Posted to dev@oodt.apache.org by "che (Jira)" <ji...@apache.org> on 2022/02/10 10:58:00 UTC

[jira] [Updated] (OODT-1041) Dependency org.apache.httpcomponents:httpclient, leading to CVE problem

     [ https://issues.apache.org/jira/browse/OODT-1041?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

che updated OODT-1041:
----------------------
    Description: 
Hi, in oodt-master/curator/sso, there is a dependency org.apache.httpcomponents:httpclient:4.4 that calls the risk method.

CVE-2020-13956: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956

The affected version scope of this CVE is [,4.5.13).

After further analysis, in this project, the main API called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link: https://github.com/apache/httpcomponents-client/commit/894234a5aeb9958e7e466c383e4d0ded17a9a813#diff-a169c0c63c537750e3394f7e1407252053ffbc489181450a6c361cd7f8f67a22

CVE Bug Invocation Path--

Path Length : 6

```
<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[92]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[82]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[107]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[55]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.oodt.security.sso.opensso.SSOProxy: org.apache.oodt.security.sso.opensso.IdentityDetails readIdentity(java.lang.String,java.lang.String)> (org.apache.oodt.security.sso.opensso.SSOProxy.java:[150]) in /detect/unzip/oodt-master/curator/sso/target/classes
```

Dependency tree--

```
[INFO] org.apache.oodt:curator-sso:jar:1.10-SNAPSHOT
[INFO] +- commons-codec:commons-codec:jar:1.3:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.4:compile
[INFO] | - org.apache.httpcomponents:httpcore:jar:4.4:compile
[INFO] +- javax.servlet:servlet-api:jar:2.4:compile
[INFO] - org.apache.oodt:cas-metadata:jar:1.10-SNAPSHOT:compile
[INFO] +- com.google.guava:guava:jar:19.0:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] +- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.apache.oodt:oodt-commons:jar:1.10-SNAPSHOT:compile
[INFO] | +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] | +- commons-dbcp:commons-dbcp:jar:1.4:compile
[INFO] | +- commons-pool:commons-pool:jar:1.6:compile
[INFO] | +- junit:junit:jar:4.12:compile
[INFO] | | - org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] | +- xerces:xercesImpl:jar:2.9.1:compile
[INFO] | | - xml-apis:xml-apis:jar:1.3.04:compile
[INFO] | +- xmlrpc:xmlrpc:jar:2.0.1:compile
[INFO] | +- joda-time:joda-time:jar:2.9.4:compile
[INFO] | +- org.apache.avro:avro:jar:1.8.2:compile
[INFO] | | +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] | | +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] | | +- com.thoughtworks.paranamer:paranamer:jar:2.7:compile
[INFO] | | +- org.xerial.snappy:snappy-java:jar:1.1.1.3:compile
[INFO] | | +- org.apache.commons:commons-compress:jar:1.12:compile
[INFO] | | +- org.tukaani:xz:jar:1.5:compile
[INFO] | | - org.slf4j:slf4j-api:jar:1.7.12:compile
[INFO] | - org.apache.avro:avro-ipc:jar:1.8.2:compile
[INFO] | +- org.mortbay.jetty:jetty:jar:6.1.25:compile
[INFO] | +- org.mortbay.jetty:jetty-util:jar:6.1.25:compile
[INFO] | +- io.netty:netty:jar:3.5.13.Final:compile
[INFO] | +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] | - org.mortbay.jetty:servlet-api:jar:2.5-20081211:compile
[INFO] +- org.apache.oodt:pcs-input:jar:1.10-SNAPSHOT:compile
[INFO] +- org.apache.tika:tika-core:jar:1.13:compile
[INFO] +- org.springframework:spring-core:jar:2.5.4:compile
[INFO] - org.springframework:spring-hibernate3:jar:2.0.8:compile
[INFO] +- aopalliance:aopalliance:jar:1.0:compile
[INFO] +- org.hibernate:hibernate:jar:3.2.5.ga:compile
[INFO] | +- net.sf.ehcache:ehcache:jar:1.2.3:compile
[INFO] | +- asm:asm-attrs:jar:1.5.3:compile
[INFO] | +- dom4j:dom4j:jar:1.6.1:compile
[INFO] | +- antlr:antlr:jar:2.7.6:compile
[INFO] | +- cglib:cglib:jar:2.1_3:compile
[INFO] | - asm:asm:jar:1.5.3:compile
[INFO] +- org.springframework:spring-beans:jar:2.5.4:compile
[INFO] +- org.springframework:spring-context:jar:2.5.4:compile
[INFO] +- org.springframework:spring-dao:jar:2.0.8:compile
[INFO] - org.springframework:spring-jdbc:jar:2.0.8:compile
```

Suggested solutions:

Update dependency version

 

Thank you very much.

  was:
Hi, in oodt-master/curator/sso, there is a dependency org.apache.httpcomponents:httpclient:4.4 that calls the risk method.

CVE-2020-13956: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956

The affected version scope of this CVE is [4.7,4.13.1)).

After further analysis, in this project, the main API called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link: https://github.com/apache/httpcomponents-client/commit/894234a5aeb9958e7e466c383e4d0ded17a9a813#diff-a169c0c63c537750e3394f7e1407252053ffbc489181450a6c361cd7f8f67a22



Suggested solutions:

Update dependency version

 

Thank you very much.


> Dependency org.apache.httpcomponents:httpclient, leading to CVE problem
> -----------------------------------------------------------------------
>
>                 Key: OODT-1041
>                 URL: https://issues.apache.org/jira/browse/OODT-1041
>             Project: OODT
>          Issue Type: Bug
>            Reporter: che
>            Priority: Major
>
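As an added example (not part of this report or of the OODT project), a small Python script that scans `mvn dependency:tree` output such as the tree in this report and flags org.apache.httpcomponents:httpclient versions inside the affected range [,4.5.13) given above. The ADVISORIES table and the sample lines are constructed from this report, and the Maven range handling is a simplified assumption that compares numeric version segments only.

```python
# Flag artifacts in "mvn dependency:tree" output whose version falls in an affected Maven range.
import re

# Constructed sample: the relevant lines of the dependency tree in this report.
SAMPLE_TREE = """\
[INFO] org.apache.oodt:curator-sso:jar:1.10-SNAPSHOT
[INFO] +- commons-codec:commons-codec:jar:1.3:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.4:compile
[INFO] | - org.apache.httpcomponents:httpcore:jar:4.4:compile
[INFO] +- javax.servlet:servlet-api:jar:2.4:compile
"""

# (group, artifact) -> affected Maven range; assumed table built from this report
ADVISORIES = {("org.apache.httpcomponents", "httpclient"): "[,4.5.13)"}  # CVE-2020-13956

def version_key(v):
    """Numeric prefix as a tuple: 4.5 == 4.5.0 < 4.5.13; qualifiers like -SNAPSHOT ignored."""
    key = []
    for part in re.split(r"[.-]", v):
        if not part.isdigit():
            break
        key.append(int(part))
    while key and key[-1] == 0:
        key.pop()
    return tuple(key)

def in_range(version, spec):
    """Maven range syntax: [ ] inclusive, ( ) exclusive, empty bound = open."""
    lo, hi = (s.strip() for s in spec[1:-1].split(","))
    k, lo_k, hi_k = version_key(version), version_key(lo), version_key(hi)
    if lo and (k < lo_k or (spec[0] == "(" and k == lo_k)):
        return False
    if hi and (k > hi_k or (spec[-1] == ")" and k == hi_k)):
        return False
    return True

def parse_tree(text):
    """Yield (group, artifact, version) for every coordinate line in the tree."""
    for line in text.splitlines():
        m = re.search(r"([\w.-]+:[\w.-]+:[\w-]+(?::[\w.-]+){1,3})\s*$", line)
        if m:
            f = m.group(1).split(":")
            # g:a:type:version[:scope] or g:a:type:classifier:version:scope
            yield f[0], f[1], f[4] if len(f) == 6 else f[3]

def affected_artifacts(tree_text, advisories=ADVISORIES):
    """Return [(group, artifact, version, range)] for each vulnerable coordinate."""
    return [(g, a, v, advisories[(g, a)]) for g, a, v in parse_tree(tree_text)
            if (g, a) in advisories and in_range(v, advisories[(g, a)])]
```

Run against the full `mvn dependency:tree` output of a module to confirm that a version bump actually removed every httpclient coordinate below 4.5.13, including transitive ones.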



--
This message was sent by Atlassian Jira
(v8.20.1#820001)