copernik-eu/vexation

Example of distributed vulnerability handling

This repository contains an example of using CycloneDX Vulnerability Disclosure Reports (VDR) and CycloneDX Vulnerability Exploitability eXchange (VEX) documents to help a Java application (Apache Kafka) handle vulnerabilities in its dependencies.

Most Java applications are distributed together with all their dependencies (e.g., as WAR archives). Whenever a vulnerability is discovered in a dependency, the project must decide whether it needs to make a new release immediately. Since most dependencies are Open Source, each application could in principle analyze how it uses the affected dependency, but this:

  • adds a lot of work to application maintainers.

  • requires application maintainers to analyze code they are not familiar with.

In this example, we show how some of the security analysis work could be offloaded from application developers by having each dependency publish VEX files of its own.

Selected dependency chain

Kafka 4.0 will use Log4j Core 2 as its logging backend and will ship with a default log4j2.yaml configuration. This change opens a new front of potentially exploitable vulnerabilities: since the configuration is parsed as YAML, every future SnakeYAML CVE could in principle affect Kafka.

This repo contains a preliminary analysis on how past SnakeYAML vulnerabilities might have affected Kafka:

snakeyaml.vdr.xml

The snakeyaml.vdr.xml file lists, in CycloneDX format, all 8 SnakeYAML vulnerabilities known at the time of writing.

jackson.vex.xml

The only Kafka dependency that uses SnakeYAML is jackson-dataformat-yaml. The jackson.vex.xml file records the impact of each SnakeYAML vulnerability on Jackson Dataformat YAML: CVE-2022-1471 is marked as not affecting it because the vulnerable code path is not used. This leaves downstream projects with 7 vulnerabilities to assess.

log4j-core.vex.xml

Log4j Core uses Jackson Dataformat YAML for YAML parsing. However, it parses YAML only from configuration files, which must come from a trusted source: an attacker who can supply the logging configuration already controls the application. This allows us to mark all the remaining SnakeYAML vulnerabilities as not exploitable in the log4j-core.vex.xml file.

kafka.vex.xml

Taken together, the three files above let Kafka developers mark all the SnakeYAML vulnerabilities as not exploitable without re-analyzing SnakeYAML themselves. This conclusion is recorded in the kafka.vex.xml file.
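The following script is an added example of how a downstream project can mechanically consume the chain described above; it is not code from this repository. It builds small constructed CycloneDX documents standing in for snakeyaml.vdr.xml, jackson.vex.xml and log4j-core.vex.xml, propagates each layer's `not_affected` analyses down the chain, and refuses a VEX that clears a vulnerability without a justification. Only CVE-2022-1471 is named on this page; the other two CVE ids are real SnakeYAML advisories used purely as sample input, the package URLs and versions are assumed, and the `requires_environment` justification for the Log4j Core layer is my choice, not necessarily the one used in the repository's files.

```python
"""Propagate CycloneDX VEX 'not_affected' analyses down a dependency chain.

The sample documents below are constructed for this example and are NOT
copies of the repository's VDR/VEX files.
"""
import xml.etree.ElementTree as ET

NS = {"bom": "http://cyclonedx.org/schema/bom/1.5"}

# Analysis states that allow a downstream consumer to drop a vulnerability
# (values from the CycloneDX vulnerability analysis vocabulary).
CLEARED_STATES = {"not_affected", "false_positive", "resolved"}

# Assumed package URLs for the sample chain (versions are placeholders).
SNAKEYAML_REF = "pkg:maven/org.yaml/snakeyaml@1.33"
JACKSON_REF = "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.15.0"
LOG4J_REF = "pkg:maven/org.apache.logging.log4j/log4j-core@2.20.0"


def _bom(vulns: str) -> str:
    """Wrap vulnerability elements in a minimal CycloneDX BOM."""
    return ('<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">'
            f"<vulnerabilities>{vulns}</vulnerabilities></bom>")


def _vuln(cve: str, ref: str, state: str = "", justification: str = "", detail: str = "") -> str:
    """One <vulnerability> element; the <analysis> block is present only in VEX documents."""
    analysis = ""
    if state:
        analysis = f"<analysis><state>{state}</state>"
        if justification:
            analysis += f"<justification>{justification}</justification>"
        if detail:
            analysis += f"<detail>{detail}</detail>"
        analysis += "</analysis>"
    return (f"<vulnerability><id>{cve}</id><source><name>NVD</name></source>"
            f"{analysis}<affects><target><ref>{ref}</ref></target></affects></vulnerability>")


# VDR: the upstream disclosure, listing vulnerabilities with no exploitability analysis.
SNAKEYAML_VDR = _bom(
    _vuln("CVE-2022-1471", SNAKEYAML_REF)
    + _vuln("CVE-2022-25857", SNAKEYAML_REF)
    + _vuln("CVE-2022-38752", SNAKEYAML_REF))

# VEX from jackson-dataformat-yaml: the Constructor-based deserialization path is
# never called, so CVE-2022-1471 is cleared; the other two are left open.
JACKSON_VEX = _bom(
    _vuln("CVE-2022-1471", JACKSON_REF, "not_affected", "code_not_reachable",
          "SnakeYAML Constructor is not used; only the low-level parser API is invoked."))

# VEX from log4j-core: YAML only ever comes from the trusted configuration file.
TRUSTED_CONFIG = "YAML input is limited to the Log4j configuration file, which must be trusted."
LOG4J_VEX = _bom(
    _vuln("CVE-2022-25857", LOG4J_REF, "not_affected", "requires_environment", TRUSTED_CONFIG)
    + _vuln("CVE-2022-38752", LOG4J_REF, "not_affected", "requires_environment", TRUSTED_CONFIG))


def parse_analyses(xml_text: str) -> dict[str, dict]:
    """Map vulnerability id -> {'state', 'justification', 'refs'} from a CycloneDX BOM."""
    root = ET.fromstring(xml_text)
    out = {}
    for v in root.findall("bom:vulnerabilities/bom:vulnerability", NS):
        vid = v.findtext("bom:id", default="", namespaces=NS)
        out[vid] = {
            "state": v.findtext("bom:analysis/bom:state", default="", namespaces=NS),
            "justification": v.findtext("bom:analysis/bom:justification", default="", namespaces=NS),
            "refs": [t.text for t in v.findall("bom:affects/bom:target/bom:ref", NS)],
        }
    return out


def unjustified_clearances(xml_text: str) -> list[str]:
    """Ids marked not_affected without a justification; a consumer should not trust these."""
    return sorted(vid for vid, a in parse_analyses(xml_text).items()
                  if a["state"] == "not_affected" and not a["justification"])


def remaining_vulnerabilities(vdr_xml: str, vex_chain: list[str]) -> list[str]:
    """Start from every id in the VDR and drop those cleared by any VEX in the chain."""
    open_ids = set(parse_analyses(vdr_xml))
    for vex in vex_chain:
        if unjustified_clearances(vex):
            raise ValueError("refusing VEX with unjustified not_affected entries")
        for vid, a in parse_analyses(vex).items():
            if a["state"] in CLEARED_STATES:
                open_ids.discard(vid)
    return sorted(open_ids)


if __name__ == "__main__":
    print("after jackson VEX:", remaining_vulnerabilities(SNAKEYAML_VDR, [JACKSON_VEX]))
    print("after log4j-core VEX:", remaining_vulnerabilities(SNAKEYAML_VDR, [JACKSON_VEX, LOG4J_VEX]))
```

The check in `unjustified_clearances` is the part a consumer should not skip: a `not_affected` entry carries weight only because of its justification, and an unjustified clearance is a signal that the upstream analysis (or the file itself) should not be trusted until someone supplies one.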
