sonar-auth-aad
Critical CVE found in dependency apache-commons:commons-text
A vulnerability scan performed on our SonarQube Docker image revealed that there is a critical CVE in one of the dependencies of the SonarQube Azure AD plugin, namely org.apache.commons:commons-text. The CVE details can be found here. The Apache Commons version used is 1.9, and the vulnerability is mitigated in version 1.10. Could you update the apache-commons:commons-text dependency to 1.10 in a future plugin version? Thanks in advance.
Thanks for the info. I usually try to update dependencies before a release, so this will most certainly be updated by then.
That said, I think the AAD plugin is a bit more safe in using the vulnerable version than some projects. The only place we're using commons-text is in processing the group list we get back from Microsoft Graph. To trigger the vulnerability, the attacker would need to create a specially-formatted group name and add users to it so that the name would then get returned when the plugin gets the groups of which the user is a member.
I don't see any other scenarios, but won't deny that I might have missed something.
Thanks for the elaboration, good to hear that the attack surface is limited. Can you give an indication as to when the next release of the AAD plugin is scheduled?
Thanks for the detailed explanation @srvrguy! Would there be a "patch" short term or another release that changes the version of commons-text included? I understand that OSS is best effort, just trying to see if this is something that can potentially happen in the short term. Any response would be appreciated!
A lot depends on how soon I can get the work complete to migrate away from MSAL4J. I've just recently got group sync working this morning, and need to confirm it also works with the client credential flow introduced in v1.3.
If it looks like there will be a long testing period for the new code, I'll likely release a bugfix update with the patched commons-text dependency and any other urgent dependency updates by mid-November.
Replacing the vulnerable commons-text library included with 1.10.0 still allows the plugin to work okay - at least for us, so that may be an acceptable intermediate option. I accept that it has not gone through the same amount of rigorous testing an official release would have.
@srvrguy Hello Michael! Just trying to check and see if you think you can still be on "target" for mid-November release of the fix?
Our security teams want to have dates associated with expected resolution on our side. Any information you can provide in this respect would be very helpful! Thank you in advance!
I'm going to be working on merging in the PR to update the library and putting out a new release today, provided nothing more urgent comes up for me.
@srvrguy Thank you for the quick response, Michael! Much appreciated!
Release 1.3.2 is now out, fixing this issue. No other code was changed.
If you don't want to wait until it shows in the update center, you can grab the jar directly from the release link.
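Added example, not part of this thread or of the plugin's own code: a Python check a deployer can run against the plugin jar (whether it came from the update center, the release link, or a manual swap of the bundled library as described above) to confirm which commons-text version it actually bundles, rather than trusting the plugin version string. It assumes the SonarQube plugin layout of dependencies as nested jars under META-INF/lib and also looks for a shaded pom.properties from the commons-text artifact; the threshold 1.10.0 is the fixed version named in the thread. The jars the helper builds are constructed fixtures, not real releases.

```python
"""Verify which commons-text version a SonarQube plugin jar bundles."""
import io
import re
import zipfile

# Version at which the thread says the commons-text issue is fixed.
FIXED_VERSION = (1, 10, 0)

# Assumed layout: dependencies as nested jars, e.g. META-INF/lib/commons-text-1.9.jar
_NESTED_JAR = re.compile(r"(?:^|/)commons-text-(\d+(?:\.\d+)*)\.jar$")
# Maven-stamped metadata present when the dependency is shaded into the plugin.
_POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"


def parse_version(text):
    """'1.10.0' -> (1, 10, 0)."""
    return tuple(int(p) for p in text.strip().split("."))


def _pad(version, width=3):
    """Right-pad with zeros so (1, 10) compares equal to (1, 10, 0)."""
    return tuple(version) + (0,) * (width - len(version))


def _scan(zf, found):
    """Collect commons-text versions from nested jar names and pom.properties,
    recursing into nested jars so a shaded copy inside one is also seen."""
    for name in zf.namelist():
        match = _NESTED_JAR.search(name)
        if match:
            found.add(parse_version(match.group(1)))
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as nested:
                _scan(nested, found)
        elif name == _POM_PROPS:
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    found.add(parse_version(value))
    return found


def commons_text_versions(jar):
    """Return the set of commons-text versions bundled in a plugin jar.
    `jar` may be a path or any file-like object zipfile accepts."""
    with zipfile.ZipFile(jar) as zf:
        return _scan(zf, set())


def is_patched(versions, fixed=FIXED_VERSION):
    """True only if commons-text was found at all and every copy is >= fixed.
    An empty set is reported as unpatched: 'not found' is not 'safe'."""
    return bool(versions) and all(_pad(v) >= _pad(fixed) for v in versions)


def build_sample_jar(commons_text_version):
    """Constructed fixture (not a real sonar-auth-aad release): a plugin jar
    that bundles one commons-text jar under META-INF/lib, whose own
    pom.properties carries the same version. Returns an in-memory file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as dep:
        dep.writestr(_POM_PROPS,
                     "groupId=org.apache.commons\n"
                     "artifactId=commons-text\n"
                     f"version={commons_text_version}\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as plugin:
        plugin.writestr("META-INF/MANIFEST.MF", "Plugin-Key: authaad\n")
        plugin.writestr(f"META-INF/lib/commons-text-{commons_text_version}.jar",
                        inner.getvalue())
    outer.seek(0)
    return outer


if __name__ == "__main__":
    import sys
    # Real use: python check_commons_text.py sonar-auth-aad-plugin-1.3.2.jar
    jars = [(p, p) for p in sys.argv[1:]] or [
        ("constructed 1.9 jar", build_sample_jar("1.9")),
        ("constructed 1.10.0 jar", build_sample_jar("1.10.0")),
    ]
    for label, jar in jars:
        found = commons_text_versions(jar)
        state = "OK" if is_patched(found) else "VULNERABLE/UNKNOWN"
        print(f"{label}: commons-text {sorted(found)} -> {state}")
```

Run it with the downloaded plugin jar as the argument; with no argument it checks the two constructed fixtures. It deliberately treats "no commons-text found" as a failure, so a jar that has been repackaged in a way the scan does not understand is flagged for manual inspection rather than silently passing.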