You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@oodt.apache.org by "Baron Du (Jira)" <ji...@apache.org> on 2021/10/06 05:34:00 UTC
[jira] [Created] (OODT-1038) Dependency
org.apache.httpcomponents:httpclient, leading to CVE problem
Baron Du created OODT-1038:
------------------------------
Summary: Dependency org.apache.httpcomponents:httpclient, leading to CVE problem
Key: OODT-1038
URL: https://issues.apache.org/jira/browse/OODT-1038
Project: OODT
Issue Type: Improvement
Components: curator
Reporter: Baron Du
Hi, In **oodt-master/curator/sso**,there is a dependency **org.apache.httpcomponents:httpclient:4.4** that calls the risk method.
[CVE-2020-13956](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956)
The scope of this CVE affected version is **[4.7,4.13.1))**
After further analysis, in this project, the main Api called is **<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>**
Risk method repair link : [GitHub](https://github.com/apache/httpcomponents-client/commit/894234a5aeb9958e7e466c383e4d0ded17a9a813#diff-a169c0c63c537750e3394f7e1407252053ffbc489181450a6c361cd7f8f67a22)
**CVE Bug Invocation Path--**
**Path Length : 6**
```
<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[92]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[82]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[107]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[55]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.oodt.security.sso.opensso.SSOProxy: org.apache.oodt.security.sso.opensso.IdentityDetails readIdentity(java.lang.String,java.lang.String)> (org.apache.oodt.security.sso.opensso.SSOProxy.java:[150]) in /detect/unzip/oodt-master/curator/sso/target/classes
```
**Dependency tree--**
```
[INFO] org.apache.oodt:curator-sso:jar:1.10-SNAPSHOT
[INFO] +- commons-codec:commons-codec:jar:1.3:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.4:compile
[INFO] | \- org.apache.httpcomponents:httpcore:jar:4.4:compile
[INFO] +- javax.servlet:servlet-api:jar:2.4:compile
[INFO] \- org.apache.oodt:cas-metadata:jar:1.10-SNAPSHOT:compile
[INFO] +- com.google.guava:guava:jar:19.0:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] +- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.apache.oodt:oodt-commons:jar:1.10-SNAPSHOT:compile
[INFO] | +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] | +- commons-dbcp:commons-dbcp:jar:1.4:compile
[INFO] | +- commons-pool:commons-pool:jar:1.6:compile
[INFO] | +- junit:junit:jar:4.12:compile
[INFO] | | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] | +- xerces:xercesImpl:jar:2.9.1:compile
[INFO] | | \- xml-apis:xml-apis:jar:1.3.04:compile
[INFO] | +- xmlrpc:xmlrpc:jar:2.0.1:compile
[INFO] | +- joda-time:joda-time:jar:2.9.4:compile
[INFO] | +- org.apache.avro:avro:jar:1.8.2:compile
[INFO] | | +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] | | +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] | | +- com.thoughtworks.paranamer:paranamer:jar:2.7:compile
[INFO] | | +- org.xerial.snappy:snappy-java:jar:1.1.1.3:compile
[INFO] | | +- org.apache.commons:commons-compress:jar:1.12:compile
[INFO] | | +- org.tukaani:xz:jar:1.5:compile
[INFO] | | \- org.slf4j:slf4j-api:jar:1.7.12:compile
[INFO] | \- org.apache.avro:avro-ipc:jar:1.8.2:compile
[INFO] | +- org.mortbay.jetty:jetty:jar:6.1.25:compile
[INFO] | +- org.mortbay.jetty:jetty-util:jar:6.1.25:compile
[INFO] | +- io.netty:netty:jar:3.5.13.Final:compile
[INFO] | +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] | \- org.mortbay.jetty:servlet-api:jar:2.5-20081211:compile
[INFO] +- org.apache.oodt:pcs-input:jar:1.10-SNAPSHOT:compile
[INFO] +- org.apache.tika:tika-core:jar:1.13:compile
[INFO] +- org.springframework:spring-core:jar:2.5.4:compile
[INFO] \- org.springframework:spring-hibernate3:jar:2.0.8:compile
[INFO] +- aopalliance:aopalliance:jar:1.0:compile
[INFO] +- org.hibernate:hibernate:jar:3.2.5.ga:compile
[INFO] | +- net.sf.ehcache:ehcache:jar:1.2.3:compile
[INFO] | +- asm:asm-attrs:jar:1.5.3:compile
[INFO] | +- dom4j:dom4j:jar:1.6.1:compile
[INFO] | +- antlr:antlr:jar:2.7.6:compile
[INFO] | +- cglib:cglib:jar:2.1_3:compile
[INFO] | \- asm:asm:jar:1.5.3:compile
[INFO] +- org.springframework:spring-beans:jar:2.5.4:compile
[INFO] +- org.springframework:spring-context:jar:2.5.4:compile
[INFO] +- org.springframework:spring-dao:jar:2.0.8:compile
[INFO] \- org.springframework:spring-jdbc:jar:2.0.8:compile
```
**_Suggested solutions:_**
Update dependency version
Thank you very much.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)