snowflakedb/snowflake-jdbc

SNOW-1304351: The `threetenbp` package is vulnerable to Denial of Service (DoS) due to an Uncaught Exception

Closed this issue · 2 comments

Explanation: The threetenbp package is vulnerable to Denial of Service (DoS) due to an Uncaught Exception. The TZDB.dat file included with this package contains corrupted timezone information. Consequently, when parsed by DateTimeFormatterBuilder, this package may yield uncaught exceptions. A remote attacker who can cause this package to parse certain crafted inputs can exploit this vulnerability to crash affected applications.
Detection: The application is vulnerable by using this component.
Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
Threat Vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Issue: sonatype-2024-0639
Source: Sonatype Data Research
SONATYPE Threat Level: 7
CVE CWE: 394
CWE URL: https://cwe.mitre.org/data/definitions/394.html
CVE URL: https://sonatype.fiserv.one/ui/links/vln/sonatype-2024-0639
CVE CVSS 3.0: Not Set
CVE CVSS 2.0: Not Set
SONATYPE CVSS 3.0: 7.5

Please answer these questions before submitting your issue.
In order to accurately debug the issue this information is required. Thanks!

  1. What version of JDBC driver are you using? 3.15.0

  2. What operating system and processor architecture are you using? Linux

  3. What version of Java are you using? 11

  4. What did you do? Fortify code scan

  5. What did you expect to see? No high security vulnerabilities

  6. Can you set logging to DEBUG and collect the logs? N/a

  7. What is your Snowflake account identifier, if any? (Optional)
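For anyone triaging the same scanner finding, the check below is an added example (not code from this issue, the snowflake-jdbc project, or the threetenbp maintainers). It exercises the two things the advisory text talks about: loading the rules for every zone id in the bundled TZDB.dat, and parsing zone ids through a `DateTimeFormatterBuilder`-built formatter so that bad input is rejected with a caught `DateTimeParseException` rather than an uncaught one. It assumes `org.threeten:threetenbp` is on the classpath under its original `org.threeten.bp` package names; if the driver you ship relocates (shades) the library, adjust the imports to the relocated package, which is not shown here. The input list is constructed for the example.

```java
import org.threeten.bp.DateTimeException;
import org.threeten.bp.ZoneId;
import org.threeten.bp.format.DateTimeFormatter;
import org.threeten.bp.format.DateTimeFormatterBuilder;
import org.threeten.bp.format.DateTimeParseException;
import org.threeten.bp.temporal.TemporalQueries;
import org.threeten.bp.zone.ZoneRulesProvider;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Self-check for the threetenbp copy on the classpath (added example, assumes the
 * unshaded org.threeten.bp packages): does the bundled TZDB.dat load for every
 * advertised zone id, and do zone-id parse failures surface as catchable exceptions?
 */
public class ThreetenTzdbCheck {

    /** Loads the rules for every zone id the bundled TZDB advertises; returns the ids that failed. */
    static List<String> zonesThatFailToLoad() {
        List<String> failed = new ArrayList<>();
        for (String id : ZoneRulesProvider.getAvailableZoneIds()) {
            try {
                ZoneRulesProvider.getRules(id, false);   // forces the region's rules to be parsed
            } catch (RuntimeException e) {               // ZoneRulesException extends DateTimeException
                failed.add(id + " -> " + e);
            }
        }
        return failed;
    }

    /** Parses each candidate the way an application would, with a formatter from the builder API. */
    static void parseZoneIds(List<String> candidates) {
        DateTimeFormatter fmt = new DateTimeFormatterBuilder().appendZoneId().toFormatter();
        for (String text : candidates) {
            try {
                ZoneId zone = fmt.parse(text, TemporalQueries.zoneId());
                System.out.println("ok      " + text + " -> " + zone.getId());
            } catch (DateTimeParseException e) {         // malformed or unknown id: expected and handled
                System.out.println("reject  " + text + " (" + e.getMessage() + ")");
            } catch (DateTimeException e) {              // anything else escaping from the zone layer
                System.out.println("error   " + text + " (" + e + ")");
            }
        }
    }

    public static void main(String[] args) {
        // Report which TZDB data versions the bundled provider carries for a known region.
        System.out.println("TZDB versions for UTC: " + ZoneRulesProvider.getVersions("UTC").keySet());

        List<String> failed = zonesThatFailToLoad();
        System.out.println(failed.isEmpty()
                ? "all " + ZoneRulesProvider.getAvailableZoneIds().size() + " zone ids loaded"
                : "zone ids that failed to load: " + failed);

        // Constructed inputs: valid region ids, an unknown region, empty text, and a junk offset.
        parseZoneIds(Arrays.asList("UTC", "Europe/Warsaw", "America/Los_Angeles",
                                   "Not/AZone", "", "+99:99"));
    }
}
```

Run it against the exact threetenbp version your dependency tree resolves (for the driver in this issue, the version bundled with snowflake-jdbc 3.15.0). A clean run reports no zone ids that fail to load and prints `reject` for the malformed inputs; an `error` line or an exception escaping `main` would be the behaviour worth reporting upstream.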

Hello @cheevo ,

Thanks for raising the issue, we are looking into it, will update.

Regards,
Sujan

Hello @cheevo ,

Update from threetenbp. The reported CVEs are invalid, and no action is needed.

threetenbp provided the page about the CVEs (ThreeTen/threetenbp@adcdbc4), and it is visible on their website https://www.threeten.org/threetenbp/security.html. For the two reported CVEs they stated that

Users of ThreeTen-Backport do not need to take any action as the CVE is invalid.

So, closing this issue.

Regards,
Sujan