[CVE BUG] Transitive CVE is introduced via Java SDK
msmygit opened this issue · 6 comments
msmygit commented
CVE-2023-3635 7.5 Incorrect Conversion between Numeric Types vulnerability with High severity found
Today, when someone adds the milvus Java SDK, a transitive CVE is injected into the project. See below.
Version impacted:
<dependency>
    <groupId>io.milvus</groupId>
    <artifactId>milvus-sdk-java</artifactId>
    <version>2.3.4</version>
</dependency>
xiaofan-luan commented
/assign @lentitude2tk
Could you take a look at it?
yhmo commented
CVE-2023-3635 is caused by okio, which is included by minio-java. minio-java is imported for BulkWriter.
+- io.minio:minio:jar:8.2.1:compile
| +- com.carrotsearch.thirdparty:simple-xml-safe:jar:2.7.1:compile
| +- (com.google.guava:guava:jar:29.0-jre:compile - omitted for conflict with 32.0.1-android)
| +- com.squareup.okhttp3:okhttp:jar:4.8.1:compile
| | +- com.squareup.okio:okio:jar:2.7.0:compile
CVE-2023-3635 is fixed in okio 3.4.0: square/okio#1280
The minio-java 8.5.7 fixed this issue by upgrading the okhttp from 4.11 to 4.12: https://github.com/minio/minio-java/releases/tag/8.5.7
yhmo commented
Got a new error after upgrading minio-java to 8.5.7; not sure of the root cause.
[INFO] Scanning for projects...
[INFO] Inspecting build with total of 1 modules...
[INFO] Installing Nexus Staging features:
[INFO] ... total of 1 executions of maven-deploy-plugin replaced with nexus-staging-maven-plugin
[INFO] ------------------------------------------------------------------------
[INFO] Detecting the operating system and CPU architecture
[INFO] ------------------------------------------------------------------------
[INFO] os.detected.name: linux
[INFO] os.detected.arch: x86_64
[INFO] os.detected.version: 5.4
[INFO] os.detected.version.major: 5
[INFO] os.detected.version.minor: 4
[INFO] os.detected.release: ubuntu
[INFO] os.detected.release.version: 20.04
[INFO] os.detected.release.like.ubuntu: true
[INFO] os.detected.release.like.debian: true
[INFO] os.detected.classifier: linux-x86_64
[INFO]
[INFO] ---------------------< io.milvus:milvus-sdk-java >----------------------
[INFO] Building io.milvus:milvus-sdk-java 2.4.0
[INFO] from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- enforcer:3.0.0-M2:enforce (enforce) @ milvus-sdk-java ---
[WARNING] Rule 0: org.apache.maven.plugins.enforcer.RequireUpperBoundDeps failed with message:
Failed while enforcing RequireUpperBoundDeps. The error(s) are [
Require upper bound dependencies error for com.google.guava:guava:32.0.1-android paths to dependency are:
+-io.milvus:milvus-sdk-java:2.4.0
+-io.grpc:grpc-netty-shaded:1.59.1
+-com.google.guava:guava:32.0.1-android
and
+-io.milvus:milvus-sdk-java:2.4.0
+-io.grpc:grpc-protobuf:1.59.1
+-com.google.guava:guava:32.0.1-android
and
+-io.milvus:milvus-sdk-java:2.4.0
+-io.grpc:grpc-stub:1.59.1
+-com.google.guava:guava:32.0.1-android
and
+-io.milvus:milvus-sdk-java:2.4.0
+-io.minio:minio:8.5.7
+-com.google.guava:guava:32.1.3-jre
and
+-io.milvus:milvus-sdk-java:2.4.0
+-io.grpc:grpc-netty-shaded:1.59.1
+-io.grpc:grpc-core:1.59.1
+-com.google.guava:guava:32.0.1-android
and
+-io.milvus:milvus-sdk-java:2.4.0
+-io.grpc:grpc-protobuf:1.59.1
+-io.grpc:grpc-api:1.59.1
