Vulnerabilities in Camunda Engine REST JAX RS 2.0

In “Camunda Platform Engine REST JAX RS 2.0”, we have 2 vulnerabilities, which come from a dependency (com.fasterxml.jackson.core » jackson-databind, 2 vulnerabilities).

Currently, our project is using 7.17.0, but 7.18.0-alpha5 also has these vulnerabilities.

Camunda: https://mvnrepository.com/artifact/org.camunda.bpm/camunda-engine-rest-jaxrs2
Jackson: https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.14.0

reported vulnerabilities:
CVE-2022-42003
CVE-2022-42004

Can you suggest by which version and when we will have a fix for these vulnerabilities? (I think it would only need the jar version upgrade.)
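Until a Camunda release ships a newer Jackson, the only lever a consuming project has is Maven's dependencyManagement, which overrides the version of a transitive dependency regardless of what camunda-engine-rest-jaxrs2 declares. The POM below is an added example, not the poster's project and not Camunda's own build: the application coordinates (com.example:camunda-rest-app) are hypothetical, the Camunda version is the 7.17.0 named above, and the Jackson version is the 2.14.0 from the linked Maven page, which is the first 2.14 release containing the fixes for CVE-2022-42003 and CVE-2022-42004.

```xml
<!-- Added example (not from the thread): pin a patched jackson-databind
     across the Camunda REST dependency tree via dependencyManagement.
     com.example:camunda-rest-app is a hypothetical application artifact. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>camunda-rest-app</artifactId>
  <version>1.0.0</version>
  <packaging>war</packaging>

  <properties>
    <!-- 7.17.0 is the version in use per the post above -->
    <camunda.version>7.17.0</camunda.version>
    <!-- 2.14.0 contains the fixes for CVE-2022-42003 / CVE-2022-42004 -->
    <jackson.version>2.14.0</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Importing the Jackson BOM pins databind, core and annotations to
           the same release, so the transitive jackson-databind pulled in by
           camunda-engine-rest-jaxrs2 resolves to 2.14.0 instead of the
           version Camunda 7.17.0 declares. Managing only jackson-databind
           would risk a core/annotations mismatch. -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>${jackson.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.camunda.bpm</groupId>
      <artifactId>camunda-engine-rest-jaxrs2</artifactId>
      <version>${camunda.version}</version>
    </dependency>
  </dependencies>
</project>
```

Check the result with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind`; the scanner finding disappears only if that tree shows 2.14.0 and no other path still resolves an older databind. Two caveats: a Jackson minor bump is a combination Camunda has not tested against 7.17.0, so run the REST API's integration tests after the override, and the override addresses the scanner report, not a confirmed exploitable path, since both CVEs concern resource exhaustion through deeply nested input under specific deserialization settings.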

@vijaygurunanee I’ve also faced this problem and reported it to security jira of Camunda.

Camunda team: please update the Camunda Trust Center | Camunda link residing at Report a Vulnerability | docs.camunda.org, as it currently returns a 404.

Hi,

We have assessed these CVEs a while ago and determined that Camunda 7 is not affected by them. We plan to update the dependencies with enterprise patches due for end of February and subsequently the alpha release that we will release in March and 7.19.0 in April. You can follow Update Jackson to the latest version · Issue #2842 · camunda/camunda-bpm-platform · GitHub for our progress.

@DominikLeszyk which link exactly are you referring to? If I click on “Reporting Vulnerabilities” at Camunda Trust Center | Camunda it takes me to Reporting Vulnerabilities | Camunda and from there the links point to JIRA. Note that you need a user account for the Camunda JIRA in order to raise a ticket in the SEC project.

Cheers,
Thorben

Hi @thorben
Thanks for clarification on these CVEs.
In Report a Vulnerability | docs.camunda.org there is a camunda.com/security link mentioned. Clicking it returns a 404 for me.
Cheers,
Dominik

Interesting, https://camunda.com/security#report-a-vulnerability redirects me to https://camunda.com/trust-center/#report-a-vulnerability (latest Firefox, Windows 10), although the #report-a-vulnerability anchor doesn’t work. Which browser and OS are you trying this with?

I’ve checked on the latest Firefox and Chrome on Windows 10. For me the problem is that the camunda.com/security link rendered on the Report a Vulnerability | docs.camunda.org page gets some strange ‘___hstc’ parameters in the URL, making it invalid.
Looks very similar to HubSpot adds __hstc, __hssc and __hsfp query params to all external URL, making them invalid · Issue #504 · segmentio/analytics.js · GitHub.

Thanks, when I try it on Chrome I can reproduce it too. On Firefox I use NoScript which prevents HubSpot from doing funny things. In the first step, I’ll update the URLs to avoid the redirects (Update docs link to vulnerability reporting guide · Issue #2973 · camunda/camunda-bpm-platform · GitHub). If the problem persists, I’ll let our web marketing team know.

Replacing the links seems to resolve the issue, at least in my local setup. You may have to hard reload the page, it should then display a link labeled Camunda Trust Center instead of camunda.com/security.

Thank you, it works now.