KeePassJava2
[Bug] Issues with Dependencies
There are the following CVE issues with some of the dependencies used by KeePassJava2 that need to be addressed:
- commons-codec:commons-codec:jar:1.10: WS-2019-0379: This library is vulnerable to information disclosure due to Improper Input validation.
- org.simpleframework:simple-xml:jar:2.7.1: CVE-2017-1000190: SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability resulting in SSRF, information disclosure, DoS and so on.
- com.google.guava:guava:jar:20.0: CVE-2018-10237 Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
These CVEs need to be addressed on KeePassJava2 library.
@jorabin is there any update on this?
Concerning the vulnerability in SimpleXML: it is related to external entities (https://github.com/ngallagher/simplexml/issues/18), which could be embedded into XML, resulting in a possible attack using references to external files/resources. I think it's inapplicable to our case, since KeePass uses XML to store data in an encrypted way; it forms the XML internally and I don't see a way for an attacker to exploit this vulnerability.
Pavel Ivanov Skype: ivanovpv [email protected]
On Thu, Oct 29, 2020 at 2:45 AM Vinay Gera [email protected] wrote:
There are the following CVE issues with some of the dependencies used by KeePassJava2 that need to be addressed:
- commons-codec:commons-codec:jar:1.10: WS-2019-0379: This library is vulnerable to information disclosure due to Improper Input validation.
- org.simpleframework:simple-xml:jar:2.7.1: CVE-2017-1000190 https://nvd.nist.gov/vuln/detail/CVE-2017-1000190: SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability resulting in SSRF, information disclosure, DoS and so on.
- com.google.guava:guava:jar:20.0: CVE-2018-10237 https://nvd.nist.gov/vuln/detail/CVE-2018-10237 Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
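To make the XXE class of bug named in the CVE list above, and the "is it reachable" question @ivanovpv raises, concrete: the following is an added example, not code from KeePassJava2 or from SimpleXML. It constructs a KeePassFile-shaped document whose DOCTYPE declares an external entity pointing at a local file, parses it once with a default JDK DOM parser (which resolves the entity and leaks the file's contents into the document) and once with a hardened DocumentBuilderFactory that rejects any DOCTYPE. The JDK's own JAXP parser is used instead of SimpleXML so that it runs with no extra dependencies; the element names and the temp file are constructed for the demo. Whether an attacker can ever place a DOCTYPE in front of KeePassJava2's parser is a separate question, but the parser settings a consumer should verify are the same either way.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example (not KeePassJava2 or SimpleXML code): what an XXE payload does
 * when a DOM parser resolves external entities, beside the JAXP settings that stop it.
 */
public class XxeDemo {

    /** Constructed attack input: a KeePassFile-shaped document whose DOCTYPE reads a local file. */
    static String maliciousXml(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE KeePassFile [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">\n"
             + "]>\n"
             + "<KeePassFile><Meta><DatabaseName>&xxe;</DatabaseName></Meta></KeePassFile>";
    }

    /** Default JAXP configuration: DOCTYPE accepted, external entities resolved. */
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened configuration: reject DOCTYPE outright, which also shuts off entity-expansion DoS. */
    static DocumentBuilder safeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the document and returns the DatabaseName text, which is where the entity lands. */
    static String databaseName(DocumentBuilder b, String xml) throws Exception {
        Document doc = b.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("DatabaseName").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a file the attacker wants to read (constructed for the demo).
        Path secret = Files.createTempFile("xxe-secret", ".txt");
        Files.write(secret, "TOP-SECRET-TOKEN".getBytes(StandardCharsets.UTF_8));
        String xml = maliciousXml(secret);
        try {
            // 1. Default parser: the file's contents are pulled into the document.
            System.out.println("unsafe: DatabaseName = " + databaseName(unsafeBuilder(), xml));

            // 2. Hardened parser: parsing fails at the DOCTYPE, before any entity is resolved.
            try {
                databaseName(safeBuilder(), xml);
                System.out.println("safe: unexpectedly parsed");
            } catch (SAXParseException e) {
                System.out.println("safe: rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with `javac XxeDemo.java && java XxeDemo`; the first line prints the temp file's contents, the second a "DOCTYPE is disallowed" parse error. The same feature names apply to SAXParserFactory, and for StAX (XMLInputFactory) the equivalents are `XMLInputFactory.SUPPORT_DTD` set to false and `IS_SUPPORTING_EXTERNAL_ENTITIES` set to false; when auditing a dependency like SimpleXML the thing to check is which of these it sets on the provider it wraps.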
@jorabin is there any update on this?
Thanks for the heads up @g2vinay and thanks @ivanovpv for the analysis. I'm planning to take a bit of down time over the holiday season and will try to address this (also to merge the V4 branch, which is read-only right now).
com.carrotsearch.thirdparty:simple-xml-safe:2.7.1 appears to have a fixed version of simple-xml; maybe you can use that version?
Got that from here: https://github.com/ngallagher/simplexml/issues/18
Thanks for the heads up @rhuddleston.
@jorabin any updates on the resolution of the CVEs?
Hi @g2vinay - plan to do something on this over the next few weeks. Have been delayed by being unable to run VMWare Win 10 on macOS Catalina, but that's now sorted. What's not sorted is that Travis no longer supports Java 7 etc.
@jorabin Just checking in, if there are any updates or any ETA for the new release with CVEs fixed.
The most recent version of SC (com.madgag.spongycastle:core, a dependency of KeePassJava2) is 1.58, forked from BC (Bouncy Castle) 1.58, released back in 2017. Since then, there have been many BC releases, with the latest version being BC 1.68.
It seems SC is vulnerable to several exploits, including CVE-2016-1000343 and CVE-2020-26939; it also seems SC is no longer maintained: https://github.com/rtyley/spongycastle/issues/34
Any news about migration to Bouncy Castle? At this time, it is 1.70 (2021-11-29):
- https://www.bouncycastle.org/releasenotes.html
Hi, thanks for this. I do still intend to update the dependencies, merge the feature branch for v4 files and more. However I quite simply don't have the time to say that will happen soon.
I have "finally" pushed updates that address the various vulnerabilities pointed out in this issue and in this thread, including reverting to using Bouncy Castle and using the version of simple-xml-safe suggested by @rhuddleston.
That being the case, and although this version 2.2 is not yet pushed to Maven Central, I think this issue can be closed at last. OK with you, @g2vinay?
@ng-23, @jorabin: Thanks for your changes!
But can you look at updating Bouncy Castle to the latest version?
- https://www.bouncycastle.org/releasenotes.html
Hi @Neustradamus Bouncy Castle dependency is 1.70 which is the latest version: https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on
Oh, did you mean that we should be using bcprov-jdk18on? I think that we should be, actually. The latest releases at bouncycastle.org are under that artifact, i.e. https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on, in which case it's 1.73.
@jorabin: Yes, it is noted here: https://www.bouncycastle.org/latest_releases.html
OK, that is now on main and snapshot build deployed to sonatype.
Closed in 2.2.1
@jorabin: Thanks, but have you looked at the new Bouncy Castle version?
Now, it is 1.76 (there was a CVE fix in 1.74):
- https://bouncycastle.org/releasenotes.html
- https://bouncycastle.org/latest_releases.html
Thanks. Will pick this up in next release, maybe a couple of weeks.