milvus-io/milvus-sdk-java

[CVE BUG] Transitive CVE is introduced via Java SDK

msmygit opened this issue · 6 comments

CVE-2023-3635 7.5 Incorrect Conversion between Numeric Types vulnerability with High severity found

Today, when someone adds the milvus Java SDK, a transitive CVE is injected into the project. See below,

[image]

Version impacted,

        <dependency>
            <groupId>io.milvus</groupId>
            <artifactId>milvus-sdk-java</artifactId>
            <version>2.3.4</version>
        </dependency>

/assign @lentitude2tk
Could you take a look at it?

yhmo commented

CVE-2023-3635 is caused by okio, which is included by minio-java. minio-java is imported for BulkWriter.

+- io.minio:minio:jar:8.2.1:compile
|  +- com.carrotsearch.thirdparty:simple-xml-safe:jar:2.7.1:compile
|  +- (com.google.guava:guava:jar:29.0-jre:compile - omitted for conflict with 32.0.1-android)
|  +- com.squareup.okhttp3:okhttp:jar:4.8.1:compile
|  |  +- com.squareup.okio:okio:jar:2.7.0:compile

CVE-2023-3635 is fixed in okio 3.4.0: square/okio#1280

The minio-java 8.5.7 fixed this issue by upgrading the okhttp from 4.11 to 4.12: https://github.com/minio/minio-java/releases/tag/8.5.7

yhmo commented

Got a new error after upgrading minio-java to 8.5.7; not sure of the root cause.


[INFO] Scanning for projects...
[INFO] Inspecting build with total of 1 modules...
[INFO] Installing Nexus Staging features:
[INFO]   ... total of 1 executions of maven-deploy-plugin replaced with nexus-staging-maven-plugin
[INFO] ------------------------------------------------------------------------
[INFO] Detecting the operating system and CPU architecture
[INFO] ------------------------------------------------------------------------
[INFO] os.detected.name: linux
[INFO] os.detected.arch: x86_64
[INFO] os.detected.version: 5.4
[INFO] os.detected.version.major: 5
[INFO] os.detected.version.minor: 4
[INFO] os.detected.release: ubuntu
[INFO] os.detected.release.version: 20.04
[INFO] os.detected.release.like.ubuntu: true
[INFO] os.detected.release.like.debian: true
[INFO] os.detected.classifier: linux-x86_64
[INFO] 
[INFO] ---------------------< io.milvus:milvus-sdk-java >----------------------
[INFO] Building io.milvus:milvus-sdk-java 2.4.0
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- enforcer:3.0.0-M2:enforce (enforce) @ milvus-sdk-java ---
[WARNING] Rule 0: org.apache.maven.plugins.enforcer.RequireUpperBoundDeps failed with message:
Failed while enforcing RequireUpperBoundDeps. The error(s) are [
Require upper bound dependencies error for com.google.guava:guava:32.0.1-android paths to dependency are:
+-io.milvus:milvus-sdk-java:2.4.0
  +-io.grpc:grpc-netty-shaded:1.59.1
    +-com.google.guava:guava:32.0.1-android
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-io.grpc:grpc-protobuf:1.59.1
    +-com.google.guava:guava:32.0.1-android
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-io.grpc:grpc-stub:1.59.1
    +-com.google.guava:guava:32.0.1-android
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-io.minio:minio:8.5.7
    +-com.google.guava:guava:32.1.3-jre
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-io.grpc:grpc-netty-shaded:1.59.1
    +-io.grpc:grpc-core:1.59.1
      +-com.google.guava:guava:32.0.1-android
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-io.grpc:grpc-protobuf:1.59.1
    +-io.grpc:grpc-api:1.59.1
      +-com.google.guava:guava:32.0.1-android
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-io.grpc:grpc-protobuf:1.59.1
    +-io.grpc:grpc-protobuf-lite:1.59.1
      +-com.google.guava:guava:32.0.1-android
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-io.grpc:grpc-testing:1.59.1
    +-io.grpc:grpc-inprocess:1.59.1
      +-com.google.guava:guava:32.0.1-android
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-org.apache.hadoop:hadoop-client:2.6.0
    +-org.apache.hadoop:hadoop-common:2.6.0
      +-com.google.guava:guava:11.0.2
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-org.apache.hadoop:hadoop-client:2.6.0
    +-org.apache.hadoop:hadoop-hdfs:2.6.0
      +-com.google.guava:guava:11.0.2
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-org.apache.hadoop:hadoop-client:2.6.0
    +-org.apache.hadoop:hadoop-yarn-api:2.6.0
      +-com.google.guava:guava:11.0.2
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-org.apache.hadoop:hadoop-client:2.6.0
    +-org.apache.hadoop:hadoop-common:2.6.0
      +-org.apache.curator:curator-client:2.6.0
        +-com.google.guava:guava:16.0.1
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-org.apache.hadoop:hadoop-client:2.6.0
    +-org.apache.hadoop:hadoop-common:2.6.0
      +-org.apache.curator:curator-recipes:2.6.0
        +-com.google.guava:guava:16.0.1
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-org.apache.hadoop:hadoop-client:2.6.0
    +-org.apache.hadoop:hadoop-common:2.6.0
      +-org.htrace:htrace-core:3.0.4
        +-com.google.guava:guava:12.0.1
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-org.apache.hadoop:hadoop-client:2.6.0
    +-org.apache.hadoop:hadoop-mapreduce-client-core:2.6.0
      +-org.apache.hadoop:hadoop-yarn-common:2.6.0
        +-com.google.guava:guava:11.0.2
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-org.apache.hadoop:hadoop-client:2.6.0
    +-org.apache.hadoop:hadoop-common:2.6.0
      +-org.apache.hadoop:hadoop-auth:2.6.0
        +-org.apache.curator:curator-framework:2.6.0
          +-com.google.guava:guava:16.0.1
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-org.apache.hadoop:hadoop-client:2.6.0
    +-org.apache.hadoop:hadoop-mapreduce-client-app:2.6.0
      +-org.apache.hadoop:hadoop-mapreduce-client-common:2.6.0
        +-org.apache.hadoop:hadoop-yarn-client:2.6.0
          +-com.google.guava:guava:11.0.2
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-org.apache.hadoop:hadoop-client:2.6.0
    +-org.apache.hadoop:hadoop-mapreduce-client-app:2.6.0
      +-org.apache.hadoop:hadoop-mapreduce-client-common:2.6.0
        +-org.apache.hadoop:hadoop-yarn-server-common:2.6.0
          +-com.google.guava:guava:11.0.2
, 
Require upper bound dependencies error for com.squareup.okhttp3:okhttp:4.10.0 paths to dependency are:
+-io.milvus:milvus-sdk-java:2.4.0
  +-com.squareup.okhttp3:okhttp:4.10.0
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-io.minio:minio:8.5.7
    +-com.squareup.okhttp3:okhttp:4.12.0
, 
Require upper bound dependencies error for org.xerial.snappy:snappy-java:1.1.8.3 paths to dependency are:
+-io.milvus:milvus-sdk-java:2.4.0
  +-org.apache.parquet:parquet-hadoop:1.13.1
    +-org.xerial.snappy:snappy-java:1.1.8.3
and
+-io.milvus:milvus-sdk-java:2.4.0
  +-io.minio:minio:8.5.7
    +-org.xerial.snappy:snappy-java:1.1.10.5
]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.537 s
[INFO] Finished at: 2024-03-25T18:39:33+08:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M2:enforce (enforce) on project milvus-sdk-java: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

Process finished with exit code 1
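As an added example (not code from the issue, the SDK or the Maven enforcer plugin), the following Python helper automates the two checks this thread does by hand: it reads `mvn dependency:tree -Dverbose` output (the format in yhmo's first comment, including the "omitted for conflict with" entries) or the enforcer's `+-g:a:v` path format, reports whether the resolved okio is older than the 3.4.0 fix for CVE-2023-3635, lists every artifact that would trip `RequireUpperBoundDeps` (a lower version resolved while a higher one exists in the graph), and renders the `<dependencyManagement>` pins that raise each one to its upper bound. The sample tree is constructed from the versions quoted in the thread after the minio 8.5.7 upgrade; the okio version placed under okhttp 4.10.0 is a placeholder, and version ordering is simplified (numeric tokens compared numerically, qualifiers such as `jre`/`android` only break ties), which is enough for the versions here but not Maven's full qualifier rules.

```python
import re
from collections import defaultdict

SCOPES = {"compile", "test", "runtime", "provided", "system", "import"}
TREE_PREFIX = " |+-\\"  # characters `mvn dependency:tree` draws before a coordinate

# Constructed sample: a verbose tree mirroring the issue after minio 8.5.7 was pulled in.
# Parenthesised "omitted" entries are what Maven's nearest-wins resolution dropped.
# The okio version under okhttp 4.10.0 is a placeholder, not a value from the thread.
TREE = r"""
io.milvus:milvus-sdk-java:jar:2.4.0
+- com.squareup.okhttp3:okhttp:jar:4.10.0:compile
|  \- com.squareup.okio:okio:jar:2.7.0:compile
+- io.grpc:grpc-netty-shaded:jar:1.59.1:compile
|  \- com.google.guava:guava:jar:32.0.1-android:compile
+- io.minio:minio:jar:8.5.7:compile
|  +- (com.google.guava:guava:jar:32.1.3-jre:compile - omitted for conflict with 32.0.1-android)
|  +- (com.squareup.okhttp3:okhttp:jar:4.12.0:compile - omitted for conflict with 4.10.0)
|  \- (org.xerial.snappy:snappy-java:jar:1.1.10.5:compile - omitted for conflict with 1.1.8.3)
+- org.apache.parquet:parquet-hadoop:jar:1.13.1:compile
|  \- org.xerial.snappy:snappy-java:jar:1.1.8.3:compile
+- org.apache.hadoop:hadoop-client:jar:2.6.0:compile
|  \- (com.google.guava:guava:jar:11.0.2:compile - omitted for conflict with 32.0.1-android)
"""


def parse_tree(text):
    """Yield (group:artifact, version, omitted) for every coordinate line.

    Handles "g:a:type:version:scope" (dependency:tree) and "g:a:version" (enforcer
    paths). Lines without a coordinate ([INFO], prose, blanks) are skipped.
    """
    for raw in text.splitlines():
        line = raw.lstrip(TREE_PREFIX).strip()
        if not line:
            continue
        omitted = line.startswith("(")
        coords = line[1:].split(" - ")[0] if omitted else line.split()[0]
        parts = coords.split(":")
        if len(parts) < 3:
            continue
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        yield f"{parts[0]}:{parts[1]}", version, omitted


def version_key(version):
    """Simplified Maven ordering: numeric tokens numerically, qualifiers break ties.
    1.1.10.5 correctly sorts above 1.1.8.3 (a plain string compare gets this wrong)."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.split(r"[.-]", version)]


def versions_by_artifact(text):
    """artifact -> {version: omitted}; a version seen resolved anywhere counts as resolved."""
    seen = defaultdict(dict)
    for artifact, version, omitted in parse_tree(text):
        seen[artifact][version] = seen[artifact].get(version, True) and omitted
    return seen


def resolved_version(text, artifact):
    """The version Maven actually puts on the classpath (first non-omitted occurrence)."""
    for art, version, omitted in parse_tree(text):
        if art == artifact and not omitted:
            return version
    return None


def below_fixed_version(text, artifact, fixed):
    """True when the resolved version of `artifact` is older than the fixed release."""
    current = resolved_version(text, artifact)
    return current is not None and version_key(current) < version_key(fixed)


def upper_bound_conflicts(text):
    """What RequireUpperBoundDeps flags: resolved version lower than another version
    present in the graph. Returns {artifact: (resolved, upper_bound)}."""
    conflicts = {}
    for artifact, versions in versions_by_artifact(text).items():
        resolved = [v for v, omitted in versions.items() if not omitted]
        if not resolved:
            continue
        upper = max(versions, key=version_key)
        if version_key(upper) > version_key(resolved[0]):
            conflicts[artifact] = (resolved[0], upper)
    return conflicts


def dependency_management_pins(text):
    """Render a <dependencyManagement> block pinning each conflict to its upper bound,
    the usual way to make the enforcer pass after a transitive upgrade."""
    entries = []
    for artifact, (_, upper) in sorted(upper_bound_conflicts(text).items()):
        group, name = artifact.split(":")
        entries.append(
            f"    <dependency>\n      <groupId>{group}</groupId>\n"
            f"      <artifactId>{name}</artifactId>\n      <version>{upper}</version>\n"
            "    </dependency>"
        )
    return ("<dependencyManagement>\n  <dependencies>\n" + "\n".join(entries)
            + "\n  </dependencies>\n</dependencyManagement>")


if __name__ == "__main__":
    okio = "com.squareup.okio:okio"
    print(f"okio {resolved_version(TREE, okio)} below 3.4.0 fix:",
          below_fixed_version(TREE, okio, "3.4.0"))
    for art, (cur, upper) in upper_bound_conflicts(TREE).items():
        print(f"RequireUpperBoundDeps: {art} resolves {cur}, graph contains {upper}")
    print(dependency_management_pins(TREE))
```

Run it against real output by piping `mvn dependency:tree -Dverbose` into `TREE`; the pins it prints are the same three the enforcer log above complains about (guava 32.1.3-jre, okhttp 4.12.0, snappy-java 1.1.10.5). Pinning in `<dependencyManagement>` is preferable to excluding the transitive okhttp, because it keeps the okio fix that motivated the upgrade while still satisfying the upper-bound rule.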

@yhmo I'll handle it

@yhmo Could you please help review? I've completed the upgrade of the Minio Java version and resolved the conflicts arising from the upgrade.

#817
#818

Has been done:
#817
#818
