7 Replies Latest reply on Oct 14, 2016 4:21 AM by Durgadatta Sahu

    security vulnerabilities in TEIID embedded 9.0.1

    Durgadatta Sahu Newbie

      Hi,

       

      I am using Teiid-embedded-9.0.1 ,  found security vulnerabilities  in some  third party api which is used in TEIID as bellow,

       

      xalan-2.7.0.jar -  vulnerable id-  CVE-2014-0107

       

      httpclient-4.3.2.jar , vulnerable id- CVE-2014-3577

       

      and in Spring Framework 3.2.12 .

       

      We want to fix these vulnerabilities by upgrading the jars to latest versions. Is there a way to fix this?

       

      We are in a critical situation and any help on this is really appreciated.

       

      Thanks,

      Durga

       

       

       

       

        • 1. Re: security vulnerabilities in TEIID embedded 9.0.1
          Ramesh Reddy Master

          You start by adding a JIRA, then you can work on it and submit a patch we will evaluate it and accept the changes. Since 9.0.1 is already been there for little while, they may have to included with 9.1 (being released THIS week).

           

          Ramesh..

          • 2. Re: security vulnerabilities in TEIID embedded 9.0.1
            Steven Hawkins Master

            These are transitive dependencies that typically have managed overrides from wildfly.  For example xalan usage in 9.0.1 should resolve to version 2.7.1.jbossorg-1 instead.  Can you share the details of your pom that is pulling in the undesirable dependencies?

            • 3. Re: security vulnerabilities in TEIID embedded 9.0.1
              Durgadatta Sahu Newbie

              Hi Steven,

               

              I have attached the pom.xml that I used for teiid pulgin, PFA  .

               

              In teiid pom its using XOM and the XOM internally using the xalan 2.7.0,

              I have added the exlusion in our pom for xalan .

              But for other i.e httpclient-4.3.2.jar and Spring Framework 3.2.12  , the vulnerabilities fixed  in  their latest version  (to httpclient-4.5.2 and httpcore-4.4.4  and spring -3.2.16

               

               

              Thanks,

              Durga

              • 4. Re: security vulnerabilities in TEIID embedded 9.0.1
                Durgadatta Sahu Newbie

                Just for quick solution I was trying to override the dependencies in my pom.xml for Spring and http client , and I am able to build it with latest version of dependencies .   do you think it will have any hidden problem  ?

                 

                I added follwing dependencies in my pom.xml to override

                 

                <dependency>

                    <groupId>org.apache.httpcomponents</groupId>

                    <artifactId>httpcore</artifactId>

                    <version>4.4.4</version>

                    </dependency>

                    <dependency>

                  <groupId>org.apache.httpcomponents</groupId>

                  <artifactId>httpclient</artifactId>

                  <version>4.5.2</version>

                  </dependency>

                  <dependency>

                    <groupId>org.springframework</groupId>

                    <artifactId>spring-core</artifactId>

                    <version>3.2.16.RELEASE</version>   

                  </dependency>

                  <dependency>

                    <groupId>org.springframework</groupId>

                    <artifactId>spring-beans</artifactId>

                    <version>3.2.16.RELEASE</version>

                    </dependency>

                    <dependency>

                    <groupId>org.springframework</groupId>

                    <artifactId>spring-context</artifactId>

                    <version>3.2.16.RELEASE</version>

                    </dependency>

                    <dependency>

                    <groupId>org.springframework</groupId>

                    <artifactId>spring-expression</artifactId>

                    <version>3.2.16.RELEASE</version>

                    </dependency>

                    <dependency>

                    <groupId>org.springframework</groupId>

                    <artifactId>spring-tx</artifactId>

                    <version>3.2.16.RELEASE</version>

                    </dependency>

                 

                 

                 

                Thanks,

                Durga

                • 5. Re: security vulnerabilities in TEIID embedded 9.0.1
                  Ramesh Reddy Master

                  All these resources are used typically used with either "webservices" translator or Salesforce translator. So if you want to make the functionality then report back that would be fine. The httpclient ones are used only in Salesforce, and Spring is used in both and has very limited role, so there should not be much of an issue with that.

                  • 6. Re: security vulnerabilities in TEIID embedded 9.0.1
                    Steven Hawkins Master

                    In your pom you can use the same managed dependencies as the container by including the following in dependencyManagement:

                     

                                 <dependency>
                                    <groupId>org.wildfly.core</groupId>
                                    <artifactId>wildfly-core-parent</artifactId>
                                    <type>pom</type>
                                    <version>${version.org.wildfly.core}</version>
                                    <scope>import</scope>
                                </dependency>
                                <dependency>
                                    <groupId>org.wildfly</groupId>
                                    <artifactId>wildfly-parent</artifactId>
                                    <type>pom</type>
                                    <version>${version.org.wildfly}</version>
                                    <scope>import</scope>              
                                </dependency>
                    

                     

                    For 9.0.1, you would use the versions:

                     

                         <version.org.wildfly>9.0.2.Final</version.org.wildfly>
                         <version.org.wildfly.core>1.0.1.Final</version.org.wildfly.core>
                    

                     

                    Of course as Ramesh suggests you can selectively override as well.  But I think we need to promote the usage of the WildFly dependencies out of the box, can you open an issue for this?

                    • 7. Re: security vulnerabilities in TEIID embedded 9.0.1
                      Durgadatta Sahu Newbie

                      Thanks Ramesh and Steven,

                      I have opened issue for this (TEIID-4514)

                       

                      Thanks,

                      Durga