Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is javalite-2.6-j8 affected by the vulnerability of Apache Commons Text? #1245

Open
ZeyuLiu12 opened this issue Oct 19, 2022 · 3 comments
Open

Is javalite-2.6-j8 affected by the vulnerability of Apache Commons Text? #1245

ZeyuLiu12 opened this issue Oct 19, 2022 · 3 comments
Assignees
@ipolevoy
Labels
bug Module-Async

Comments

@ZeyuLiu12
Copy link

A vulnerability was found in Apache Commons Text recently, javalite-2.6-j8 contains passive dependencies commons-text 1.8
Is javalite-2.6-j8 affected by that?
Details could be found in: https://seclists.org/oss-sec/2022/q4/22
GHSA-599f-7c49-w659: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults
Thanks.
@ipolevoy
@ipolevoy
Copy link
Member

The JavaLite Async uses Apache Artemis, which, in turn pulls org.apache.commons:commons-text:jar:1.9. I will see to upgrade the ApacheArtemis to the latest. This should fix this issue.

[INFO] org.javalite:javalite-async:jar:3.0-SNAPSHOT
[INFO] +- junit:junit:jar:4.13.1:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.javalite:javalite-common:jar:3.0-SNAPSHOT:compile
[INFO] |  +- org.dom4j:dom4j:jar:2.1.3:compile
[INFO] |  +- jaxen:jaxen:jar:1.2.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.4:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] +- org.javalite:activejdbc:jar:3.0-SNAPSHOT:compile
[INFO] |  \- org.javalite:app-config:jar:3.0-SNAPSHOT:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- org.apache.activemq:artemis-server:jar:2.24.0:compile
[INFO] |  +- com.google.guava:guava:jar:30.1-jre:compile
[INFO] |  |  \- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- org.jboss.logging:jboss-logging:jar:3.5.0.Final:compile
[INFO] |  +- org.jboss.logmanager:jboss-logmanager:jar:2.1.18.Final:compile
[INFO] |  |  \- org.wildfly.common:wildfly-common:jar:1.5.1.Final:compile
[INFO] |  +- org.apache.activemq:artemis-commons:jar:2.24.0:compile
[INFO] |  +- org.apache.activemq:artemis-selector:jar:2.24.0:compile
[INFO] |  +- org.apache.activemq:artemis-journal:jar:2.24.0:compile
[INFO] |  +- org.apache.activemq:artemis-jdbc-store:jar:2.24.0:compile
[INFO] |  |  \- org.apache.commons:commons-dbcp2:jar:2.7.0:compile
[INFO] |  |     \- org.apache.commons:commons-pool2:jar:2.7.0:compile
[INFO] |  +- org.apache.activemq:artemis-core-client:jar:2.24.0:compile
[INFO] |  |  +- org.jgroups:jgroups:jar:5.2.0.Final:compile
[INFO] |  |  +- io.netty:netty-handler-proxy:jar:4.1.77.Final:compile
[INFO] |  |  \- io.netty:netty-codec-socks:jar:4.1.77.Final:compile
[INFO] |  +- org.apache.activemq:artemis-quorum-api:jar:2.24.0:compile
[INFO] |  +- org.apache.activemq:activemq-artemis-native:jar:1.0.2:compile
[INFO] |  +- org.jctools:jctools-core:jar:2.1.2:compile
[INFO] |  +- io.netty:netty-buffer:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.77.Final:compile
[INFO] |  |  \- io.netty:netty-resolver:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.77.Final:compile
[INFO] |  |  +- io.netty:netty-transport-native-unix-common:jar:4.1.77.Final:compile
[INFO] |  |  \- io.netty:netty-transport-classes-epoll:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.77.Final:compile
[INFO] |  |  \- io.netty:netty-transport-classes-kqueue:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec:jar:4.1.77.Final:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  +- org.apache.commons:commons-configuration2:jar:2.8.0:compile
[INFO] |  |  +- org.apache.commons:commons-lang3:jar:3.11:test
[INFO] |  |  \- org.apache.commons:commons-text:jar:1.9:compile <<<<<<<<------------------- HERE!!!

