History | Log In     View a printable version of the current page.  
Issue Details (XML | Word | Printable)

Key: QB-4083
Type: Bug Bug
Status: Open Open
Priority: Critical Critical
Assignee: Robin Shen
Reporter: U. Artie Eoff
Votes: 1
Watchers: 2
Operations

If you were logged in you would be able to see more operations.
QuickBuild

CVE/GHSA vulnerability alerts

Created: 01/Apr/24 06:58 PM   Updated: 09/Apr/24 11:40 PM
Component/s: None
Affects Version/s: 14.0.7
Fix Version/s: None

Original Estimate: Unknown Remaining Estimate: Unknown Time Spent: Unknown
Environment: Linux


 Description  « Hide
Our security experts have flagged our usage of QuickBuild for having several Critical and High security alerts and are urging them to be fixed or stop using QuickBuild.

Could you take a look and fix them if possible, please?

Doing a simple scan with the grype tool (https://github.com/anchore/grype) of the quickbuild install directory yields the following security alerts for version 14.0.7:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
ant 1.9.3 1.10.9 java-archive GHSA-f62v-xpxf-3v68 High
ant 1.9.3 1.9.16 java-archive GHSA-q5r4-cfpx-h6fh Medium
ant 1.9.3 1.9.16 java-archive GHSA-5v34-g2px-j4fw Medium
ant 1.9.3 1.9.15 java-archive GHSA-4p6w-m9wc-c9c9 Medium
aws-java-sdk-s3 1.11.1034 1.12.261 java-archive GHSA-c28r-hw5m-5gv3 High
axis 1.4 java-archive GHSA-rmqp-9w4c-gc7w Critical
axis 1.4 java-archive GHSA-h9gj-rqrw-x4fq High
axis 1.4 java-archive GHSA-r53v-vm87-f72c Medium
axis 1.4 java-archive GHSA-96jq-75wh-2658 Medium
axis 1.4 java-archive GHSA-55w9-c3g2-4rrh Medium
c3p0 0.9.2.1 0.9.5.3 java-archive GHSA-q485-j897-qc27 Critical
c3p0 0.9.2.1 0.9.5.4 java-archive GHSA-84p2-vf58-xhxv High
commons-beanutils 1.8.2 1.9.2 java-archive GHSA-p66x-2cv9-qq3v High
commons-beanutils 1.8.2 1.9.4 java-archive GHSA-6phf-73q6-gh87 High
commons-compress 1.4.1 1.21 java-archive GHSA-xqfj-vm6h-2x34 High
commons-compress 1.4.1 1.21 java-archive GHSA-mc84-pj99-q6hh High
commons-compress 1.4.1 1.21 java-archive GHSA-crv7-7245-f45f High
commons-compress 1.4.1 1.21 java-archive GHSA-7hfm-57qf-j43q High
commons-compress 1.4.1 1.26.0 java-archive GHSA-4g9r-vxhx-9pgx High
commons-compress 1.4.1 1.18 java-archive GHSA-hrmr-f5m6-m9pq Medium
commons-email 1.3.3 1.5 java-archive GHSA-v7cm-w955-pj6g High
commons-email 1.3.3 1.5 java-archive GHSA-p7vm-phxx-g722 High
commons-io 1.4 2.7 java-archive GHSA-gwrp-pvrq-jmwv Medium
commons-net 3.2 3.9.0 java-archive GHSA-cgp8-4m63-fhh5 Medium
google-oauth-client 1.31.5 1.33.3 java-archive GHSA-xh97-72ww-2w58 High
gson 2.8.0 2.8.9 java-archive GHSA-4jrv-ppp4-jm57 High
guava 13.0.1 24.1.1-android java-archive GHSA-mvr2-9pj6-7w5j Medium
guava 13.0.1 32.0.0-android java-archive GHSA-7g45-4rm6-3mm3 Medium
guava 13.0.1 32.0.0-android java-archive GHSA-5mg8-w23w-74h3 Low
guava 20.0 24.1.1-android java-archive GHSA-mvr2-9pj6-7w5j Medium
guava 20.0 32.0.0-android java-archive GHSA-7g45-4rm6-3mm3 Medium
guava 20.0 32.0.0-android java-archive GHSA-5mg8-w23w-74h3 Low
