Dependency Check Vulnerabilities: Request for Module Updates or Fix Validation

Hi CUBA Team and Community,

We recently ran a Dependency Check on our CUBA-based application and identified several vulnerabilities (CVEs) in the underlying JARs of the framework modules.

To maintain our security compliance, we have identified potential fixes (version overrides) for several of these. However, we are concerned about potential problems that might occur if we implement those on our own.

Could you please review the table attached below and advise us on:

1.) Are there plans to release a maintenance update for the platform that addresses the specific JARs?
2.) Is it possible for you to update the modules that have vulnerability issues?
3.) If we apply the proposed fix listed below, can you confirm whether these versions are known to be compatible or whether they might break platform functionality?

Here is the code we use for the overrides:

allprojects {
    configurations.all {
        // Drop the old jdk15on BouncyCastle and jline artifacts; the replacements are forced below
        exclude group: 'org.bouncycastle', module: 'bcpkix-jdk15on'
        exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on'
        exclude group: 'org.bouncycastle', module: 'bcprov-ext-jdk15on'
        exclude group: 'jline', module: 'jline'

        resolutionStrategy {
            // Pin transitive versions to the patched releases
            force 'org.apache.commons:commons-lang3:3.18.0'
            force 'org.apache.commons:commons-compress:1.27.1'
            force 'commons-beanutils:commons-beanutils:1.11.0'

            force 'org.springframework:spring-tx:5.3.39'

            force 'org.bouncycastle:bcpkix-jdk18on:1.80'
            force 'org.bouncycastle:bcprov-jdk18on:1.80'
            force 'org.bouncycastle:bcprov-ext-jdk18on:1.80'

            force 'org.jline:jline:3.29.0'
            force 'org.owasp.esapi:esapi:2.4.0.0'

            force 'org.apache.velocity:velocity-engine-core:2.4.1'
            force 'org.apache.velocity:velocity-engine-scripting:2.4.1'
            force 'org.apache.santuario:xmlsec:2.2.6'

            // Override whole groups regardless of which artifact requested them
            eachDependency { DependencyResolveDetails details ->
                if (details.requested.group == 'org.codehaus.groovy') {
                    details.useVersion('3.0.21')
                }
                if (details.requested.group == 'org.apache.ant') {
                    details.useVersion('1.9.16')
                }
                if (details.requested.group == 'org.springframework.security') {
                    details.useVersion('5.5.8')
                }
            }
        }
    }
}
Attachment: CUBA Forum Tabelle.pdf (74.9 KB)

Hi Damir,

  1. We don’t have any specific schedule for releasing new versions of CUBA. Most probably the next CUBA 7.2.24 patch with updated dependencies will be released in the first half of this year. Unfortunately, not so many compatible dependencies are still being released by vendors. Of course, if a critical security issue is found in our own code, we’ll fix it ASAP.
  2. Any significant (major, minor) change of versions can break compatibility, especially if it is a change of a transitive dependency of another 3rd-party dependency. In general, we can't fully confirm whether a specific change will or will not break something.
  3. The fastest way is to check it on your side on your specific environment.

General notes:
Keep an eye on the SLF4J version - it should stay on 1.7.*. If some change transitively upgrades it to 2.x, this will most likely break the logging. In that case, try to exclude it.

Notes about some libraries:

  • esapi 2.2.0.0 → 2.4.0.0: looks OK
  • bcprov-jdk15on, bcpkix-jdk15on, bcprov-ext-jdk15on updated to their ‘jdk18on’ versions: looks OK, with some notes:
    • you mentioned org.bouncycastle:bcprov-ext-jdk18on:1.80 - it doesn’t exist. bcprov-ext-jdk18on exists up to 1.78.1 and was then relocated to bcprov-jdk18on.
    • you may also need to add bcutil-jdk18on:1.80.
  • velocity-engine-core and velocity-engine-scripting 2.0 → 2.4.1: looks OK
  • commons-lang3 3.17.0 → 3.18.0: looks OK
  • commons-beanutils 1.9.3 → 1.11.0: looks OK, but check for a possible issue with logging.
  • xmlsec 1.5.8 → 2.2.6: adds the runtime dependency com.fasterxml.woodstox:woodstox-core:5.4.0, which may conflict with the existing one.
  • xercesImpl and xalan updates are OK.
  • spring-security-* 4.2.13: they actually come transitively from the legacy library org.springframework.security.extensions:spring-security-saml2-core:1.0.10.RELEASE, so it’s hard to say whether there are any issues.
  • commons-compress 1.21 → 1.27.1: in the past there was some issue with updating it to 1.27.1, but I can’t tell what exactly it was (maybe something with tests). You can try to update.

Can’t say anything about the Groovy dependencies or runtime-diagnose-global (it’s a community add-on).

Testing dependencies: they will affect your project only, so it should be OK to update them as long as it works for you.

Regards,
Ivan
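One way to do the "check it on your side" step from the reply above, as an added Gradle task that is not part of either post or of the CUBA platform: it resolves the module's runtime classpath, prints the version each forced library actually resolved to, and fails the build if SLF4J has drifted off 1.7.x or a pinned library did not land on the expected version. It assumes it is placed in a module build.gradle that applies the java plugin (so a runtimeClasspath configuration exists); the task name and the PINNED_VERSIONS map are hypothetical.

```groovy
// Added verification task (example code, not from the original thread).
// Expected version prefixes; 'org.slf4j:slf4j-api' is the "must stay on 1.7.*" rule,
// the rest are the forced versions from the question (bcutil added per the reply).
def PINNED_VERSIONS = [
    'org.slf4j:slf4j-api'                       : '1.7.',
    'org.apache.commons:commons-lang3'          : '3.18.0',
    'org.apache.commons:commons-compress'       : '1.27.1',
    'commons-beanutils:commons-beanutils'       : '1.11.0',
    'org.springframework:spring-tx'             : '5.3.39',
    'org.bouncycastle:bcprov-jdk18on'           : '1.80',
    'org.bouncycastle:bcpkix-jdk18on'           : '1.80',
    'org.bouncycastle:bcutil-jdk18on'           : '1.80',
    'org.jline:jline'                           : '3.29.0',
    'org.owasp.esapi:esapi'                     : '2.4.0.0',
    'org.apache.velocity:velocity-engine-core'  : '2.4.1',
    'org.apache.santuario:xmlsec'               : '2.2.6',
]

tasks.register('checkDependencyOverrides') {
    description = 'Fails if a forced library resolved to an unexpected version or SLF4J left 1.7.x'
    doLast {
        // Map "group:name" -> resolved version for everything on the runtime classpath
        def resolved = configurations.runtimeClasspath.incoming.resolutionResult.allComponents
            .findAll { it.moduleVersion != null }
            .collectEntries { c ->
                [("${c.moduleVersion.group}:${c.moduleVersion.name}".toString()): c.moduleVersion.version]
            }
        def problems = []
        PINNED_VERSIONS.each { module, expected ->
            def actual = resolved[module]
            if (actual == null) {
                // Not resolved at all: excluded, or nothing in this module pulls it in
                println "  ${module}: not on runtime classpath"
            } else if (!actual.startsWith(expected)) {
                problems << "${module} resolved to ${actual}, expected ${expected}*"
            } else {
                println "  ${module}: ${actual} OK"
            }
        }
        // Any SLF4J 2.x artifact at all (api or binding) is reported, not just slf4j-api
        resolved.findAll { k, v -> k.startsWith('org.slf4j:') && v.startsWith('2.') }
                .each { k, v -> problems << "${k} resolved to ${v}; CUBA 7.2 logging needs 1.7.x" }
        if (problems) {
            throw new GradleException("Dependency override check failed:\n  " + problems.join('\n  '))
        }
    }
}
```

Run it with `./gradlew :core:checkDependencyOverrides` (or the module of your choice) after changing the overrides, so a transitive bump to SLF4J 2.x is caught at build time rather than as broken logging at runtime.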