@ipolevoy
Copy link
Member

@ZeyuLiu12 unfortunately upgrading to artemis-server 2.6.0 (Latest) did not solve the issue:

[INFO] |  +- org.apache.activemq:artemis-server:jar:2.26.0:compile
[INFO] |  |  +- com.google.guava:guava:jar:30.1-jre:compile
[INFO] |  |  |  \- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  +- org.jboss.logging:jboss-logging:jar:3.5.0.Final:compile
[INFO] |  |  +- org.jboss.logmanager:jboss-logmanager:jar:2.1.18.Final:compile
[INFO] |  |  |  \- org.wildfly.common:wildfly-common:jar:1.5.1.Final:compile
[INFO] |  |  +- org.apache.activemq:artemis-commons:jar:2.26.0:compile
[INFO] |  |  +- org.apache.activemq:artemis-selector:jar:2.26.0:compile
[INFO] |  |  +- org.apache.activemq:artemis-journal:jar:2.26.0:compile
[INFO] |  |  +- org.apache.activemq:artemis-jdbc-store:jar:2.26.0:compile
[INFO] |  |  |  \- org.apache.commons:commons-dbcp2:jar:2.7.0:compile
[INFO] |  |  |     \- org.apache.commons:commons-pool2:jar:2.7.0:compile
[INFO] |  |  +- org.apache.activemq:artemis-core-client:jar:2.26.0:compile
[INFO] |  |  |  +- org.jgroups:jgroups:jar:5.2.0.Final:compile
[INFO] |  |  |  +- io.netty:netty-handler-proxy:jar:4.1.79.Final:compile
[INFO] |  |  |  \- io.netty:netty-codec-socks:jar:4.1.79.Final:compile
[INFO] |  |  +- org.apache.activemq:artemis-quorum-api:jar:2.26.0:compile
[INFO] |  |  +- org.apache.activemq:activemq-artemis-native:jar:1.0.2:compile
[INFO] |  |  +- org.jctools:jctools-core:jar:2.1.2:compile
[INFO] |  |  +- io.netty:netty-buffer:jar:4.1.79.Final:compile
[INFO] |  |  +- io.netty:netty-transport:jar:4.1.79.Final:compile
[INFO] |  |  |  \- io.netty:netty-resolver:jar:4.1.79.Final:compile
[INFO] |  |  +- io.netty:netty-codec-http:jar:4.1.79.Final:compile
[INFO] |  |  +- io.netty:netty-common:jar:4.1.79.Final:compile
[INFO] |  |  +- io.netty:netty-handler:jar:4.1.79.Final:compile
[INFO] |  |  |  \- io.netty:netty-transport-native-unix-common:jar:4.1.79.Final:compile
[INFO] |  |  +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.79.Final:compile
[INFO] |  |  |  \- io.netty:netty-transport-classes-epoll:jar:4.1.79.Final:compile
[INFO] |  |  +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.79.Final:compile
[INFO] |  |  |  \- io.netty:netty-transport-classes-kqueue:jar:4.1.79.Final:compile
[INFO] |  |  +- io.netty:netty-codec:jar:4.1.79.Final:compile
[INFO] |  |  +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  |  |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |  |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  |  +- org.apache.commons:commons-configuration2:jar:2.8.0:compile
[INFO] |  |  |  +- org.apache.commons:commons-lang3:jar:3.11:test
[INFO] |  |  |  \- org.apache.commons:commons-text:jar:1.9:compile <<<<<--------------------- here

as you can see, org.apache.commons:commons-configuration2:jar:2.8.0:compile pulls org.apache.commons:commons-text:jar:1.9:compile as a dependency. The artemis-server v 2.6 is the latest available. This means that the bug needs to be reported there: https://activemq.apache.org/issues

@ZeyuLiu12 would you be so kind and report this to the ActiveMQ team here: https://activemq.apache.org/issues?

@ipolevoy ipolevoy self-assigned this Oct 19, 2022
@ZeyuLiu12
Copy link
Author

@ipolevoy okay, thank you very much.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ipolevoy ipolevoy

Labels
bug Module-Async
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ipolevoy @ZeyuLiu12