
[Bug][Security] TheHive4 libraries vulnerabilities #2362

Closed
@Adasumizox

Description

Request Type

Bug, Security

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu |
| OS version (client) | 10 |
| Virtualized Env. | True |
| TheHive version / git hash | 4.16 |
| Package Type | Docker |
| Database | Cassandra |
| Index type | Elasticsearch |
| Browser type & version | Chrome 99.0.4844.74 |

Problem Description

During security scanning of the Docker container we detected a few vulnerabilities in the jars stored in /lib.

| CVE | CVSS | PACKAGE | LOCATION |
|---|---|---|---|
| CVE-2018-14721 | 10 | com.fasterxml.jackson.core_jackson-databind | /opt/thehive/lib/net.sf.ehcache.ehcache-2.10.6.jar, /opt/thehive/lib/org.apache.htrace.htrace-core4-4.1.0-incubating.jar |
| CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2019-20330, CVE-2019-17531, CVE-2019-17267, CVE-2019-16943, CVE-2019-16942, CVE-2019-16335, CVE-2019-14893, CVE-2019-14892, CVE-2019-14540, CVE-2019-14379, CVE-2018-7489, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2018-14720, CVE-2018-14719, CVE-2018-14718 | 9.8 | com.fasterxml.jackson.core_jackson-databind | /opt/thehive/lib/net.sf.ehcache.ehcache-2.10.6.jar, /opt/thehive/lib/org.apache.htrace.htrace-core4-4.1.0-incubating.jar, /opt/thehive/lib/org.apache.tinkerpop.gremlin-shaded-3.4.6.jar |
| CVE-2019-20445, CVE-2019-20444 | 9.1 | io.netty_netty-all, io.netty_netty-codec | /opt/thehive/lib/io.netty.netty-all-4.0.56.Final.jar, /opt/thehive/lib/io.netty.netty-codec-4.0.56.Final.jar |
| CVE-2020-11113, CVE-2020-11112, CVE-2020-11111, CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672 | 8.8 | com.fasterxml.jackson.core_jackson-databind | /opt/thehive/lib/net.sf.ehcache.ehcache-2.10.6.jar, /opt/thehive/lib/org.apache.htrace.htrace-core4-4.1.0-incubating.jar, /opt/thehive/lib/org.apache.tinkerpop.gremlin-shaded-3.4.6.jar |
| CVE-2021-20190, CVE-2020-36189, CVE-2020-36188, CVE-2020-36187, CVE-2020-36186, CVE-2020-36185, CVE-2020-36184, CVE-2020-36183, CVE-2020-36182, CVE-2020-36181, CVE-2020-36180, CVE-2020-36179, CVE-2020-35728, CVE-2020-35491, CVE-2020-35490, CVE-2020-24750, CVE-2020-24616, CVE-2020-14195, CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619 | 8.1 | com.fasterxml.jackson.core_jackson-databind | /opt/thehive/lib/net.sf.ehcache.ehcache-2.10.6.jar, /opt/thehive/lib/org.apache.htrace.htrace-core4-4.1.0-incubating.jar, /opt/thehive/lib/org.apache.tinkerpop.gremlin-shaded-3.4.6.jar |
| CVE-2021-37137, CVE-2021-37136, CVE-2019-16869 | 7.5 | io.netty_netty-all, io.netty_netty-codec | /opt/thehive/lib/io.netty.netty-all-4.0.56.Final.jar, /opt/thehive/lib/io.netty.netty-codec-4.0.56.Final.jar |
| CVE-2021-36090, CVE-2021-35517, CVE-2021-35516, CVE-2021-35515 | 7.5 | org.apache.commons_commons-compress | /opt/thehive/lib/org.apache.commons.commons-compress-1.19.jar |
| CVE-2020-28491 | 7.5 | com.fasterxml.jackson.dataformat_jackson-dataformat-cbor | /opt/thehive/lib/com.fasterxml.jackson.dataformat.jackson-dataformat-cbor-2.10.5.jar |
| CVE-2020-25649, CVE-2019-14439, CVE-2019-12086 | 7.5 | com.fasterxml.jackson.core_jackson-databind | /opt/thehive/lib/net.sf.ehcache.ehcache-2.10.6.jar, /opt/thehive/lib/org.apache.htrace.htrace-core4-4.1.0-incubating.jar, /opt/thehive/lib/org.apache.tinkerpop.gremlin-shaded-3.4.6.jar |
| CVE-2017-18640 | 7.5 | org.yaml_snakeyaml | /opt/thehive/lib/org.yaml.snakeyaml-1.15.jar |
| CVE-2020-27216 | 7 | org.eclipse.jetty_jetty-io | /opt/thehive/lib/net.sf.ehcache.ehcache-2.10.6.jar, /opt/thehive/lib/org.eclipse.jetty.jetty-io-9.4.20.v20190813.jar |

Steps to Reproduce

  1. Run container scan
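The table above attributes jackson-databind findings to the ehcache, htrace and gremlin-shaded jars because those jars bundle a copy of it. This added example (not TheHive's or the scanner's code) shows how a scan step recovers such bundled artifacts from a jar's own Maven metadata; the jar is constructed in memory and its jackson version is a placeholder, since the report does not state it.

```python
"""List the Maven artifacts bundled inside a jar and flag those the report
names as vulnerable. Added example; the sample jar is constructed in memory."""
import io
import re
import zipfile

# Maven-built jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties;
# a shaded jar keeps one such file for each dependency it swallowed.
POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

# PACKAGE names from the report's table (scanner form: groupId_artifactId).
REPORTED = {"com.fasterxml.jackson.core_jackson-databind",
            "io.netty_netty-all", "io.netty_netty-codec",
            "org.apache.commons_commons-compress",
            "com.fasterxml.jackson.dataformat_jackson-dataformat-cbor",
            "org.yaml_snakeyaml", "org.eclipse.jetty_jetty-io"}

def bundled_artifacts(jar_bytes):
    """Return {groupId_artifactId: version} for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            m = POM_PROPS_RE.match(entry)
            if not m:
                continue
            lines = zf.read(entry).decode("utf-8").splitlines()
            props = dict(line.strip().split("=", 1)
                         for line in lines if "=" in line and not line.startswith("#"))
            key = f"{props.get('groupId', m[1])}_{props.get('artifactId', m[2])}"
            found[key] = props.get("version", "unknown")
    return found

def reported_inside(jar_bytes):
    """Bundled artifacts that the report's PACKAGE column marks as vulnerable."""
    return {k: v for k, v in bundled_artifacts(jar_bytes).items() if k in REPORTED}

def make_sample_jar():
    """Constructed stand-in for ehcache-2.10.6.jar with a bundled jackson-databind."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/net.sf.ehcache/ehcache/pom.properties",
                    "groupId=net.sf.ehcache\nartifactId=ehcache\nversion=2.10.6\n")
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                    "# placeholder version: the report does not state it\n"
                    "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n"
                    "version=2.x-PLACEHOLDER\n")
    return buf.getvalue()
```

Running `reported_inside` over every jar under /opt/thehive/lib reproduces the PACKAGE-to-LOCATION mapping in the table; ehcache itself is not flagged, only the jackson-databind it carries.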

Possible Solutions

Update version of libraries:

Library
org.apache.tinkerpop.gremlin-shaded
org.apache.htrace.htrace-core
net.sf.ehcache.ehcache
io.netty.netty-all
io.netty.netty-codec
org.apache.commons.commons-compress
com.fasterxml.jackson.dataformat.jackson-dataformat-cbor
org.yaml.snakeyaml
org.eclipse.jetty.jetty-io

Complementary information

The problem with vulnerabilities also exists in the newest version, 4.18.
New vulnerabilities are present:

| CVE | CVSS | Library |
|---|---|---|
| CVE-2022-25315, CVE-2022-25236, CVE-2022-25235, CVE-2022-23990, CVE-2022-23852, CVE-2022-22824, CVE-2022-22823, CVE-2022-22822 | 9.8 | expat |
| CVE-2022-24407 | 8.8 | cyrus-sasl2 |
| CVE-2022-22827, CVE-2022-22826, CVE-2022-22825, CVE-2021-45960 | 8.8 | expat |

Labels: TheHive4 (TheHive4 related issues), bug