+-com.google.guava:guava:32.0.1-android
and
+-io.milvus:milvus-sdk-java:2.4.0
+-io.grpc:grpc-protobuf:1.59.1
+-io.grpc:grpc-protobuf-lite:1.59.1
+-com.google.guava:guava:32.0.1-android
and
+-io.milvus:milvus-sdk-java:2.4.0
+-io.grpc:grpc-testing:1.59.1
+-io.grpc:grpc-inprocess:1.59.1
+-com.google.guava:guava:32.0.1-android
and
+-io.milvus:milvus-sdk-java:2.4.0
+-org.apache.hadoop:hadoop-client:2.6.0
+-org.apache.hadoop:hadoop-common:2.6.0
+-com.google.guava:guava:11.0.2
and
+-io.milvus:milvus-sdk-java:2.4.0
+-org.apache.hadoop:hadoop-client:2.6.0
+-org.apache.hadoop:hadoop-hdfs:2.6.0
+-com.google.guava:guava:11.0.2
and
+-io.milvus:milvus-sdk-java:2.4.0
+-org.apache.hadoop:hadoop-client:2.6.0
+-org.apache.hadoop:hadoop-yarn-api:2.6.0
+-com.google.guava:guava:11.0.2
and
+-io.milvus:milvus-sdk-java:2.4.0
+-org.apache.hadoop:hadoop-client:2.6.0
+-org.apache.hadoop:hadoop-common:2.6.0
+-org.apache.curator:curator-client:2.6.0
+-com.google.guava:guava:16.0.1
and
+-io.milvus:milvus-sdk-java:2.4.0
+-org.apache.hadoop:hadoop-client:2.6.0
+-org.apache.hadoop:hadoop-common:2.6.0
+-org.apache.curator:curator-recipes:2.6.0
+-com.google.guava:guava:16.0.1
and
+-io.milvus:milvus-sdk-java:2.4.0
+-org.apache.hadoop:hadoop-client:2.6.0
+-org.apache.hadoop:hadoop-common:2.6.0
+-org.htrace:htrace-core:3.0.4
+-com.google.guava:guava:12.0.1
and
+-io.milvus:milvus-sdk-java:2.4.0
+-org.apache.hadoop:hadoop-client:2.6.0
+-org.apache.hadoop:hadoop-mapreduce-client-core:2.6.0
+-org.apache.hadoop:hadoop-yarn-common:2.6.0
+-com.google.guava:guava:11.0.2
and
+-io.milvus:milvus-sdk-java:2.4.0
+-org.apache.hadoop:hadoop-client:2.6.0
+-org.apache.hadoop:hadoop-common:2.6.0
+-org.apache.hadoop:hadoop-auth:2.6.0
+-org.apache.curator:curator-framework:2.6.0
+-com.google.guava:guava:16.0.1
and
+-io.milvus:milvus-sdk-java:2.4.0
+-org.apache.hadoop:hadoop-client:2.6.0
+-org.apache.hadoop:hadoop-mapreduce-client-app:2.6.0
+-org.apache.hadoop:hadoop-mapreduce-client-common:2.6.0
+-org.apache.hadoop:hadoop-yarn-client:2.6.0
+-com.google.guava:guava:11.0.2
and
+-io.milvus:milvus-sdk-java:2.4.0
+-org.apache.hadoop:hadoop-client:2.6.0
+-org.apache.hadoop:hadoop-mapreduce-client-app:2.6.0
+-org.apache.hadoop:hadoop-mapreduce-client-common:2.6.0
+-org.apache.hadoop:hadoop-yarn-server-common:2.6.0
+-com.google.guava:guava:11.0.2
,
Require upper bound dependencies error for com.squareup.okhttp3:okhttp:4.10.0 paths to dependency are:
+-io.milvus:milvus-sdk-java:2.4.0
+-com.squareup.okhttp3:okhttp:4.10.0
and
+-io.milvus:milvus-sdk-java:2.4.0
+-io.minio:minio:8.5.7
+-com.squareup.okhttp3:okhttp:4.12.0
,
Require upper bound dependencies error for org.xerial.snappy:snappy-java:1.1.8.3 paths to dependency are:
+-io.milvus:milvus-sdk-java:2.4.0
+-org.apache.parquet:parquet-hadoop:1.13.1
+-org.xerial.snappy:snappy-java:1.1.8.3
and
+-io.milvus:milvus-sdk-java:2.4.0
+-io.minio:minio:8.5.7
+-org.xerial.snappy:snappy-java:1.1.10.5
]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.537 s
[INFO] Finished at: 2024-03-25T18:39:33+08:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M2:enforce (enforce) on project milvus-sdk-java: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
Process finished with exit code 1
lentitude2tk commented
@yhmo I'll handle it