This repository has been archived by the owner on Sep 21, 2021. It is now read-only.

Zalenium vulnerabilities #1200

Open
Montti37 opened this issue Aug 27, 2020 · 7 comments

Comments

@Montti37

I tried emailing the security address, but it was undeliverable.

As part of our corporate security scans with Twistlock we have found some vulnerabilities in Zalenium.
I was hoping it would be possible to address the critical ones so we can continue using Zalenium.
There are a lot of other low-level issues, but the criticals that must be addressed for me would be:

com.fasterxml.jackson.core_jackson-databind: current 2.8.5, fixed in 2.9.7
io.netty_netty-all: current 4.1.6.Final, fixed in 4.1.46
org.eclipse.jetty_jetty-io: current 7.3.0.v20110203, fixed in 9.4.11, 9.3.24
org.apache.logging.log4j_log4j-api: current 2.7, fixed in 2.8.2

Thank you

twistlock-zalenium.txt

@diemol
Contributor

diemol commented Sep 3, 2020

@Montti37 Zalenium is not under development anymore; if you wish, you could send a PR and build the new version yourself.

@Johnny2136

@Montti37 we have found jackson.core to be problematic: if you update it in Spring Boot, you will get a failing SAST scan with Checkmarx or similar; if you roll back, Twistlock catches it. Spring Boot needs to fix their library, but if you find a good solution, please post it, ok? I think we are in the same boat as you.

@Montti37
Author

Montti37 commented Sep 24, 2020 via email

@llinmd

llinmd commented Oct 16, 2020

@Montti37 We are in the same boat as you so I want to follow up on the fix. Are you able to get approval to share it? Thanks.

@Montti37
Author

@llinmd I am still waiting for approval; it may take some time to actually share the repo, but we ended up just updating the pom file and rebuilding the app.
I will warn you: once you get past this step, the underlying elgalu/selenium image that is used has the same vulnerabilities.
It too will need a similar fix. The underlying jar that causes that issue is browsermob-dist.jar, to save you some time finding it; it is held in Maven and will need a similar fix for its pom file.
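One way to check a rebuilt pom.xml against the four coordinates reported in this issue, as an added example that is not Zalenium's code and was not posted by anyone in this thread. The coordinates and the current/fixed-in versions are the ones quoted above; the sample pom, the version-ordering rule (numeric components only, qualifiers such as `Final` or `v20110203` ignored) and the rule for choosing between jetty's two fixed versions (match on major.minor, else the lowest fixed version) are assumptions of this demo and not Maven's own version comparison.

```python
"""Flag dependencies in a pom.xml that are still below the fixed-in versions
listed in the Zalenium issue. Added example; the pom below is constructed."""
import re
import xml.etree.ElementTree as ET

# (groupId, artifactId) -> fixed-in versions, as reported by the Twistlock scan in the issue.
ADVISORY = {
    ("com.fasterxml.jackson.core", "jackson-databind"): ["2.9.7"],
    ("io.netty", "netty-all"): ["4.1.46"],
    ("org.eclipse.jetty", "jetty-io"): ["9.4.11", "9.3.24"],
    ("org.apache.logging.log4j", "log4j-api"): ["2.8.2"],
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom: three of the four coordinates still at the reported
# current version, log4j-api already bumped, netty pinned through a property.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <properties><netty.version>4.1.6.Final</netty.version></properties>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>2.8.5</version></dependency>
    <dependency><groupId>io.netty</groupId><artifactId>netty-all</artifactId><version>${netty.version}</version></dependency>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-io</artifactId><version>7.3.0.v20110203</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-api</artifactId><version>2.8.2</version></dependency>
  </dependencies>
</project>"""


def version_key(v):
    """Ordering key: leading numeric components compared numerically; the first
    non-numeric component (Final, v20110203, SNAPSHOT) and everything after it is
    dropped. Assumption for this demo, not Maven's ComparableVersion."""
    nums = []
    for part in re.split(r"[.\-]", v):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def pick_fixed(current, fixed_versions):
    """Choose which fixed-in version applies: the one on the same major.minor
    branch as `current` if listed, otherwise the lowest fixed version (assumption)."""
    branch = version_key(current)[:2]
    same_branch = [f for f in fixed_versions if version_key(f)[:2] == branch]
    if same_branch:
        return same_branch[0]
    return min(fixed_versions, key=version_key)


def resolve(version, props):
    """Expand a ${property} reference in a <version> element, if present."""
    m = re.fullmatch(r"\$\{([^}]+)\}", version)
    return props.get(m.group(1), version) if m else version


def load_dependencies(pom_xml):
    """Return {(groupId, artifactId): version} for every <dependency> in the pom."""
    root = ET.fromstring(pom_xml)
    props = {}
    for p in root.findall("m:properties/*", NS):
        props[p.tag.split("}", 1)[1]] = (p.text or "").strip()
    deps = {}
    for d in root.findall(".//m:dependency", NS):
        group = d.findtext("m:groupId", namespaces=NS)
        artifact = d.findtext("m:artifactId", namespaces=NS)
        version = (d.findtext("m:version", namespaces=NS) or "").strip()
        deps[(group, artifact)] = resolve(version, props)
    return deps


def check_pom(pom_xml, advisory=ADVISORY):
    """Return {(groupId, artifactId): (current, fixed_in)} for listed coordinates
    whose version is still below the applicable fixed-in version."""
    findings = {}
    for coord, current in load_dependencies(pom_xml).items():
        if coord not in advisory:
            continue
        fixed = pick_fixed(current, advisory[coord])
        if version_key(current) < version_key(fixed):
            findings[coord] = (current, fixed)
    return findings


if __name__ == "__main__":
    for (group, artifact), (cur, fix) in sorted(check_pom(SAMPLE_POM).items()):
        print(f"{group}:{artifact} {cur} -> needs {fix}")
```

Run against the sample pom it reports jackson-databind, netty-all and jetty-io and stays quiet on log4j-api, which is already at 2.8.2. Point `check_pom` at the real pom.xml after editing it, and at the browsermob-dist pom mentioned above, to confirm nothing was missed before rebuilding the image.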

@llinmd

llinmd commented Oct 16, 2020

@Montti37 that's good to know. I will give it a shot. Thanks.

@rajesh9383

@Montti37 I am having similar vulnerabilities. Can you please share the repo?
