
Re: thredds 4.6.10



Greetings Georgi,

The following PR:

https://github.com/Unidata/thredds/pull/954

addresses the outstanding github issues relating to open CVEs. I'll let you know when it gets into the master branch, and I can point you to a snapshot for testing.

Cheers!

Sean


On Wed, Nov 15, 2017 at 1:00 PM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:
Great - many thanks in advance, Sean!

Looking forward to 4.6.11,

Georgi


On Wed, Nov 15, 2017 at 2:54 PM, Sean Arms <address@hidden> wrote:
Greetings Georgi,

I'm digging into those at the moment. Hopefully I will find a fix, and, if so, it will be in the 4.6.11 release. However, I am surprised these, and a few others that have been fixed, are not in the 4.6.8 release. I'll keep you informed as things progress.

Cheers,

Sean


On Wed, Nov 15, 2017 at 9:44 AM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:
Sean, and all,

Looks like 865 and 866 were closed but the other three are still open: 864, 867 and 868.
Is there any change?

We have stayed with 4.6.8 and avoided 4.6.10 because of these vulnerabilities.  Do you guys have plans to issue fixes in a 4.6.11 since that is the supported release?

TIA,
Georgi


On Wed, Jun 21, 2017 at 12:03 PM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:

IHTH, and please add the fixes to the current stable release (4.6.x).

Many thanks for your good work!

Georgi


On Sat, Jun 17, 2017 at 9:20 AM, Sean Arms <address@hidden> wrote:
Thanks for the report, Georgi!

It looks like ncwms and godiva are pulling most of these (all the
JavaScript libs, and the jstl lib) - I'll take a look and see what I
can do there.

I was able to update the log4j lib without issue, so we're good there.

The jackson-core and jackson-annotations are being pulled in by the
amazon aws-sdk lib. According to their github site, these hits were
false positives:

https://github.com/aws/aws-sdk-java/issues/801

so I'm not sure there is anything to be done there.

I'll keep in touch about how the ncwms / godiva upgrades go.

Sean


On Fri, Jun 16, 2017 at 4:46 PM, Georgi Kostov - NOAA Affiliate
<address@hidden> wrote:
> Sean, Dennis and Christian,
>
> Thank you for fixing (most of) the previous vulnerabilities!
>
> We have done another scan - this time of thredds 4.6.10, and I am enclosing
> a brief version of the findings - mostly pertaining to critical and high
> vulnerabilities.  I am not enclosing any info about vulnerabilities ranked
> below those two levels.
>
> Please let me know what you find out and I hope that you'd be able to
> incorporate fixes into the 4.6, it being the current stable release.
>
> Many thanks for your attention to this important finding,
> Georgi
>
> ---------- Forwarded message ----------
>
> ...see results of the code analysis, including the Critical code injection
> vulnerability (related to prototype.js) and some others.
>
> Additionally, the following are some results from other scans and
> inspections:
>
> ----JavaScript Libraries----
>
> /godiva2/js/OpenLayers-2.10.js
> ↳ prototypejs 1.4.0 has known vulnerabilities: severity: high; CVE:
> CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
>
> /home/appsec/static/thredds/the-war-file/godiva2/js/OpenLayers-2.8.js
> ↳ prototypejs 1.4.0 has known vulnerabilities: severity: high; CVE:
> CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
>
> /home/appsec/static/thredds/the-war-file/js/lib/jquery-1.7.2.min.js
> ↳ jquery 1.7.2.min has known vulnerabilities: severity: medium; bug: 11290,
> summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290
> http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
>
> I can tell you that jQuery 1.x and 2.x are end of life and no longer
> receiving any security updates, so the only way forward on that is to move
> to the 3.x series.
>
> ----Java Libraries----
>
> jackson-annotations-2.6.0.jar
> https://nvd.nist.gov/vuln/detail/CVE-2016-7051 - High
> https://nvd.nist.gov/vuln/detail/CVE-2016-3720 - Critical
>
>
> jackson-core-2.6.6.jar
> https://nvd.nist.gov/vuln/detail/CVE-2016-7051 - High
> https://nvd.nist.gov/vuln/detail/CVE-2016-3720 - Critical
>
>
> jstl-1.2.jar
> https://nvd.nist.gov/vuln/detail/CVE-2015-0254 - High
>
>
> log4j-core-2.7.jar
> https://nvd.nist.gov/vuln/detail/CVE-2017-5645 - Critical
>
>
> --
> Georgi Kostov
> Team ERT (Earth Resources Technology, Inc.), US Government Contractor
> Data Access Branch, NOMADS/NCMA Team | NOAA Mail code E/NE54
> NOAA's National Centers for Environmental Information (NCEI)
> 151 Patton Ave., Suite 420, Asheville, NC 28801-5001
> address@hidden | (828) 271-4921 | http://nomads.ncdc.noaa.gov/
> GPG Key ID 0xE2BD9A06. Fingerprint: 5109 7E85 D528 5E10 E516 BB80 AA42 52F1
> E2BD 9A06
>
> Follow NCEI on Facebook and Twitter
>
> The contents of this message are mine personally and do not necessarily
> reflect any position of NOAA or STG. This electronic transmission contains
> information that may be internal use only, confidential, or proprietary.  If
> you are not the intended recipient, be aware that any disclosure, copying,
> distribution or use of the contents hereof is strictly prohibited.  If you
> have received this transmission in error, please notify
> address@hidden



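The scan quoted in this thread flagged jars by filename and version, and the maintainers then sorted the hits into real updates (log4j) and accepted false positives (the jackson jars pulled in by the AWS SDK). The script below, an added example and not Unidata's or NCEI's tooling, reproduces that triage: it inventories the jars under WEB-INF/lib in a WAR, matches them against the flagged versions quoted above, and separates out the hits already accepted as false positives. The WAR contents, the flagged list and the false-positive list are constructed here for illustration.

```python
"""Inventory jars bundled in a WAR and triage them against flagged versions.
Added example; the WAR and the lists below are constructed, not a real build."""
import io
import re
import zipfile

# (artifact, version) -> CVEs, copied from the scan findings quoted in the thread.
FLAGGED = {
    ("jackson-annotations", "2.6.0"): ["CVE-2016-7051", "CVE-2016-3720"],
    ("jackson-core", "2.6.6"): ["CVE-2016-7051", "CVE-2016-3720"],
    ("jstl", "1.2"): ["CVE-2015-0254"],
    ("log4j-core", "2.7"): ["CVE-2017-5645"],
}
# Hits the maintainers accepted as false positives (aws-sdk-java issue 801).
FALSE_POSITIVES = {("jackson-core", "2.6.6"), ("jackson-annotations", "2.6.0")}

# artifact-version.jar: artifact is matched lazily so the version starts at the
# first "-<digit>" boundary (handles multi-part names such as jackson-core).
JAR_RE = re.compile(r"^WEB-INF/lib/(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d[\w.-]*)\.jar$")

def inventory_jars(war_bytes):
    """Return {artifact: version} for every jar under WEB-INF/lib/ in the WAR."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.match(name)
            if m:
                found[m.group("artifact")] = m.group("version")
    return found

def triage(jars):
    """Split flagged jars into (actionable, suppressed) lists of
    (artifact, version, cves); suppressed entries are accepted false positives."""
    actionable, suppressed = [], []
    for artifact, version in sorted(jars.items()):
        cves = FLAGGED.get((artifact, version))
        if not cves:
            continue  # version not on the flagged list
        bucket = suppressed if (artifact, version) in FALSE_POSITIVES else actionable
        bucket.append((artifact, version, cves))
    return actionable, suppressed

def build_sample_war():
    """Constructed WAR with the jar names from the quoted scan plus one
    unflagged placeholder jar; not an actual thredds distribution."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in ("jackson-core-2.6.6.jar", "jackson-annotations-2.6.0.jar",
                    "jstl-1.2.jar", "log4j-core-2.7.jar", "example-lib-1.0.jar"):
            war.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()

if __name__ == "__main__":
    actionable, suppressed = triage(inventory_jars(build_sample_war()))
    for artifact, version, cves in actionable:
        print("ACTION   %s %s: %s" % (artifact, version, ", ".join(cves)))
    for artifact, version, cves in suppressed:
        print("SUPPRESS %s %s: accepted false positive" % (artifact, version))
```

Point the script at a real WAR by reading its bytes instead of calling build_sample_war(), and keep the false-positive list as a reviewed record rather than an open-ended exclusion.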