
List:       axis-user-ja
Subject:    Re: what will be 1.8.0 from git clone has several CVEs including one from ant-plugin
From:       Andreas Veithen-Knowles <andreas.veithen () gmail ! com>
Date:       2021-03-13 21:22:38
Message-ID: CADx4_uWtu3-B15t968p3M6BRdGWJU_2F7e+9z9+wcX8iyTxNFA () mail ! gmail ! com

Sorry to say it bluntly, but I think this means that the tool you are using
is completely braindead. It sees "ant" and "1.8.0" in the JAR file name and
believes the artifact is Ant 1.8.0 [1]. Same for
taglibs-standard-impl-1.2.5.jar: it sees "tag" and "1.2.5" and then spits
out CVEs for https://github.com/dhowden/tag, which is a completely
unrelated project. I find it shocking what kind of stuff so-called
"security" companies nowadays try to make money with.

Andreas

[1] The actual Maven module depends on Ant 1.10. Even if it did depend on
Ant 1.8, that wouldn't make it vulnerable, because it's a **plugin** for
Ant. The vulnerability is in Ant itself, so what matters is which Ant
version the user is running.

On Thu, Mar 11, 2021 at 10:53 AM Andrew Marlow <marlow.agents@gmail.com>
wrote:

> Hello everyone,
>
> When I build axis2 as root the build now completes ok (avoiding that
> strange permission denied problem). So I am now able to do a full owasp and
> maven dependency tree analysis. I am pleased to say that this shows that
> the CVEs from tomcat 6 are gone, since it now depends on tomcat 10. Great!
> However, the dependency on the ant-plugin seems to have crept back in.
> Below are the CVEs reported by owasp:
>
> axis2-ant-plugin-1.8.0-SNAPSHOT.jar
> (pkg:maven/org.apache.axis2/axis2-ant-plugin@1.8.0-SNAPSHOT,
> cpe:2.3:a:apache:ant:1.8.0:*:*:*:*:*:*:*,
> cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*) : CVE-2020-1945
> axis2.war: taglibs-standard-impl-1.2.5.jar
> (pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5,
> cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*,
> cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242,
> CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
> axis2-xmlbeans-1.8.0-SNAPSHOT.jar
> (pkg:maven/org.apache.axis2/axis2-xmlbeans@1.8.0-SNAPSHOT,
> cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*,
> cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926
> axis2-xmlbeans-codegen-1.8.0-SNAPSHOT.jar
> (pkg:maven/org.apache.axis2/axis2-xmlbeans-codegen@1.8.0-SNAPSHOT,
> cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*,
> cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926
> commons-httpclient-3.1.jar
> (pkg:maven/commons-httpclient/commons-httpclient@3.1,
> cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*,
> cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:*) : CVE-2020-13956
> failureaccess-1.0.1.jar (pkg:maven/com.google.guava/failureaccess@1.0.1,
> cpe:2.3:a:google:guava:1.0.1:*:*:*:*:*:*:*) : CVE-2020-8908
> org.eclipse.ui.ide-3.17.100.v20200530-0835.jar
> (pkg:maven/osgi.bundle/org.eclipse.ui.ide@3.17.100.v20200530-0835,
> cpe:2.3:a:eclipse:eclipse_ide:3.17.100.v20200530.0835:*:*:*:*:*:*:*,
> cpe:2.3:a:eclipse:ide:3.17.100.v20200530.0835:*:*:*:*:*:*:*) : CVE-2008-7271
> org.eclipse.ui.workbench-3.119.0.v20200521-1247.jar
> (pkg:maven/osgi.bundle/org.eclipse.ui.workbench@3.119.0.v20200521-1247,
> cpe:2.3:a:eclipse:eclipse_ide:3.119.0.v20200521:*:*:*:*:*:*:*) :
> CVE-2008-7271
> taglibs-standard-impl-1.2.5.jar
> (pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5,
> cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*,
> cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242,
> CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
> xmlbeans-2.6.0.jar (pkg:maven/org.apache.xmlbeans/xmlbeans@2.6.0,
> cpe:2.3:a:apache:xmlbeans:2.6.0:*:*:*:*:*:*:*) : CVE-2021-23926
>
> --
> Regards,
>
> Andrew Marlow
> http://www.andrewpetermarlow.co.uk
>
>
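
One way to triage such matches before they reach a ticket, as an added example (not code from this thread or from the dependency-check project): it parses findings in the shape of the report quoted above, ranks how much naming evidence ties each CPE to the Maven groupId/artifactId, and renders suppression rules in the packageUrl/cpe form used by dependency-check's suppression file for the weakest matches only. The ranking levels, the three sample lines and the helper names are constructed here, and the suppression element names should be checked against the installed dependency-check version.

```python
import re
# Constructed sample in the shape of the dependency-check lines quoted in the thread
# (two suspect CPE matches plus one genuine one); not a real scan run.
REPORT = """\
axis2-ant-plugin-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/axis2-ant-plugin@1.8.0-SNAPSHOT, cpe:2.3:a:apache:ant:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*) : CVE-2020-1945
axis2.war: taglibs-standard-impl-1.2.5.jar (pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5, cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*, cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243
xmlbeans-2.6.0.jar (pkg:maven/org.apache.xmlbeans/xmlbeans@2.6.0, cpe:2.3:a:apache:xmlbeans:2.6.0:*:*:*:*:*:*:*) : CVE-2021-23926
"""
LINE_RE = re.compile(r"^(?:\S+: )?(\S+\.jar) \((.*)\) : (.*)$")
PURL_RE = re.compile(r"^pkg:maven/([^/]+)/([^@]+)@(.+)$")

def tokens(name):
    # Split a Maven or CPE name on the separators both ecosystems use.
    return [t for t in re.split(r"[-_.]", name.lower()) if t]

def match_strength(group, artifact, cpe):
    """Rank the naming evidence tying a CPE product to Maven coordinates, strongest
    first: exact (== artifactId), group (== last groupId segment), token (every
    product token is an artifactId token: 'ant' in axis2-ant-plugin), substring
    ('tag' inside 'taglibs'), none. The levels are this example's own heuristic."""
    product, art = cpe.split(":")[4].lower(), tokens(artifact)
    if product == artifact.lower():
        return "exact"
    if product == tokens(group)[-1]:
        return "group"
    if set(tokens(product)) <= set(art):
        return "token"
    return "substring" if any(product in t for t in art) else "none"

def triage(report, accept=("exact", "group")):
    """Return (jar, purl, cpe, strength, cves) for CPEs weaker than the accepted levels."""
    flagged = []
    for m in filter(None, map(LINE_RE.match, report.splitlines())):
        jar, inner, cves = m.groups()
        purl, *cpes = [p.strip() for p in inner.split(",")]
        pm = PURL_RE.match(purl)
        if not pm:
            continue  # skip non-Maven identifiers
        for cpe in cpes:
            strength = match_strength(pm.group(1), pm.group(2), cpe)
            if strength not in accept:
                flagged.append((jar, purl, cpe, strength, cves))
    return flagged

def suppression_xml(flagged, levels=("substring", "none")):
    """Render dependency-check suppression rules (packageUrl + cpe form) for the
    weakest matches only; 'token' hits still need a human, as the thread shows."""
    rules = [f"  <suppress>\n    <notes>{jar}: {s} name match only</notes>\n"
             f'    <packageUrl regex="true">^{re.escape(purl.split("@")[0])}@.*$</packageUrl>\n'
             f"    <cpe>cpe:/a:{':'.join(cpe.split(':')[3:5])}</cpe>\n  </suppress>"
             for jar, purl, cpe, s, _ in flagged if s in levels]
    return "<suppressions>\n" + "\n".join(rules) + "\n</suppressions>"
```

Running `triage(REPORT)` flags the `ant` and `standard_taglibs` matches at the `token` level (one false positive, one genuine, so they go to a reviewer) and the `tag` match at `substring`, which is the only one `suppression_xml` turns into a rule.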
