Discussion:
Security vulnerabilities in Axis2 dependencies? "tribes" & "juli" JAR files
axis2user82
2018-08-06 10:13:47 UTC
Hi

Sorry if you are getting this mail twice, but I sent it before having
finished subscribing, so I was unsure if it reached the list.

We have recently integrated the OWASP Dependency Checker into our CI setup,
and it has flagged two libraries as potentially problematic (i.e. affected
by serious CVEs), namely tribes-6.0.16.jar & juli-6.0.16.jar. It turns out
those are actually dependencies for Axis2. Both JAR files seem to be part
of Tomcat 6. Question is, how should we react to this finding? Are the
CVEs for those libraries not relevant when used in the context of Axis2,
since they haven't been updated (the latest version of Axis2 still ships
those versions)?

Thanks!

BR, Martin

---

Dependency: tribes-6.0.16.jar
  CPE:              cpe:/a:apache:tomcat:6.0.16
                    cpe:/a:apache_software_foundation:tomcat:6.0.16
                    cpe:/a:apache_tomcat:apache_tomcat:6.0.16
  Coordinates:      org.apache.tomcat:tribes:6.0.16 ✓
  Highest Severity: High
  CVE Count:        66
  CPE Confidence:   Highest
  Evidence Count:   18

Dependency: juli-6.0.16.jar
  CPE:              cpe:/a:apache:tomcat:6.0.16
                    cpe:/a:apache_software_foundation:tomcat:6.0.16
                    cpe:/a:apache_tomcat:apache_tomcat:6.0.16
  Coordinates:      org.apache.tomcat:juli:6.0.16 ✓
  Highest Severity: High
  CVE Count:        66
  CPE Confidence:   Highest
  Evidence Count:   16
Andreas Veithen
2018-08-06 12:11:45 UTC
These libraries are dependencies of axis2-clustering. Are you using
the clustering support?

Andreas
---------------------------------------------------------------------
To unsubscribe, e-mail: java-user-***@axis.apache.org
For additional commands, e-mail: java-user-***@axis.apache.org
Martin H
2018-08-06 12:21:46 UTC
Hi Andreas

I don't think so - we have a load balancer (Netscaler) in front of the
solution that handles the distribution to the nodes running the application
which uses Axis2. But no clustering/load-balancing that Axis2 is aware of.
Is there a way to determine for sure if it is enabled/disabled?

Assuming we don't use clustering support:

1) Is it safe to remove those JAR files from the classpath if we don't use
clustering support?
2) Will the files pose a threat if on the classpath even with clustering
support disabled?

I guess with respect to #2 the safest thing is to omit the JARs altogether,
because some vulns can be triggered just by having the code on the
classpath (i.e. deserialization etc.).

BR, Martin
Post by Andreas Veithen
These libraries are dependencies of axis2-clustering. Are you using
the clustering support?
Andreas
Andreas Veithen
2018-08-06 13:16:28 UTC
Post by Martin H
Hi Andreas
I don't think so - we have a load balancer (Netscaler) in front of the solution that handles the distribution to the nodes running the application which uses Axis2. But no clustering/load-balancing that Axis2 is aware of. Is there a way to determine for sure if it is enabled/disabled?
I think the way to check that is to look for a <cluster> element in axis2.xml.
Post by Martin H
1) Is it safe to remove those JAR files from the classpath if we don't use clustering support?
Yes.
Post by Martin H
2) Will the files pose a threat if on the classpath even with clustering support disabled?
Unlikely, but better to remove them.
Post by Martin H
I guess with respect to #2 the safest thing is to omit the JARs altogether, because some vulns can be triggered just by having the code on the classpath (i.e. deserialization etc.).
BR, Martin
Post by Andreas Veithen
These libraries are dependencies of axis2-clustering. Are you using
the clustering support?
Andreas
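A worked check for the two points Andreas makes above (look for a clustering element in axis2.xml; drop the tribes/juli JARs if clustering is not used). This is an added example written for this page, not Axis2 project code and not posted by anyone in the thread. It assumes the element is `<cluster>` (as Andreas says) or `<clustering>` (the spelling used in later Axis2 releases), found anywhere under `<axisconfig>`, that an `enable="false"` attribute switches it off, and that the JARs to look for match `tribes-<ver>.jar` / `juli-<ver>.jar`. The sample axis2.xml and the JAR names are constructed. The caveat it adds: a stock axis2.xml typically carries the clustering block commented out, so a plain text search for `<cluster` reports it as present, whereas parsing the XML ignores comments and avoids that false positive.

```python
"""Is Axis2 clustering actually enabled, and are the Tomcat tribes/juli
JARs present?  Added example for this thread, not Axis2 project code.

Assumptions (not confirmed by the thread): the clustering element is
<cluster> or <clustering> under <axisconfig>, enable="false" turns it
off, and the JARs of interest are named tribes-<ver>.jar / juli-<ver>.jar.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

CLUSTER_TAGS = ("cluster", "clustering")
FLAGGED_JAR = re.compile(r"^(tribes|juli)-[\d.]+\.jar$")

# Constructed sample modelled on a stock axis2.xml, where the clustering
# block is present but commented out.
STOCK_AXIS2_XML = """<axisconfig name="AxisJava2.0">
  <parameter name="hotdeployment">true</parameter>
  <!--
  <clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent" enable="true">
    <parameter name="domain">apache.axis2.domain</parameter>
  </clustering>
  -->
</axisconfig>
"""
# Same file with the comment markers removed: clustering really switched on.
CLUSTERED_AXIS2_XML = STOCK_AXIS2_XML.replace("<!--", "").replace("-->", "")
# Uncommented, but explicitly disabled via the enable attribute.
DISABLED_AXIS2_XML = CLUSTERED_AXIS2_XML.replace('enable="true"', 'enable="false"')


def grep_says_enabled(axis2_xml: str) -> bool:
    """What a naive text search reports; a commented-out block also matches."""
    return any(f"<{tag}" in axis2_xml for tag in CLUSTER_TAGS)


def clustering_enabled(axis2_xml: str) -> bool:
    """True only for a live (uncommented) element not marked enable="false".

    ElementTree discards XML comments while parsing, so the commented-out
    block in the stock file is never seen here.
    """
    root = ET.fromstring(axis2_xml)
    return any(
        elem.get("enable", "true").lower() != "false"
        for tag in CLUSTER_TAGS
        for elem in root.iter(tag)
    )


def flagged_jars(lib_dir: Path) -> list:
    """tribes-*/juli-* JARs found in a lib directory (e.g. WEB-INF/lib), sorted."""
    return sorted(p.name for p in lib_dir.glob("*.jar") if FLAGGED_JAR.match(p.name))


def assess(axis2_xml: str, lib_dir: Path) -> dict:
    """Which flagged JARs can be dropped: all of them, unless clustering is on."""
    enabled = clustering_enabled(axis2_xml)
    jars = flagged_jars(lib_dir)
    return {"clustering_enabled": enabled, "flagged_jars": jars,
            "removable": [] if enabled else jars}


def demo_lib_dir() -> Path:
    """Throwaway directory holding constructed, empty JAR files (names only)."""
    d = Path(tempfile.mkdtemp(prefix="axis2-lib-"))
    for name in ("axis2-kernel.jar", "tribes-6.0.16.jar", "juli-6.0.16.jar"):
        (d / name).touch()
    return d


if __name__ == "__main__":
    lib = demo_lib_dir()
    print("grep on stock axis2.xml  :", grep_says_enabled(STOCK_AXIS2_XML))   # True (false positive)
    print("parsed stock axis2.xml   :", clustering_enabled(STOCK_AXIS2_XML))  # False
    print("stock config assessment  :", assess(STOCK_AXIS2_XML, lib))
    print("clustered config         :", assess(CLUSTERED_AXIS2_XML, lib))
```

Run it against a real deployment by replacing the constructed strings with the contents of the deployed axis2.xml and pointing `flagged_jars` at the application's lib directory; only when `clustering_enabled` is False is the whole `flagged_jars` list reported as removable.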