hibernate-core 4.3.11.Final 5.3.20.Final java-archive GHSA-j8jw-g6fq-mp7h High
hibernate-validator 5.2.2.Final 5.2.5.Final java-archive GHSA-xxgp-pcfc-3vgc High
jackson-databind 2.10.2 2.12.7.1 java-archive GHSA-rgv9-q543-rqg4 High
jackson-databind 2.10.2 2.12.7.1 java-archive GHSA-jjjh-jjxp-wpff High
jackson-databind 2.10.2 2.12.6.1 java-archive GHSA-57j2-w4cx-62h2 High
jackson-databind 2.10.2 2.12.6 java-archive GHSA-3x8x-79m2-3w2w High
jackson-databind 2.10.2 2.10.5.1 java-archive GHSA-288c-cq4h-88gq High
jdom 1.1 java-archive GHSA-2363-cqg2-863c High
jettison 1.1 1.5.2 java-archive GHSA-x27m-9w8j-5vcw High
jettison 1.1 1.5.4 java-archive GHSA-q6g2-g7f3-rr83 High
jettison 1.1 1.5.2 java-archive GHSA-grr4-wv38-f68w High
jettison 1.1 1.5.2 java-archive GHSA-7rf3-mqpx-h7xg High
jettison 1.1 1.5.1 java-archive GHSA-56h3-78gp-v83r Medium
jetty-http 9.4.46.v20220331 9.4.52 java-archive GHSA-hmr7-m48g-48f6 Medium
jetty-http 9.4.46.v20220331 9.4.47 java-archive GHSA-cj7v-27pg-wf7q Low
jetty-server 9.4.46.v20220331 9.4.51.v20230217 java-archive GHSA-qw69-rqj8-6qw8 Medium
jetty-server 9.4.46.v20220331 9.4.51.v20230217 java-archive GHSA-p26g-97m4-6q7c Low
jetty-servlets 9.4.46.v20220331 9.4.52 java-archive GHSA-3gh6-v5v9-6v9j Low
jetty-xml 9.4.46.v20220331 9.4.52 java-archive GHSA-58qw-p7qm-5rvh Low
json-smart 1.3.1 1.3.3 java-archive GHSA-fg2v-w576-w4v3 High
json-smart 1.3.1 2.4.9 java-archive GHSA-493p-pfq6-5258 High
json-smart 1.3.1 1.3.2 java-archive GHSA-v528-7hrm-frqp Medium
json-smart 2.3 2.4.9 java-archive GHSA-493p-pfq6-5258 High
json-smart 2.3 2.3.1 java-archive GHSA-v528-7hrm-frqp Medium
junit 4.10 4.13.1 java-archive GHSA-269g-pwp5-87pp Medium
log4j 1.2.15 java-archive GHSA-f7vh-qwp3-x37m Critical
log4j 1.2.15 java-archive GHSA-65fg-84f6-3jq3 Critical
log4j 1.2.15 java-archive GHSA-2qrg-x229-3v8q Critical
log4j 1.2.15 java-archive GHSA-w9p3-5cr8-m3jj High
log4j 1.2.15 java-archive GHSA-fp5r-v3w9-4333 High
nimbus-jose-jwt 9.5 9.37.2 java-archive GHSA-gvpg-vgmx-xg6w Medium
ognl 2.6.7 3.0.12 java-archive GHSA-383p-xqxx-rrmp Medium
okio 1.15.0 1.17.6 java-archive GHSA-w33c-445m-f8w7 Medium
quartz 1.8.3 2.3.2 java-archive GHSA-9qcf-c26r-x5rf Critical
snakeyaml 1.23 1.26 java-archive GHSA-rvwf-54qp-4r6v High
snakeyaml 1.23 2.0 java-archive GHSA-mjmj-j48q-9wg2 High
snakeyaml 1.23 1.31 java-archive GHSA-3mc7-4q67-w48m High
snakeyaml 1.23 1.32 java-archive GHSA-w37g-rhq8-7m4j Medium
snakeyaml 1.23 1.31 java-archive GHSA-hhhw-99gj-p3c3 Medium
snakeyaml 1.23 1.31 java-archive GHSA-c4r9-r8fh-9vj2 Medium
snakeyaml 1.23 1.32 java-archive GHSA-9w3m-gqgf-c4p9 Medium
snakeyaml 1.23 1.31 java-archive GHSA-98wm-3w3q-mw94 Medium
spring-beans 2.5.6 5.2.20.RELEASE java-archive GHSA-36p3-wjmg-h94x Critical
spring-beans 2.5.6 5.2.22.RELEASE java-archive GHSA-hh26-6xwr-ggv7 High
spring-context 2.5.6 5.2.21 java-archive GHSA-g5mm-vmx4-3rg7 High
spring-core 2.5.6.SEC01 4.3.16 java-archive GHSA-p5hg-3xm3-gcjg Critical
spring-core 2.5.6.SEC01 4.3.16 java-archive GHSA-3rmv-2pg5-xvqj Critical
spring-core 2.5.6.SEC01 2.5.6.SEC03 java-archive GHSA-wv88-pf73-x22p High
