Qualys reports that there are severe vulnerabilities in geoserver and geowebcache relating to the spring files. At the moment we run geoserver 2.20.4 and geowebcache 1.20.3, but still getting these vulnerabilities.
Which versions of geoserver and geowebcache are CLEAN?
Please respect the project's responsible disclosure guide lines - if you have an urgent need to have fixes applied to the project then you should do it yourselves or contract with a commercial supplier to do it for you.
Disclosure: I work for one of those suppliers.
Related
What is the correct way to solve this vulnerability? Should we upgrade version spring shell version to 5.2.20
I am using Spring Boot directly – upgrade to version 2.6.6
JFrog platform is not vulnerable to SpringShell CVE-2022-22965.
JFrog's Security Research team investigated and detailed their findings and remediation strategies in this blog, and introducing a new set of OSS tools to help developers address this latest threat.
The documents from JFrog, below should help you on this issue and remediation
https://jfrog.com/blog/springshell-zero-day-vulnerability-all-you-need-to-know/
https://jfrog.com/blog/springshell-remediation-cookbook/
Before the log4j shell issue happened last month I was using 'org.springframework.boot:spring-boot-starter-logging:1.5.22.RELEASE' which has internal dependencies on
ch.qos.logback:logback-classic:1.1.11 and ch.qos.logback:logback-core:1.1.11 jars respectively.
After that log4j shell issue occurred I had upgraded both the jars to version ch.qos.logback:logback-classic:1.2.3 and ch.qos.logback:logback-core:1.2.3 with gradle v3.5 which works fine. Now when I am trying to upgrade jars to logback-classic:1.2.10 and logback-core:1.2.10, this stops me while running the application stating below error:
org.gradle.tooling.BuildException: Could not execute build using Gradle distribution 'https://services.gradle.org/distributions/gradle-3.5-all.zip'.
Do I need to move to higher version of Grails or Gradle 3.5 have any issue with upgrade. Please any hint or guidance is most welcome.
From https://logback.qos.ch/news.html
We note that the vulnerability mentioned in CVE-2021-42550 requires
write access to logback's configuration file as a prerequisite. Please
understand that log4Shell and CVE-2021-42550 are of different severity
levels. In response to CVE-2021-42550 (aka LOGBACK-1591) we have
decided to make the following steps. 1) Hardened logback's JNDI lookup
mechanism to only honor requests in the java: namespace. All other
types of requests are ignored. Many thanks to Michael Osipov for
suggesting this change and providing the relvant PR. 2) SMTPAppender
was hardened. 3) Temporarily removed DB support for security reasons.
4) Removed Groovy configuration support. As logging is so
pervasive and configuration with Groovy is probably too powerful, this
feature is unlikely to be reinstated for security reasons. We note
that the aforementioned vulnerability requires write access to
logback's configuration file as a prerequisite. Please understand that
log4Shell/CVE-2021-44228 and CVE-2021-42550 are of different severity
levels. A successul RCE attack with CVE-2021-42550 requires all of the
following conditions to be met: write access to logback.xml use of
versions < 1.2.9 reloading of poisoned configuration data, which
implies application restart or scan="true" set prior to attack As an
additional extra precaution, in addition to upgrading to logback
version 1.2.9, we also recommend users to set their logback
configuration files as read-only
For now no support for grails so v1.2.9 onwards logback is not supported for now.
This is going to be a broad topic so please bear with me. So I build a microservices app started as a hobby and now in the few months I put into it I made something useful. So, far I used STS (spring tool) with maven and Eureka client.
I have an independent microservices talking to each other and a UI microservice that present the results to you. It's a single page app I will lay down the structure (GitHub repo also same) :
--my-app
--my-microservice-discovery
--my-microservice-domain (jdk12)
--my-microservice-searcher
--my-microservice-orchestrator
--my-microservice-ui
--my-transferobjects (common jar not microservice)
--pom.xml (my main module pom)
So, this is what I am dealing with in GitHub I made a single repository of my-app containing all these spring boot projects, in IDE everything works, now comes the deployment part on some cloud provider. I choose Heroku as I had some experience with it in the past but also because I cannot make this work with Google (although they have an attractive starter scheme going on right now). Connecting to a private GitHub repo from Google Cloud build is pain, but Heroku does this with style.
