Partial false positive on CVE-2021-22696

  • CPE pattern: cpe:2.3:a:apache:cxf:3.4.2:*:*:*:*:*:*:*
  • CVE number: CVE-2021-22696

This pattern rightly flags dependencies such as cxf-core and cxf-rt-*. However, it also flags cxf-xjc-*. In the latter case, it’s a false positive, since CVE-2021-22696 pertains to JWT tokens, and CXF XJC has to do with JAXB and Java code generation. The cxf-xjc-runtime dependency, for instance, contains nothing related to JWT tokens.

Additionally, there are also a number of dependencies in the group org.apache.cxf.xjcplugins that are used by Maven and Gradle plugins to generate sources when building the project, but are not themselves included in the build artifact. So regardless of whether they would have anything to do with JWT tokens (not as far as I can think of), they wouldn’t introduce any run-time vulnerabilities into the code, since they aren’t packaged with it.

It’s also worth noting that all CXF XJC dependencies (at least the ones being flagged) don’t have releases higher than 3.3.1, unlike cxf-core and cxf-rt-*, for which 3.4.3 versions were released last month, presumably to mitigate the aforementioned CVE.

I’m still a bit hesitant to advise a CPE-based suppression though, since I’m not sure if we can always assume that future cpe:2.3:a:apache:cxf CPEs will not be applicable to cxf-xjc-* going forward. But at least in the case of CVE-2021-22696, that strongly appears to be the case.

nhumblot commented, Apr 8, 2021

Hello,

org.apache.cxf.xjc-utils:cxf-xjc-runtime doesn’t appear to be triggering the false positive either. I have no idea why.

A suppression rule already exists for this dependency. You can find it in dependency-check-core/src/main/resources/dependency-check-base-suppressions.xml.

<suppress base="true">
    <notes><![CDATA[
    false positives per issue #915
    ]]></notes>
    <gav regex="true">^org\.apache\.cxf\.xjc-utils:cxf-xjc-runtime:.*$</gav>
    <cpe>cpe:/a:apache:cxf</cpe>
</suppress>

That’s why there is no vulnerability alert on this one. 🙂

xardasos commented, Nov 23, 2021

I wonder whether this suppression should be extended to xjcplugins (org.apache.cxf.xjcplugins) as well. It looks like this is also part of XJC-Utils CXF-subproject https://cxf.apache.org/xjc-utils.html and as you mentioned the subproject should get its own CPE. What do you think?
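
The two comments above raise the same question: what the quoted base suppression does and does not cover. The following Python is an added example (not code from the issue, from nhumblot or xardasos, or from dependency-check itself) that applies that rule to constructed findings; it models a suppress rule as the AND of its gav selector (a regex when regex="true") and its cpe selector (a prefix match), which is an assumption about dependency-check's semantics, and the artifact id cxf-xjc-some-plugin is a placeholder, not a real coordinate.

```python
import re
import xml.etree.ElementTree as ET

# The base suppression quoted above, wrapped in a root element so it parses.
BASE_SUPPRESSIONS = r"""
<suppressions>
  <suppress base="true">
    <notes><![CDATA[ false positives per issue #915 ]]></notes>
    <gav regex="true">^org\.apache\.cxf\.xjc-utils:cxf-xjc-runtime:.*$</gav>
    <cpe>cpe:/a:apache:cxf</cpe>
  </suppress>
</suppressions>
"""

# Candidate widened rule from the follow-up question: also cover the xjcplugins group.
EXTENDED_RULES = [{"gav": re.compile(r"^org\.apache\.cxf\.(xjc-utils|xjcplugins):.*$"),
                   "cpe": "cpe:/a:apache:cxf"}]

# Constructed findings: (GAV, CPE in the form the suppression uses, CVE from the issue).
# "cxf-xjc-some-plugin" is a placeholder artifact id, not a real Maven coordinate.
FINDINGS = [
    ("org.apache.cxf:cxf-core:3.4.2", "cpe:/a:apache:cxf:3.4.2", "CVE-2021-22696"),
    ("org.apache.cxf.xjc-utils:cxf-xjc-runtime:3.3.1", "cpe:/a:apache:cxf:3.3.1", "CVE-2021-22696"),
    ("org.apache.cxf.xjcplugins:cxf-xjc-some-plugin:3.3.1", "cpe:/a:apache:cxf:3.3.1", "CVE-2021-22696"),
]

def load_rules(xml_text):
    """Parse <suppress> elements into {gav: compiled regex or None, cpe: prefix or None}."""
    rules = []
    for s in ET.fromstring(xml_text.strip()).iter("suppress"):
        gav, cpe = s.find("gav"), s.find("cpe")
        pat = None
        if gav is not None:  # a literal <gav> is turned into an exact-match regex
            pat = gav.text.strip() if gav.get("regex") == "true" else "^" + re.escape(gav.text.strip()) + "$"
        rules.append({"gav": re.compile(pat) if pat else None,
                      "cpe": cpe.text.strip() if cpe is not None else None})
    return rules

def is_suppressed(rule, gav, cpe):
    """Every selector present in the rule must match; selectors are ANDed (assumed here)."""
    if rule["gav"] is not None and not rule["gav"].search(gav):
        return False
    if rule["cpe"] is not None and not cpe.startswith(rule["cpe"]):
        return False
    return True

def apply_suppressions(rules, findings):
    """Map each GAV to 'suppressed' or 'reported' under the given rule set."""
    return {gav: "suppressed" if any(is_suppressed(r, gav, cpe) for r in rules) else "reported"
            for gav, cpe, _cve in findings}
```

Under the base rule only cxf-xjc-runtime is suppressed, so cxf-core stays reported (correct) and the xjcplugins artifact stays reported (the remaining false positive); the widened regex suppresses both XJC groups while still leaving cxf-core reported.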
