE-2016-5007, CVE-2016-9878
Planning to make the following changes in our project. Please let us know what you think?
spring-aop , spring-tx to 3.2.16 - upgrade to version 3.2.16.
spring -asm - The latest version is 3.1.4. Is it ok to exclude this dependency(if all the tests pass) in pom.xml ? what do you suggest?
httpasyncclient-4.0.1.jar - upgrade to 4.0.2 as mentioned in the details of the link https://nvd.nist.gov/vuln/detail/CVE-2014-3577
spring-tx-3.2.16.RELEASE.jar - upgrade to 3.2.18 as per https://nvd.nist.gov/vuln/detail/CVE-2016-9878
-
6. Re: Help with Vulnerabilities in Teiid 9.0.1
durgadatta Sep 26, 2017 9:35 AM (in response to durgadatta)What i have basically done is :
excluded the transitive dependency and introduced the same library(later version) without the security vulnerability.
Is that fine ?
-
7. Re: Help with Vulnerabilities in Teiid 9.0.1
shawkins Sep 26, 2017 9:54 AM (in response to durgadatta)> excluded the transitive dependency and introduced the same library(later version) without the security vulnerability.
> Is that fine ?
I just want to qualify that the jars Teiid pulls into the kit, such as asm and aop especially the context they are used in, do not seem to be affected by security vulnerabilities.
As for the other spring or cxf issues in the WildFly kit, the first preference would be to upgrade to a later Teiid to pick up a later WildFly.
But if you need to stick with 9.0.1 specifically and create a patched build, you can certainly make the changes you are proposing and it will likely be fine.
> spring -asm - The latest version is 3.1.4. Is it ok to exclude this dependency(if all the tests pass) in pom.xml ? what do you suggest?
That should reflect that the specific jar is not subject to a CVE. However if you need to get rid of it that would likely prevent the usage of cxf configuration files with the ws connector. If that's ok with your usage, then that's fine.