Posted to dev@commons.apache.org by Mike Drob <md...@apache.org> on 2022/10/10 15:19:30 UTC

[jxpath] reported CVE and path forward

Howdy folks,

I recently saw that there was a reported CVE[1] for Apache JXPath that became public due to no response to the reporter over 90 days. I am uncertain if the reporter had tried reaching out to the appropriate security lists beforehand and was ignored, or failed to follow our established procedures. Regardless, the issue is now public.

I have not personally verified the vulnerability, nor assessed the impact. NIST thinks it is a Big Deal, though, scoring it 9.8/10 [2].

It is hard to assess impact since the project does not publish artifacts to Maven Central, but I'm also taking that as an indicator of low adoption at this point in time. Further, the project has not had a release since 2015. There has been very limited mailing list activity, and the last 5 years of commits have only been typo/comment fixes.

If there is no community around it, is there a path to retirement? What are the next steps?

Thanks,
Mike

[1]: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133
[2]: https://nvd.nist.gov/vuln/detail/CVE-2022-41852

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Re: [jxpath] reported CVE and path forward

Posted by Bruno Kinoshita <ki...@apache.org>.
Hi,

I commented in another thread about oss-fuzz and new components, maybe that
could be part of the issue here.

See that thread in the archives, or TL;DR: someone is adding more Commons
Components to oss-fuzz, directly as components instead of using the shared
apache-commons project. This latter project in oss-fuzz has a custom policy
for reporting issues that is aligned with the ASF process. No idea what is
the policy of these new oss-fuzz components, who created them, nor if
anyone in ASF is being notified (I monitor the project-commons issues,
especially those for imaging).

https://github.com/google/oss-fuzz/tree/master/projects/ (see
apache-commons)

I **think** the only people being notified of issues are those in the
project.yaml file, e.g.
https://github.com/google/oss-fuzz/blob/master/projects/apache-commons-jxpath/project.yaml

It looks like whoever set up that project in oss-fuzz decided to send
notifications only to @code-intelligence emails, which is not very
practical.

-Bruno

On Tue, 11 Oct 2022 at 04:40, Mark Thomas <ma...@apache.org> wrote:


Re: [jxpath] reported CVE and path forward

Posted by Mark Thomas <ma...@apache.org>.
Hmm.

There are various red flags here that suggest to me that this issue is likely not valid.

1. The source is oss-fuzz. I have been dealing with oss-fuzz issues for Apache Tomcat and so far out of the 30+ issues raised (the majority marked as security relevant) not one of the issues was a vulnerability.

2. The CNA is Google. Google is not authorised to issue CVEs for ASF projects except in strictly limited circumstances that do not apply here.

3. There is no record of CVE-2022-41852 on *ANY* ASF security list.

The next steps are:

- Identify the current JXPath maintainers (or some volunteers to clean up this mess)

- Gain access to the details of the reports

- Assess the reports

- Invalidate / update the CVEs as required

I don't see meaningful commits to the repo after 2015 so I suspect we'll be looking for volunteers.

Mark



On 10/10/2022 16:19, Mike Drob wrote:
