CVE-2018-11087 (Medium) detected in multiple libraries - autoclosed

[mend-for-github.lhy31512.workers.dev]

CVE-2018-11087 - Medium Severity Vulnerability

Vulnerable Libraries - spring-amqp-1.1.0.RELEASE.jar, spring-amqp-2.0.0.RELEASE.jar, amqp-client-2.8.1.jar, amqp-client-5.0.0.jar, spring-rabbit-2.0.0.RELEASE.jar, spring-rabbit-1.1.0.RELEASE.jar, amqp-client-2.7.0.jar

spring-amqp-1.1.0.RELEASE.jar

Spring AMQP is framework that makes it easy to write Java applications for the Advanced Message Queue Protocol. It supports a variety of common high-level messaging patterns, like synchronous and asynchronous consumers, synchronous producers, automatic re-connection, transactions, batching. The emphasis is on declarative configuration and a POJO programming model without hiding the full power of the underlying protocol.

Library home page: http://www.springsource.org/spring-amqp

Path to dependency file: /dd-java-agent/instrumentation/rabbitmq-amqp-2.7/rabbitmq-amqp-2.7.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.amqp/spring-amqp/1.1.0.RELEASE/d53434c48c9725e809c822df3a56d0d8d097ca0/spring-amqp-1.1.0.RELEASE.jar

Dependency Hierarchy:

• spring-rabbit-1.1.0.RELEASE.jar (Root Library)
  • ❌ spring-amqp-1.1.0.RELEASE.jar (Vulnerable Library)

spring-amqp-2.0.0.RELEASE.jar

Spring AMQP Core

Library home page: https://projects.spring.io/spring-amqp

Path to dependency file: /dd-java-agent/instrumentation/spring-rabbit/spring-rabbit.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.amqp/spring-amqp/2.0.0.RELEASE/939a34155a2ec29f83aa65acfec91d5fdcc0e80a/spring-amqp-2.0.0.RELEASE.jar,/caches/modules-2/files-2.1/org.springframework.amqp/spring-amqp/2.0.0.RELEASE/939a34155a2ec29f83aa65acfec91d5fdcc0e80a/spring-amqp-2.0.0.RELEASE.jar

Dependency Hierarchy:

• ❌ spring-amqp-2.0.0.RELEASE.jar (Vulnerable Library)

amqp-client-2.8.1.jar

RabbitMQ AMQP Java Client

Library home page: http://www.rabbitmq.com

Path to dependency file: /dd-java-agent/instrumentation/rabbitmq-amqp-2.7/rabbitmq-amqp-2.7.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.rabbitmq/amqp-client/2.8.1/303d1a575baffa9e119b4a8a17e97f56630b34ef/amqp-client-2.8.1.jar,/caches/modules-2/files-2.1/com.rabbitmq/amqp-client/2.8.1/303d1a575baffa9e119b4a8a17e97f56630b34ef/amqp-client-2.8.1.jar

Dependency Hierarchy:

• ❌ amqp-client-2.8.1.jar (Vulnerable Library)

amqp-client-5.0.0.jar

The RabbitMQ Java client library allows Java applications to interface with RabbitMQ.

Library home page: http://www.rabbitmq.com

Path to dependency file: /dd-java-agent/instrumentation/spring-rabbit/spring-rabbit.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.rabbitmq/amqp-client/5.0.0/12c1f76ab5991556147ca35b85128521ebcfd093/amqp-client-5.0.0.jar

Dependency Hierarchy:

• spring-rabbit-2.0.0.RELEASE.jar (Root Library)
  • ❌ amqp-client-5.0.0.jar (Vulnerable Library)

spring-rabbit-2.0.0.RELEASE.jar

Spring RabbitMQ Support

Library home page: https://projects.spring.io/spring-amqp

Path to dependency file: /dd-java-agent/instrumentation/spring-rabbit/spring-rabbit.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.springframework.amqp/spring-rabbit/2.0.0.RELEASE/4b58070f2da1485edb63a740dedb7c5994500bcd/spring-rabbit-2.0.0.RELEASE.jar

Dependency Hierarchy:

• ❌ spring-rabbit-2.0.0.RELEASE.jar (Vulnerable Library)

spring-rabbit-1.1.0.RELEASE.jar

Spring AMQP is framework that makes it easy to write Java applications for the Advanced Message Queue Protocol. It supports a variety of common high-level messaging patterns, like synchronous and asynchronous consumers, synchronous producers, automatic re-connection, transactions, batching. The emphasis is on declarative configuration and a POJO programming model without hiding the full power of the underlying protocol.

Library home page: http://www.springsource.org/spring-amqp

Path to dependency file: /dd-java-agent/instrumentation/rabbitmq-amqp-2.7/rabbitmq-amqp-2.7.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.springframework.amqp/spring-rabbit/1.1.0.RELEASE/bea52fc593b5b2abf70afa9e05ad5ca8e36f7a77/spring-rabbit-1.1.0.RELEASE.jar

Dependency Hierarchy:

• ❌ spring-rabbit-1.1.0.RELEASE.jar (Vulnerable Library)

amqp-client-2.7.0.jar

RabbitMQ AMQP Java Client

Library home page: http://www.rabbitmq.com

Path to dependency file: /dd-java-agent/instrumentation/rabbitmq-amqp-2.7/rabbitmq-amqp-2.7.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/com.rabbitmq/amqp-client/2.7.0/54ac2d32f5f992abe6883cd5ae3c256bccc0117a/amqp-client-2.7.0.jar

Dependency Hierarchy:

• ❌ amqp-client-2.7.0.jar (Vulnerable Library)

Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079

Found in base branch: master

Vulnerability Details

Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.

Publish Date: 2018-09-14

URL: CVE-2018-11087

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11087

Release Date: 2018-09-11

Fix Resolution (org.springframework.amqp:spring-amqp): 1.7.10.RELEASE

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.10.RELEASE

Fix Resolution (com.rabbitmq:amqp-client): 5.4.1

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.0.RELEASE

---

⛑️ Automatic Remediation is available for this issue