Skip to content

[owasp] add suppression for Kotlin stdlib CVE-2022-24329 #14629

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lhotari merged 1 commit into from
Mar 10, 2022
Merged

[owasp] add suppression for Kotlin stdlib CVE-2022-24329 #14629

lhotari merged 1 commit into from
Mar 10, 2022

Conversation

@nicoloboschi
Copy link
Contributor

@nicoloboschi nicoloboschi commented Mar 9, 2022
edited
Loading

Follow-up of #14579.

Motivation

OWASP checker reports this vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2022-24329
for Kotlin < 1.6.x

Currently we import Kotlin 1.4.32 from OkHttp3 (see #13065).
CVE-2022-24329 is rated as mid CVSS level (5.0).
Kotlin is used only by the Kubernetes client runtime lib.

Given that:

  • Pulsar codebase doesn't have a good test coverage for the K8S client
  • The vulnerability is mid level
  • The vulnerability doesn't look relevant for Pulsar

It's safer to add the suppression instead of upgrading it without testing it.

Modifications

  • Add the supression for Kotlin 1.4.32 for the cve CVE-2022-24329

  • no-need-doc

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Mar 9, 2022
@nicoloboschi
Copy link
Contributor Author

nicoloboschi commented Mar 9, 2022

need to be cherry-picked to 2.9 as well https://github.com/apache/pulsar/runs/5473308768?check_suite_focus=true

@nicoloboschi nicoloboschi changed the title [owasp] add suppressions for Kotlin stdlib CVE-2022-24329 [owasp] add suppression for Kotlin stdlib CVE-2022-24329 Mar 9, 2022
@lhotari
Copy link
Member

lhotari commented Mar 9, 2022

/pulsarbot run-failure-checks

@lhotari lhotari merged commit 4910519 into apache:master Mar 10, 2022
nicoloboschi added a commit to datastax/pulsar that referenced this pull request Mar 10, 2022
@nicoloboschi
[owasp] add suppressions for Kotlin stdlib CVE-2022-24329 (apache#14629)
a3ddcee 
(cherry picked from commit 4910519)
nicoloboschi added a commit to datastax/pulsar that referenced this pull request Mar 10, 2022
@nicoloboschi
[owasp] add suppressions for Kotlin stdlib CVE-2022-24329 (apache#14629)
ce42334 
(cherry picked from commit 4910519)
@nicoloboschi nicoloboschi mentioned this pull request Mar 16, 2022
Merged
1 task
RobertIndie pushed a commit to RobertIndie/pulsar that referenced this pull request Mar 28, 2022
@nicoloboschi @RobertIndie
[owasp] add suppressions for Kotlin stdlib CVE-2022-24329 (apache#14629)
f99db09 
(cherry picked from commit 4910519)
Nicklee007 pushed a commit to Nicklee007/pulsar that referenced this pull request Apr 20, 2022
@nicoloboschi
[owasp] add suppressions for Kotlin stdlib CVE-2022-24329 (apache#14629)
9a3a125
nicoloboschi added a commit to datastax/pulsar that referenced this pull request May 5, 2022
@nicoloboschi
[owasp] add suppressions for Kotlin stdlib CVE-2022-24329 (apache#14629)
0cab7ba 
(cherry picked from commit 4910519)
@mattisonchao
Copy link
Member

mattisonchao commented May 24, 2022

Hi @nicoloboschi Would you mind cherry-pick this PR to branch-2.9?

@nicoloboschi nicoloboschi deleted the suppress-kotlin-owasp branch May 24, 2022 08:02
nicoloboschi added a commit that referenced this pull request May 24, 2022
@nicoloboschi
[owasp] add suppressions for Kotlin stdlib CVE-2022-24329 (#14629)
4be6eee 
(cherry picked from commit 4910519)
nicoloboschi added a commit that referenced this pull request May 24, 2022
@nicoloboschi
[owasp] add suppressions for Kotlin stdlib CVE-2022-24329 (#14629)
55be557 
(cherry picked from commit 4910519)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lhotari lhotari lhotari approved these changes

@nodece nodece nodece approved these changes

Assignees

@nicoloboschi nicoloboschi

Labels

cherry-picked/branch-2.9 Archived: 2.9 is end of life cherry-picked/branch-2.10 doc-not-needed Your PR changes do not impact docs release/2.9.3 release/2.10.1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@nicoloboschi @lhotari @mattisonchao @nodece