amazon-sqs-java-messaging-lib icon indicating copy to clipboard operation
amazon-sqs-java-messaging-lib copied to clipboard

Published 20 hours ago verified publisher icon awslabs

CVE-2011-5034 on geronimo

Open mkaminskimichal opened this issue 3 years ago • 4 comments

Please update the Geronimo dependency to >2.2.1 to remove vulnerability

mkaminskimichal avatar Oct 07 '21 21:10 mkaminskimichal

Guys, any updates regarding this issue?

maksymgrydz avatar Dec 20 '21 14:12 maksymgrydz

Same here. We're using anchore to scan our builds and it is showing the vulnerability too.

vghero avatar Feb 07 '22 10:02 vghero

i would like to "bump" that :-)

simonDeHero avatar Feb 07 '22 12:02 simonDeHero

👍

volkanto avatar Jul 07 '22 09:07 volkanto

Will look into this shortly

ziyanli-amazon avatar Oct 04 '22 21:10 ziyanli-amazon

Upon checking, looks like our JMS repo depends on org.apache.geronimo.specs » geronimo-jms_1.1_spec. While i don't have access to geronimo-jms repo, do we know how to upgrade to 2.2.x in this case?

ziyanli-amazon avatar Oct 06 '22 17:10 ziyanli-amazon

I found this regarding the issue, maybe can help?

volkanto avatar Nov 29 '22 11:11 volkanto

I checked the geronimo spec jar file and there are mainly interfaces in there. Additionally exceptions and two actual classes namely QueueRequestor and TopicRequestor. But their impl is minimal. So I would agree, that this is not about the spec being vulnerable, but some of the servers implementing it - which are named in the related CVEs (Geronimo, Glassfish etc.).

So either one could ignore this false positive on the scanner or one could try to use a different JMS 1.1 API jar like this one.

I compared both jars and filename and counts are identical (class/package wise). I even extracted method signatures of all class files and compared them. All are identical except the mentioned two *Requestors. They differ in package private field vs. private fields. As this should not matter in a spec, I would say it should be a drop-in replacement. WDYT?

I also saw this here (without -rev1), but sadly trying to fetch the jar results in 404.

To see by yourself, simply extract those jars into separate dirs and do

for i in * ; do javap $i > $i.txt; done

Then delete the .classes and compare both javax/jms dirs with your favourite compare tool.

vghero avatar Nov 29 '22 13:11 vghero

Thanks for the diving deep @vghero !! Very insightful info. I can try to have us on this. WDYT?

<dependency>
    <groupId>javax.jms</groupId>
    <artifactId>jms-api</artifactId>
    <version>1.1-rev-1</version>
</dependency>

ziyanli-amazon avatar Dec 02 '22 20:12 ziyanli-amazon

Yeah looks good. Triplechecked what the Spring guys were using with their 4.3.x version for spring-jms. They use the same. So good to go I would say :grin:.

For JMS 2.x they use https://mvnrepository.com/artifact/jakarta.jms/jakarta.jms-api meanwhile.

vghero avatar Dec 05 '22 08:12 vghero

Thanks @vghero I have pushed the changes for both v1 and master branch. Will credit you in the release

ziyanli-amazon avatar Dec 05 '22 23:12 ziyanli-amazon