Troubleshooting CVEs in Java libraries
I'm sometimes asked to mitigate a vulnerability found in a Java library we are using. CVE is an acronym for Common Vulnerabilities and Exposures; for more information see Understanding CVEs below. Below are some of the steps I've followed.
Quick Reference
Steps
Given a Java artifact (groupId:artifactId:version) (e.g., com.fasterxml.jackson.core:jackson-databind:2.6.3)
- Go to Maven Central.
- Find the artifact by groupId:artifactId that has the CVE against it.
- Look for a newer version of the artifact that doesn't have the CVE.
- Maven Central lists versions in a table; a VULNERABILITY COUNT of zero indicates no known vulnerabilities.
- Look for a version that has NO vulnerabilities, or only LOW to MEDIUM vulnerabilities. See Understanding CVEs.
- NOTE: record the version with the fix, the newest version, and their release dates.
- Update the BOM file (pom.xml or build.gradle) and verify the vulnerable dependency is gone:
gradle dependencies
or
mvn dependency:tree
- Verify the code still works as expected.
- Rebuild the impacted artifact, and ALL artifacts that depend on it.
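To confirm that the vulnerable version is really gone after the update (the mvn dependency:tree step above), here is an added Python example that is not part of these notes: it parses a constructed sample of mvn dependency:tree output and reports every path through which a given groupId:artifactId:version is still pulled in, including transitive ones. It handles Maven's tree layout only; gradle dependencies prints a different format.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (not output from a real project):
# the vulnerable jackson-databind 2.6.3 is pulled in directly and again transitively.
SAMPLE_TREE = """\
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.6.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.6.3:compile
[INFO] \\- org.example:some-client:jar:3.1.0:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-databind:jar:2.6.3:compile
"""

# The tree-drawing prefix ("+- ", "|  ", "\- ", "   ") is 3 characters per nesting level.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[|+\\ \-]*)(?P<coord>\S+:\S+)$")


def parse_tree(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (depth, groupId, artifactId, version) for every artifact line in the tree."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other Maven log lines (BUILD SUCCESS, plugin banners, ...)
        parts = m.group("coord").split(":")
        # groupId:artifactId:type[:classifier]:version[:scope]; the root line has no scope.
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        rows.append((len(m.group("prefix")) // 3, parts[0], parts[1], version))
    return rows


def find_paths(text: str, group: str, artifact: str, version: str) -> List[str]:
    """Return each chain root -> ... -> vulnerable artifact; an empty list means it is gone."""
    ancestors: List[str] = []  # coordinates of the current line's ancestors, indexed by depth
    hits = []
    for depth, g, a, v in parse_tree(text):
        del ancestors[depth:]
        ancestors.append(f"{g}:{a}:{v}")
        if (g, a, v) == (group, artifact, version):
            hits.append(" -> ".join(ancestors))
    return hits


if __name__ == "__main__":
    for path in find_paths(SAMPLE_TREE, "com.fasterxml.jackson.core", "jackson-databind", "2.6.3"):
        print("still present via:", path)
```

A second path in the output tells you which direct dependency (here some-client) is dragging the old version back in, so bumping your own declaration alone will not remove it.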
Public Vulnerability Databases
- NVD (National Vulnerability Database) - Search
- OSV.dev
- Snyk Advisor - Handles npm, PyPI, Go and Docker
Questions
I have a CVE but Maven Central doesn’t list it, how can I find the artifact where the problem is fixed?
A couple of times (at least), I've been given a CVE from Sonatype that doesn't appear on Maven Central as a CVE/vulnerability.
The NVD database lets you search for Java artifacts that have issues; see How can I search the NVD for CVEs on Java artifacts I'm using? below.
What does Vector mean?
A CVE has a CVSS rating which includes a vector. For example, this is a vector:
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The vector is a brief way of summarizing the vulnerability. The vector information includes:
- Attack Vector (AV)
- Attack Complexity (AC)
- Privileges Required (PR)
- User Interaction (UI)
- Scope (S)
- Confidentiality (C)
- Integrity (I)
- Availability (A)
For more information about what each of these means, see First.org's CVSS Specification.
An example
I've been notified that Jackson Core 2.14.3 has a Sonatype CVE, sonatype-2022-6438, at 7.5 severity.
I always start at Maven Central (Maven Central Jackson Core 2.14.3), because this is where I'll find a newer version of com.fasterxml.jackson.core:jackson-core:2.14.3.
I used Maven Central - https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core
which shows me:
- 2.14.0 Nov 5, 2022
- 2.14.1 Nov 22, 2022
- 2.14.2 Jan 29, 2023
- 2.15.0 Apr 23, 2023
- 2.16.0 Nov 16, 2023
- 2.17.0 Mar 13, 2024
- 2.18.0 Sep 27, 2024
- 2.18.2 Nov 28, 2024 is latest version
Surprisingly, NONE of these versions list any CVE issues.
Go to Sonatype https://www.sonatype.com/ and look at resources. Nothing useful; it's all paid for!
Searching for the sonatype-2022-6438 issue, I found:
https://build.opensuse.org/projects/openSUSE:Step:FrontRunner/packages/jackson-core.28283/files/jackson-core.changes?expand=0
2.15.0 (23-Apr-2023)
+ #827: Add numeric value size limits via
'StreamReadConstraints' (fixes 'sonatype-2022-6438')
Searching the GitHub jackson-core repo, I found: https://github.com/search?q=repo%3AFasterXML%2Fjackson-core+2022-6438&type=code
2.15.0 (23-Apr-2023)
#815: Add maximum numeric value length limits via `StreamReadConstraints` (fixes
`sonatype-2022-6438`)
So it is official.
Sonatype’s website
https://help.sonatype.com/en/vulnerability-lookup.html
On Sonatype's website I found this, which explains a lot!!!
CVEs not found in Sonatype data
Our vulnerability search feature is used to search for vulnerabilities that exist in components we have ingested into our data. It is not a general lookup for all CVEs reported on the National Vulnerability Database (NVD).
The search will not show vulnerabilities for components we have not ingested.
How can I search the NVD for CVEs on Java artifacts I’m using?
In this example, we look for CVEs on the Java artifact com.fasterxml.jackson.core:jackson-databind:2.6.3.
- Go to the search page NVD Vulnerability Search at https://nvd.nist.gov/vuln/search.
- Click on Advanced Search.
- Locate the Vendor field and enter fasterxml (this is the vendor for Jackson Databind). Note that this Vendor field isn't the same as the Java artifact groupId, which would have been com.fasterxml.jackson.core.
- Locate the Product field and select jackson-databind.
If the above isn't working, the following URL is what I intended for you to find; it returns all of the CVEs against jackson-databind (fasterxml:jackson-databind:2.6.3):
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Afasterxml&cpe_product=cpe%3A%2F%3A%3Ajackson-databind&cpe_version=cpe%3A%2F%3Afasterxml%3Ajackson-databind%3A2.6.3
How can I run the OWASP Dependency Checker?
Step #1: Update your build.gradle to include the plugin and the configuration for the task dependencyCheckAnalyze, which is implemented by the plugin org.owasp.dependencycheck:
plugins {
    id 'java'
    id "org.owasp.dependencycheck" version "8.4.0"
}

dependencyCheck {
    failBuildOnCVSS = 7 // Fails the build if vulnerabilities with CVSS >= 7 are found (succeeds otherwise)
    // suppressionFile = file("dependency-check-suppressions.xml") // Custom suppression file (optional)
    formats = ["HTML", "JSON"] // Report formats
    outputDirectory = "./build/reports/dependency-check" // Output directory
}
Step #2: After the above change, I run:
gradle dependencyCheckAnalyze
Step #3: Open a browser to $PWD/build/reports/dependency-check/dependency-check-report.html. I run
ls $PWD/build/reports/dependency-check/dependency-check-report.html
to get the full path name of the HTML file.
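The config above also writes a JSON report next to the HTML one. As an added example (my own code, not part of the OWASP plugin or these notes), this Python script reads such a report and lists every finding at or above the same 7.0 threshold used by failBuildOnCVSS, worst first, so the list can be pasted into a ticket. The field names (dependencies[].fileName, vulnerabilities[].name, cvssv3.baseScore, cvssv2.score) are my understanding of the report layout, and the sample report and CVE ids are constructed placeholders.

```python
import json
from typing import List, Tuple

# Constructed sample in the shape of dependency-check-report.json (assumed field names,
# placeholder CVE ids and scores; not copied from a real report).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "jackson-databind-2.6.3.jar",
         "vulnerabilities": [
             {"name": "CVE-PLACEHOLDER-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-PLACEHOLDER-0002", "severity": "MEDIUM", "cvssv2": {"score": 5.0}},
         ]},
        {"fileName": "jackson-core-2.6.3.jar"},  # clean dependency: no vulnerabilities key at all
        {"fileName": "some-client-3.1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-PLACEHOLDER-0003", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}},
         ]},
    ]
})


def score_of(vuln: dict) -> float:
    """Take the highest score present; a finding may carry only a v2 or only a v3 score."""
    candidates = (vuln.get("cvssv3", {}).get("baseScore"), vuln.get("cvssv2", {}).get("score"))
    return max((float(s) for s in candidates if s is not None), default=0.0)


def findings_at_or_above(report_json: str, threshold: float) -> List[Tuple[str, str, float]]:
    """List (jar, CVE id, score) for every finding at or above the threshold, worst first."""
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = score_of(vuln)
            if score >= threshold:
                hits.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return sorted(hits, key=lambda h: (-h[2], h[0]))


def build_should_fail(report_json: str, threshold: float = 7.0) -> bool:
    """Same yes/no decision as failBuildOnCVSS = 7 in the Gradle config above."""
    return bool(findings_at_or_above(report_json, threshold))


if __name__ == "__main__":
    for jar, cve, score in findings_at_or_above(SAMPLE_REPORT, 7.0):
        print(f"{score:4.1f}  {cve:24}  {jar}")
    print("build should fail:", build_should_fail(SAMPLE_REPORT))
```

To run it on a real build, replace SAMPLE_REPORT with the contents of build/reports/dependency-check/dependency-check-report.json.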
Understanding CVEs (LOW, MEDIUM, HIGH)
CVE (Common Vulnerabilities and Exposures) is an industry term used to indicate that an artifact (e.g., a software library or hardware) has a security issue. Every CVE is given a rating, which is a CVSS score and a severity level (see the table below). The higher the CVSS number (up to 10), the more severe the vulnerability. All CVEs have risk associated with them.
CISA recommends that CVEs with a CVSS score of 7.0 or higher be mitigated. See reference CISA recommendations for fixing Critical and High Severity CVEs,
which says:
- Critical vulnerabilities should be remediated within 15 calendar days of initial detection.
- High vulnerabilities should be remediated within 30 calendar days of initial detection.
| CVSS Score | Severity Level | Description |
|---|---|---|
| 0.0 | ✅ None | No impact or risk. |
| 0.1 – 3.9 | 🟢 Low | Minor security issue, hard to exploit. |
| 4.0 – 6.9 | 🟡 Medium | Some risk, may require user interaction. |
| 7.0 – 8.9 | 🔴 High | Serious vulnerability, easily exploitable. |
| 9.0 – 10.0 | 🔥 Critical | Severe risk, remote code execution or data breach likely. |
A CVE's score is based on a few factors, explained in more detail at https://www.balbix.com/insights/understanding-cvss-scores/, which includes a diagram of those factors.
A full understanding of CVEs is outside the scope of this web page. See the References for more information.
Glossary of Terms
Attack Vector - Defines how the vulnerability can be exploited: Network, Adjacent Network, Local, Physical
CPE - Common Platform Enumeration basically refers to the Operating System (Windows 10) or a Platform like Android.
CVE - Common Vulnerabilities and Exposures
CVE ID - CVE identifier
CWE - Common Weakness Enumeration (i.e., weakness categories). For example, CWE-79 is Cross-Site Scripting.
CVSS V2/V3 Severity Range - Every CVE is given a severity level (0 to 10) to indicate its severity. The higher the severity, the more important this issue is to fix or mitigate. The most severe is Critical, which indicates you are immediately vulnerable and should get this fixed; the others are High, Medium, and Low (in most to least severe order).
EPSS Score – Exploit Prediction Scoring System allows filtering based on the likelihood of exploitation.
Remediation Level – Lets users filter by the availability of fixes or mitigations. Examples are: Official Fix, Workaround, Unavailable
SBOM - Software Bill of Materials
Source Identifier – Refers to the source (group, individual) that reported the vulnerability
Vulnerability Status - Analyzed: fully reviewed by NVD; Awaiting Analysis: not yet reviewed; Modified: recently updated with new details.
References
Maven Artifact Naming - Explanation of groupId:artifactId:version.
NIST CVSS Severity
OWASP Dependency-Check - Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.
CVE Details - Has charts that show information about vulnerabilities.
Difference between CVE and CVSS
First.org - Self-Paced on-line training for CVSS.
The following were not, IMO, important for understanding how to fix Java CVEs, but might be useful to someone.
Payment Card Industry Standards (PCI) DSS - The PCI DSS standard provides security requirements for handling, storing, and transmitting credit card data. The latest standard is PCI-DSS v4.0 dated June 2024.
Contrast Security 2014 paper