Posted to dev@ws.apache.org by "Nick Monkman (Jira)" <ji...@apache.org> on 2021/03/19 16:15:00 UTC

[jira] [Comment Edited] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

    [ https://issues.apache.org/jira/browse/WSS-683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17304999#comment-17304999 ] 

Nick Monkman edited comment on WSS-683 at 3/19/21, 4:14 PM:
------------------------------------------------------------

Yes. Here is the relevant output of 'gradle dependencies'. The {{velocity-1.7}} reference is near the bottom.

{noformat}
|    +--- org.apache.wss4j:wss4j-ws-security-common:2.3.1
|    |    +--- org.slf4j:slf4j-api:1.7.30 -> 1.8.0-beta2
|    |    +--- org.apache.santuario:xmlsec:2.2.1
|    |    |    +--- org.slf4j:slf4j-api:1.7.30 -> 1.8.0-beta2
|    |    |    +--- commons-codec:commons-codec:1.15
|    |    |    \--- com.fasterxml.woodstox:woodstox-core:5.2.1
|    |    |         \--- org.codehaus.woodstox:stax2-api:4.2
|    |    +--- org.opensaml:opensaml-saml-impl:3.4.5
|    |    |    +--- org.opensaml:opensaml-profile-api:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-core:3.4.5
|    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    +--- io.dropwizard.metrics:metrics-core:3.1.2
|    |    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.7 -> 1.8.0-beta2
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1
|    |    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    |    +--- com.google.code.findbugs:jsr305:3.0.1 -> 3.0.2
|    |    |    |    |    |    +--- com.google.guava:guava:20.0 -> 29.0-jre (*)
|    |    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.4.5
|    |    |    |    |    +--- org.opensaml:opensaml-core:3.4.5 (*)
|    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    +--- org.apache.httpcomponents:httpclient:4.5.3 -> 4.5.13 (*)
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-saml-api:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.4.5
|    |    |    |    |    +--- org.opensaml:opensaml-security-api:3.4.5
|    |    |    |    |    |    +--- org.opensaml:opensaml-core:3.4.5 (*)
|    |    |    |    |    |    +--- org.apache.santuario:xmlsec:2.0.10 -> 2.2.1 (*)
|    |    |    |    |    |    +--- org.bouncycastle:bcprov-jdk15on:1.59 -> 1.68
|    |    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- org.opensaml:opensaml-soap-api:3.4.5
|    |    |    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.4.5 (*)
|    |    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.4.5 (*)
|    |    |    |    |    +--- org.apache.httpcomponents:httpclient:4.5.3 -> 4.5.13 (*)
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-profile-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-storage-api:3.4.5
|    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-storage-api:3.4.5 (*)
|    |    |    +--- org.opensaml:opensaml-security-impl:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-security-api:3.4.5 (*)
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-xmlsec-impl:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-core:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-security-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.4.5 (*)
|    |    |    |    +--- org.apache.santuario:xmlsec:2.0.10 -> 2.2.1 (*)
|    |    |    |    +--- org.opensaml:opensaml-security-impl:3.4.5 (*)
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-soap-impl:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-soap-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-profile-api:3.4.5 (*)
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.apache.velocity:velocity:1.7
|    |    |    |    +--- commons-collections:commons-collections:3.2.1 -> 3.2.2
|    |    |    |    \--- commons-lang:commons-lang:2.4
|    |    |    +--- org.apache.httpcomponents:httpclient:4.5.3 -> 4.5.13 (*)
|    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
{noformat}

> WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)
> --------------------------------------------------------------------------------------
>
>                 Key: WSS-683
>                 URL: https://issues.apache.org/jira/browse/WSS-683
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.3.1
>            Reporter: Nick Monkman
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>              Labels: security
>
> WSS4J has a transitive dependency on velocity 1.7 (via OpenSAML 3.x) which is subject to a high security vulnerability ( [https://nvd.nist.gov/vuln/detail/CVE-2020-13936] )
> WSS4J should update its OpenSAML dependency to 4.x thereby allowing velocity-core-engine to be updated to the patched version (2.3)
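Added example, not code from the ticket or the WSS4J project: a small Python parser for the `gradle dependencies` tree format quoted in the comment above. It locates every occurrence of a given artifact whose resolved version (the right-hand side of Gradle's `->`) is below a fixed version and reports the dependency path that pulls it in, which is the check a reviewer would run to confirm the OpenSAML 3.x route to Velocity 1.7. The `TREE` excerpt is a constructed subset of the tree in the comment, and `find_below` and the numeric-only version comparison are my own assumptions, not Gradle APIs.

```python
import re

# Constructed excerpt of `gradle dependencies` output, shaped like the tree in
# WSS-683 with most branches dropped. "a -> b" is Gradle's resolution note
# (b is what ends up on the classpath); "(*)" marks a subtree printed earlier.
TREE = """\
|    +--- org.apache.wss4j:wss4j-ws-security-common:2.3.1
|    |    +--- org.slf4j:slf4j-api:1.7.30 -> 1.8.0-beta2
|    |    +--- org.opensaml:opensaml-saml-impl:3.4.5
|    |    |    +--- org.opensaml:opensaml-profile-api:3.4.5
|    |    |    |    \\--- org.opensaml:opensaml-core:3.4.5 (*)
|    |    |    +--- org.apache.velocity:velocity:1.7
|    |    |    |    +--- commons-collections:commons-collections:3.2.1 -> 3.2.2
|    |    |    |    \\--- commons-lang:commons-lang:2.4
|    |    |    \\--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
"""

# One tree line: indent units of 5 chars ("|    " or "     "), then "+--- " or
# "\--- ", then group:name:requested, optionally "-> resolved" and "(*)".
LINE = re.compile(r"^((?:[| ] {4})*)[+\\]--- ([^:\s]+):([^:\s]+):(\S+)(?: -> (\S+))?")

def parse_tree(text):
    """Yield (group, name, requested, resolved, path) for every node, where path
    is the list of ancestor coordinates from the top of the printed tree."""
    stack = []  # (depth, coordinate) of the ancestors of the current line
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # configuration headers, blank lines, project deps, ...
        depth = len(m.group(1)) // 5
        group, name, requested = m.group(2), m.group(3), m.group(4)
        resolved = m.group(5) or requested
        while stack and stack[-1][0] >= depth:  # left a sibling/child subtree
            stack.pop()
        yield group, name, requested, resolved, [c for _, c in stack]
        stack.append((depth, f"{group}:{name}:{resolved}"))

def version_key(v):
    """Numeric-only ordering key: '1.7' -> (1, 7), '29.0-jre' -> (29, 0).
    Adequate for release lines compared here; not a full Maven comparator."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def find_below(text, group, name, fixed_in):
    """Every group:name node whose *resolved* version is older than fixed_in,
    with the path that pulls it in. Checking the resolved side matters: a
    requested 1.7.30 that Gradle upgraded to 1.8.0 is not on the classpath."""
    hits = []
    for g, n, requested, resolved, path in parse_tree(text):
        if (g, n) == (group, name) and version_key(resolved) < version_key(fixed_in):
            hits.append({"requested": requested, "resolved": resolved, "path": path})
    return hits

if __name__ == "__main__":
    # The patched line is a different artifact (velocity-engine-core 2.3 per the
    # ticket), so any legacy org.apache.velocity:velocity hit is worth reporting.
    for hit in find_below(TREE, "org.apache.velocity", "velocity", "2.3"):
        print(f"velocity {hit['resolved']} via " + " > ".join(hit["path"]))
```

On the full tree from the comment the same call reports the single Velocity 1.7 node reached through wss4j-ws-security-common and opensaml-saml-impl.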



--
This message was sent by Atlassian Jira
(v8.3.4#803005)