I decided to go command line because that's how I have to deal on the cloud and that's where all hell broke loose, I got lots of dependencies issues between the version of JDKs managed well by IDE but not defined correctly for maven yet.
I am still managed to make my local build success (command line) but I had to do some hard-code configuration to fix jdk12 for a my-microservice-domain pom like below and similar fix for my-transfer objects but because of the Lombok issue no idea why I have to provide jdk8 specifically for this project.
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>12</source>
<target>12</target>
<executable>/home/Downloads/jdk-12</executable>
</configuration>
</plugin>
</plugins>
</build>
My questions are as follows :
Do we have a toolchain example to handle this different JDK compilation issue plus do we always have to provide the JDK local installation path?
How to deploy this on Heroku, how it will know where is my jdk12 is, or just defining the source/target version in pom will do the trick on the cloud, also Heroku supports jdk12 or google cloud?
Is it a good idea to have multi-repo or single repo deployment I can still change but I like it this way.
I get it that I need to create docker images for each of my microservices, but someone has a tutorial to do so locally first, or some GitHub repo so that I can look some examples.
Once I add all those docer files in each microservice is this sufficient to deploy its production level? I read a lot about APIGateway, load balancer .. where they fit into my architecture.
I also use localhost everywhere for EurekaServer and Eureka/Feign client properties will it also work the same way on the cloud and Eureka server will be able to find all my services as it does locally with no config changes needed on cloud?
What is better Google cloud or Heroku, google cloud seems a bit of a hassle for now.
These are my worries please advise.
Ok I am going to answer my own question I did bit of reading and what #cool suggested above and I ended up going multiple repository way and I achieved what was needed.
I also chosen Heroku simply because the ease of things there felt like my local environment and such a simple app like mine on latest binaries has no problem whatsoever.
I followed few links for setting up my Eureka server and client and Procfile and some environment variable direcrlt from your Apps settting page from dashboard.
Needless to say I also maintained multiple profiles (dev,prod,test) and for ui I use vaadin hence some additional step needed in your UI app pom.xml for production.
I am bit of concerned with the way my services were terminated of no activity on heroku plus right now the issue with services discovery among each other. So my eureka server reports > all instances but they cannot contact each other.
Right now I am busy with other things [viz. fixing bugs] as launch is a month later. I will soon post a question about this ;).
My company's Sonatype scan shows Spring-Web is vulnerable even for the latest version (currently 5.2.3.RELEASE).
It reads:
"Found security vulnerability CVE-2016-1000027 with severity 9.8".
I noticed CVE-2016-1000027 is added to the NATIONAL VULNERABILITY DATABASE
on 01/02/2020, and it is in regards to
"Spring Framework 4.1.4 suffers from a potential remote code execution
(RCE) issue if used for Java deserialization of untrusted data".
Is this an obsolete ticket or has it not be resolved after 4 years?
This issue is resolved from a Spring Framework point of view, see my latest comment summarizing the situation on that issue. Your application is only vulnerable if you're using HTTPInvokerServiceExporter or RemoteInvocationSerializingExporter and reading data from untrusted sources.
Deserializing Java code from untrusted sources is a well-known problem in Java (so, all Java applications and Frameworks!), and this feature might be removed in future Java versions.
Given the nature of this security problem (there's no way to "fix it" besides removing the classes, which will be done in the next major version of Spring Framework), contacting your vendor or your security team is the best course of action. The Spring team is happy to help the community with this matter by providing more context on that issue if needed.
Does anyone know what the state is of the Spring Integration Extensions at https://github.com/spring-projects/spring-integration-extensions ?
Some seem outdated with regards to Spring versions. And others, whilst updated, don't seem to have recent releases or snapshots available at http://repo.spring.io/libs-snapshot/org/springframework/integration/ .
For example I wanted to integrate with AWS, but cant find a release or snapshot for the latest version of Spring Integration. And SQS support has been "coming soon" for some time.
The outdatedness of those that do exist, and lack of clarity on what is intended, make me concerned to use any of them. Does anyone know what the Spring team's intention is with regards to the release cycle of these extensions? Are they viewed as incubators that will eventually move into Spring Integration core, or something else?
Cheers,
Menno
Spring Integration extensions are community provided, and they will constantly change according to the will of the community. Your best chance is to get in touch with the contributors of the AWS extension.
You should use them, once you understand what they are doing, there are no more guarantees than other Spring projects, only the fact that others are also using it.