spring-core 2.5.6.SEC01 3.2.15 java-archive GHSA-pgf9-h69p-pcgf High
spring-core 2.5.6.SEC01 4.3.20 java-archive GHSA-ffvq-7w96-97p7 High
spring-core 2.5.6.SEC01 4.3.1 java-archive GHSA-8crv-49fr-2h6j High
spring-core 2.5.6.SEC01 4.3.15 java-archive GHSA-4487-x383-qpph High
spring-core 2.5.6.SEC01 4.3.17 java-archive GHSA-rcpf-vj53-7h2m Medium
spring-core 2.5.6.SEC01 4.3.15 java-archive GHSA-g8hw-794c-4j9g Medium
velocity 1.7 java-archive GHSA-59j4-wjwp-mw9m High
velocity-tools 2.0 java-archive GHSA-fh63-4r66-jc7v Medium
wicket-core 1.5.0 1.5.12 java-archive GHSA-q7wx-mhx4-jr8q High
wicket-core 1.5.0 7.18.0 java-archive GHSA-hmhg-95wh-r699 High
wicket-core 1.5.0 7.17.0 java-archive GHSA-64gv-3pqv-299h High
xmlrpc-common 3.1.3 java-archive GHSA-r2pg-w96p-pcpj Medium
xmlsec 2.1.4 2.1.7 java-archive GHSA-j8wc-gxx9-82hx High
xmlsec 2.1.4 2.2.6 java-archive GHSA-xfrj-6vvc-3xm2 Medium
xstream 1.3.1 1.4.11 java-archive GHSA-hf23-9pf7-388p Critical
xstream 1.3.1 1.4.7 java-archive GHSA-f554-x222-wgf7 Critical
xstream 1.3.1 1.4.18 java-archive GHSA-xw4p-crpj-vjx2 High
xstream 1.3.1 1.4.19 java-archive GHSA-rmr5-cpv2-vgjf High
xstream 1.3.1 1.4.9 java-archive GHSA-rgh3-987h-wpmw High
xstream 1.3.1 1.4.18 java-archive GHSA-qrx8-8545-4wg2 High
xstream 1.3.1 1.4.18 java-archive GHSA-p8pq-r894-fm8f High
xstream 1.3.1 1.4.14-jdk7 java-archive GHSA-mw36-7c6c-q4q2 High
xstream 1.3.1 1.4.18 java-archive GHSA-j9h8-phrw-h4fh High
xstream 1.3.1 1.4.20 java-archive GHSA-j563-grx4-pjpv High
xstream 1.3.1 1.4.18 java-archive GHSA-hph2-m3g5-xxv4 High
xstream 1.3.1 1.4.18 java-archive GHSA-h7v4-7xg3-hxcc High
xstream 1.3.1 1.4.18 java-archive GHSA-g5w6-mrj7-75h2 High
xstream 1.3.1 1.4.20 java-archive GHSA-f8cc-g7j8-xxpm High
xstream 1.3.1 1.4.18 java-archive GHSA-cxfm-5m4g-x7xp High
xstream 1.3.1 1.4.18 java-archive GHSA-8jrj-525p-826v High
xstream 1.3.1 1.4.10 java-archive GHSA-7hwc-46rm-65jh High
xstream 1.3.1 1.4.17 java-archive GHSA-7chv-rrw6-w6fc High
xstream 1.3.1 1.4.18 java-archive GHSA-6w62-hx7r-mw68 High
xstream 1.3.1 1.4.18 java-archive GHSA-64xx-cq4q-mf44 High
xstream 1.3.1 1.4.15 java-archive GHSA-4cch-wxpw-8p28 High
xstream 1.3.1 1.4.18 java-archive GHSA-3ccq-5vw3-2p6x High
xstream 1.3.1 1.4.18 java-archive GHSA-2q8x-2p7f-574v High
xstream 1.3.1 1.4.16 java-archive GHSA-2p3x-qw9c-25hh High
xstream 1.3.1 1.4.16 java-archive GHSA-qpfq-ph7r-qv6f Medium
xstream 1.3.1 1.4.15 java-archive GHSA-jfvx-7wrx-43fh Medium
xstream 1.3.1 1.4.16 java-archive GHSA-hwpc-8xqv-jvj4 Medium
xstream 1.3.1 1.4.16 java-archive GHSA-hvv8-336g-rx3m Medium
xstream 1.3.1 1.4.16 java-archive GHSA-hrcp-8f3q-4w2c Medium
xstream 1.3.1 1.4.16 java-archive GHSA-f6hm-88x3-mfjv Medium
xstream 1.3.1 1.4.16 java-archive GHSA-74cv-f58x-f9wf Medium
xstream 1.3.1 1.4.18 java-archive GHSA-6wf9-jmg9-vxcc Medium
xstream 1.3.1 1.4.16 java-archive GHSA-59jw-jqf4-3wq3 Medium
xstream 1.3.1 1.4.16 java-archive GHSA-56p8-3fh9-4cvq Medium
xstream 1.3.1 1.4.16 java-archive GHSA-4hrm-m67v-5cxr Medium
xstream 1.3.1 1.4.16 java-archive GHSA-43gc-mjxg-gvrq Medium



