El Alto Holmes Security/Vulnerability Report

Owned by Amy Zwarico
Nov 02, 2019
6 min read

This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.



Repository

Group

Problem Code

Effective/Ineffective

Resolvable by Project

Impact Analysis

Action

Repository

Group

Problem Code

Effective/Ineffective

Resolvable by Project

Impact Analysis

Action

holmes-common

com.fasterxml.jackson.core

CVE-2018-7489

Ineffective

Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization.

holmes-common does not use ObjectMapper for serialization/deserialization of JSON objects. Instead, Holmes uses GSON to avoid the vulnerability issues. The reason this is detected is that jackson-databind is introduced indirectly by msb-java-sdk. Also, the MSB team has declared this to be a false positive.

No

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Since it’s a false positive, we are not going to fix this at the moment.

holmes-common

commons-codec

N/A

Effective

Yes

The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings.

HOLMES-284: Resolve commons-codec vulnerability issues.Closed



Repository

Group

Problem Code

Effective/Ineffective

Resolvable by Project

Impact Analysis

Action

Repository

Group

Problem Code

Effective/Ineffective

Resolvable by Project

Impact Analysis

Action

holmes-engine-management

com.fasterxml.jackson.core

N/A

Ineffective

Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization.

holmes-engine-management does not use ObjectMapper for serialization/deserialization of JSON objects. Instead, Holmes uses GSON to avoid the vulnerability issues. The reason this is detected is that jackson-databind is introduced indirectly by dropwizard-core.

To solve the problem, we have to replace the framework of Holmes or wait for updates from Dropwizard.

From Homles perspective, we don't use Jackson for JSON data processing. So this is not a big deal for Holmes.

No

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization.

Since it does not cause any actual vulnerability problem, we are not going to fix this for now.

holmes-engine-management

com.fasterxml.jackson.core

CVE-2019-12086

Ineffective

Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization.

holmes-rule-management does not use ObjectMapper for serialization/deserialization of JSON objects. Instead, Holmes uses GSON to avoid the vulnerability issues. The reason this is detected is that jackson-databind is introduced indirectly by dropwizard-core.

To solve the problem, we have to replace the framework of Holmes or wait for updates from Dropwizard.

From Homles perspective, we don't use Jackson for JSON data processing. So this is not a big deal for Holmes.

No

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. The jackson-databind component contains an Insecure Deserialization Vulnerability. The validateSubType() function in the SubTypeValidator class allows untrusted input to be deserialized as a com.mysql.cj.jdbc.admin.MiniAdmin instance. A remote attacker can exploit this behavior by submitting a crafted JSON payload to a deserializing endpoint that uses jackson-databind. The attacker's deserialized Java object may then create a connection with an attacker controlled MySql server. When running a mysql-connector-java jar versioned 8.0.14 and earlier, the attacker's MySql server may read arbitrary files accessible by the vulnerable application when the connection is established. The application is vulnerable by using this component if a mysql-connector-java jar versioned 8.0.14 or lower is in the classpath while Default Typing is enabled.

Since it does not cause any actual vulnerability problem, we are not going to fix this for now.

holmes-engine-management

com.thoughtworks.xstream

CVE-2013-7285

Effective

Yes

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON. XStream does not provide security checks when creating Java objects. When untrusted data is processed, an attacker can provide crafted data that allows arbitrary code execution resulting in access to the host system that is only limited by the privileges of the running application.

HOLMES-285: Resolve xstream vulerability issues.Closed

holmes-engine-management

com.thoughtworks.xstream

CVE-2019-10173

Effective

Yes

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)

HOLMES-285: Resolve xstream vulerability issues.Closed

holmes-engine-management

commons-codec

N/A

Effective

Yes

The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings.

HOLMES-284: Resolve commons-codec vulnerability issues.Closed



Repository

Group

Problem Code

Effective/Ineffective

Resolvable by Project

Impact Analysis

Action

Repository

Group

Problem Code

Effective/Ineffective

Resolvable by Project

Impact Analysis

Action

holmes-rule-management

com.fasterxml.jackson.core

N/A

Ineffective

Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization.

holmes-engine-management does not use ObjectMapper for serialization/deserialization of JSON objects. Instead, Holmes uses GSON to avoid the vulnerability issues. The reason this is detected is that jackson-databind is introduced indirectly by dropwizard-core.

To solve the problem, we have to replace the framework of Holmes or wait for updates from Dropwizard.

From Homles perspective, we don't use Jackson for JSON data processing. So this is not a big deal for Holmes.

No

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization.

Since it does not cause any actual vulnerability problem, we are not going to fix this for now.

holmes-rule-management

com.fasterxml.jackson.core

CVE-2019-12086

Ineffective

Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization.

holmes-rule-management does not use ObjectMapper for serialization/deserialization of JSON objects. Instead, Holmes uses GSON to avoid the vulnerability issues. The reason this is detected is that jackson-databind is introduced indirectly by dropwizard-core.

To solve the problem, we have to replace the framework of Holmes or wait for updates from Dropwizard.

From Homles perspective, we don't use Jackson for JSON data processing. So this is not a big deal for Holmes.

No

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. The jackson-databind component contains an Insecure Deserialization Vulnerability. The validateSubType() function in the SubTypeValidator class allows untrusted input to be deserialized as a com.mysql.cj.jdbc.admin.MiniAdmin instance. A remote attacker can exploit this behavior by submitting a crafted JSON payload to a deserializing endpoint that uses jackson-databind. The attacker's deserialized Java object may then create a connection with an attacker controlled MySql server. When running a mysql-connector-java jar versioned 8.0.14 and earlier, the attacker's MySql server may read arbitrary files accessible by the vulnerable application when the connection is established. The application is vulnerable by using this component if a mysql-connector-java jar versioned 8.0.14 or lower is in the classpath while Default Typing is enabled.

Since it does not cause any actual vulnerability problem, we are not going to fix this for now.

holmes-rule-management

commons-codec

N/A

Effective

Yes

The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings.

HOLMES-284: Resolve commons-codec vulnerability issues.Closed

holmes-rule-management

commons-codec

N/A

Effective

Yes

The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings.

HOLMES-284: Resolve commons-codec vulnerability issues.Closed