El Alto MSB Security/Vulnerability Report

These tables list the known exploitable and non-exploitable vulnerabilities in the third-party packages used in the project.



| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| msb-apigateway | com.fasterxml.jackson.core | CVE-2019-12086 | Effective | No | jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. Note: this vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized. | MSB Project will monitor for a fix. |
| msb-apigateway | jquery | N/A | Effective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype. An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | MSB Project will update the dependency to a newer version in which the issue is fixed. |
| msb-apigateway | com.squareup.okhttp3 | CVE-2018-20200 | Effective | Yes | ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: this id is disputed because some parties do not consider this a vulnerability. Their rationale can be found at https://github.com/square/okhttp/issues/4967. | MSB Project will update the dependency to a newer version in which the issue is fixed. |
| msb-apigateway | commons-codec | N/A | Effective | No | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | MSB Project will monitor for a fix. |
| msb-apigateway | org.eclipse.jetty | CVE-2019-10241, CVE-2019-10247 | Effective | No | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in the ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch the resource list as an HTML directory listing. This allows any JavaScript present in the list items to be fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | MSB Project will monitor for a fix. |
| msb-apigateway | org.eclipse.jetty | CVE-2019-10241, CVE-2019-10246 | Effective | No | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in the ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch the resource list as an HTML directory listing. This allows any JavaScript present in the list items to be fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | MSB Project will monitor for a fix. |



| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| msb-discovery | com.fasterxml.jackson.core | CVE-2019-12086 | Effective | No | jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. Note: this vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized. | MSB Project will monitor for a fix. |
| msb-discovery | com.smoketurner.dropwizard | CVE-2019-12086, CVE-2019-10241, CVE-2019-10246, CVE-2019-10247 | Ineffective (zipkin-example will not be invoked in the MSB code.) | No | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype. An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | Cannot find the zipkin-example jar in the dependency tree; it might not exist, or this may be a false report by Nexus IQ. |
| msb-discovery | commons-codec | N/A | Effective | No | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | MSB Project will monitor for a fix. |
| msb-discovery | org.eclipse.jetty | CVE-2019-10241, CVE-2019-10247 | Effective | No | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in the ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch the resource list as an HTML directory listing. This allows any JavaScript present in the list items to be fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | MSB Project will monitor for a fix. |
| msb-discovery | org.eclipse.jetty | CVE-2019-10241, CVE-2019-10246 | Effective | No | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in the ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch the resource list as an HTML directory listing. This allows any JavaScript present in the list items to be fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | MSB Project will monitor for a fix. |



| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| msb-java-sdk | com.fasterxml.jackson.core | CVE-2018-7489 | Effective | No | FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized. | MSB Project will monitor for a fix. |
| msb-java-sdk | com.squareup.okhttp3 | CVE-2018-20200 | Effective | Yes | ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: this id is disputed because some parties do not consider this a vulnerability. Their rationale can be found at https://github.com/square/okhttp/issues/4967. | MSB Project will update the dependency to a newer version in which the issue is fixed. |
| msb-java-sdk | commons-codec | N/A | Effective | No | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | MSB Project will monitor for a fix. |



| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| msb-swagger-sdk | com.fasterxml.jackson.core | CVE-2017-7525 | Effective | No | A deserialization flaw was discovered in jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. The application is vulnerable by using this component when default typing is enabled. The DMaaP client does not use jackson-core.jar in a way that would trigger the vulnerability. Ticket #54030 has been opened with the LF by the DMaaP team. | MSB Project will monitor for a fix. |
| msb-swagger-sdk | com.fasterxml.jackson.dataformat | CVE-2016-3720 | Effective | Yes | XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors. Jackson, a library to serialize or map Java objects to JSON, is vulnerable to an XML External Entity (XXE) attack as it processes external entities within XML input. The XmlFactory() method in XmlFactory.java does not disable external entities in the input XML data. A remote attacker can exploit the vulnerability by crafting the input XML file with external entities which, when parsed, lead to disclosure of sensitive data on the server to which the application has access. | MSB Project will update the dependency to a newer version in which the issue is fixed. |
| msb-swagger-sdk | com.fasterxml.jackson.dataformat | CVE-2016-7051 | Effective | No | XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD. Jackson's jackson-dataformat-xml component is vulnerable to Server-Side Request Forgery. The XmlFactory() function in XmlFactory.class processes Document Type Definitions (DTDs) within XML input without any validation. A remote attacker can exploit the vulnerability by crafting the input XML file with malicious DTDs which, when parsed, lead to Server-Side Request Forgery and may lead to further attacks. | MSB Project will monitor for a fix. |
| msb-swagger-sdk | commons-beanutils | CVE-2014-0114 | Effective | No | Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. Apache Commons BeanUtils is vulnerable to ClassLoader manipulation which can lead to Remote Code Execution (RCE). Access to the class property is not suppressed, exposing it by default. An attacker can construct malicious input using the class property in order to manipulate the ClassLoader, potentially leading to arbitrary code execution. If you are the calling application, you are vulnerable by running this component without filtering the class property name. If this is a transitive dependency, you will want to contact the parent project to ensure they have added a mitigating control. | MSB Project will monitor for a fix. |
| msb-swagger-sdk | commons-collections | N/A | Effective | Yes | The commons-collections package is vulnerable to Remote Code Execution (RCE). Due to the behavior of InvokerTransformer, a remote code execution attack may be executed against any application performing deserialization of user-supplied objects when commons-collections is present on the classpath. The intended behavior of InvokerTransformer is to allow for the invocation of any method on the Java classpath. The InvokerTransformer class implements Serializable and therefore can be included in a serialized object. A combination of the intended functionality of the InvokerTransformer class and its serializable nature allows an attacker to embed malicious content, such as Runtime.getRuntime().exec() via Java reflection, allowing execution of remote code. | MSB Project will update the dependency to a newer version in which the issue is fixed. |