 All   Comments   Work Log   Change History      Sort Order:
Robin Shen [02/Apr/24 12:04 AM]
Most of the high and critical issues are related to read input from untrusted input which is not possible in QB. For instance, "https://github.com/advisories/GHSA-hf23-9pf7-388p" is about deseriazing from user supplied XML, and in QB only adminsitrator can do that when restore database from XML. Some other high severity issues are related to XSS attack, which is tolerable in QB as it should be used behind firewall in a trusted environment, with trusted users. For instance, QB users can commit code to get arbitrary logic being executed and this is evitable for every CI system running shell builds. Also QB users can run arbitrary scripts via scripting support, etc.

U. Artie Eoff [02/Apr/24 03:14 AM]
I see. So does that mean the flagged "java-archive" packages included in Quickbuild cannot be updated to the "Fixed-in" versions specified in the scan results?

U. Artie Eoff [02/Apr/24 03:17 AM]
... that is, if updated to "fixed-in" versions, would it break the functionality that you described?

Robin Shen [02/Apr/24 03:28 AM]
Yes, it may break QB functionalities (some code base is nearly 20 years). We'd rather not to upgrade unless absolutely necessary.

U. Artie Eoff [08/Apr/24 02:59 PM]
Unfortunately, our security team is going to force us to stop using QB if the following packages aren't patched to fix some critical vulnerabilities, citing that QB would be too insecure to use on a daily basis even in our secure environment. It would be unfortunate for us to have to stop using such a powerful, good CI platform such as QB... we have invested ~10 years using it already.

- c3p0
- commons-beanutils
- commons-compress
- commons-email
- gson 2.8.0
- hibernate-validator 5.2.2.Final
- jackson-databind 2.10.2
- jettison 1.1
- json-smart 2.3
- quartz 1.8.3
- snakeyaml 1.23
- spring_framework 2.5.6.SEC01
- wicket 1.5.0
- xmlsec-java 2.1.4
- xstream 1.3.1

Robin Shen [08/Apr/24 11:37 PM]
Sorry to hear this... I do understand your security team's concerns. We will try to upgrade these libraries. Since the change is big and may cause backward incompatiblities, we need to do that in the yearly big release which is planned early next year.

U. Artie Eoff [09/Apr/24 02:20 PM]
Thank you for your support. It is greatly appreciated! Looking forward to the next big release. In the meantime, we will discuss your commitment with our security team to try and work something out ;)

Robin Shen [09/Apr/24 11:40 PM]
We will try our best to upgrade outdated libraries, but it is not a commitment... due to long history of QB code base. Just hope that you can postpone the decision to next big release...