MAT 1.14.0 is being flagged for MEDIUM CVE CVE-2023-33201. I see bcpg_1.72.0.jar and bcprov_1.72.0.jar included in the MAT plugins directory.
Please let me know if I made any mistakes in this submission as this is my first. I am not 100% on the steps to bump the library and resolve the CVE on my own, but would be happy to tackle the next one myself.
Thank you for the report. This has more details: https://nvd.nist.gov/vuln/detail/CVE-2023-33201

> Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates.
> During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

Memory Analyzer does not directly use encryption, but is an RCP application, and TLS is used for things like installing updates or extensions. Bouncy Castle comes with the Eclipse Platform that MAT is built with. I do not know yet whether this vulnerability is exploitable. We could start by checking whether there is an exploit for the Eclipse IDE. Does it use the LDAP certificate store?

To avoid MAT being flagged in scans we would need to build MAT against a later version of the Eclipse Platform which has a fixed version of Bouncy Castle. Once there is a new Eclipse, e.g. 2023-09 ??, then the MAT build configuration files and the continuous integration job need to be updated.
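To make the NVD description concrete, here is an added example (not Bouncy Castle's or MAT's code) of the pattern it describes: a certificate Subject Name concatenated into an LDAP search filter verbatim, beside the same filter built with RFC 4515 value escaping. The filter shape, attribute names and the sample DN are constructed for illustration.

```python
# Added example, not code from Bouncy Castle or MAT. Shows why an unescaped
# Subject Name inside an LDAP search filter is an injection, and the RFC 4515
# escaping that prevents it. Attribute names and inputs are constructed.
from typing import Dict

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_ESCAPES: Dict[str, str] = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP search filter."""
    # Per-character mapping, so nothing is escaped twice.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def filter_unescaped(subject_dn: str) -> str:
    """Vulnerable pattern: the DN becomes part of the filter grammar."""
    return "(&(objectClass=pkiUser)(subject=" + subject_dn + "))"


def filter_escaped(subject_dn: str) -> str:
    """Hardened pattern: the DN is escaped, so it stays a literal value."""
    return "(&(objectClass=pkiUser)(subject=" + escape_ldap_value(subject_dn) + "))"


def count_filter_items(flt: str) -> int:
    """Number of filter items, i.e. unescaped '(' in the filter string.

    A caller-controlled value must never change this number: if it does,
    the input has altered the filter's structure rather than just its value.
    """
    return flt.count("(")


if __name__ == "__main__":
    # Constructed Subject Name carrying filter metacharacters.
    dn = "CN=demo*)(cn=*,O=Example"
    print(filter_unescaped(dn), count_filter_items(filter_unescaped(dn)))
    print(filter_escaped(dn), count_filter_items(filter_escaped(dn)))
```

The unescaped filter gains an extra item from the DN, while the escaped one keeps the three items the code intended.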
Eclipse 2023-09 M2 has bcprov_1.76.0.jar and bcpg_1.76.0.jar, so Eclipse 2023-09 in September 2023 should include the fix for the platform. The Eclipse MAT project needs to decide when the next version of MAT will be released. It can then be built against a more recent Eclipse platform. Alternatives until then would be to install MAT into an Eclipse 2023-0 or later platform, or rebuild MAT yourself. I haven't had much luck updating the Eclipse platform from inside standalone Eclipse MAT.
For testing we can use the I-builds for Eclipse 4.29:

https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/203758
https://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=b8adc29f1f63fa46cc6101910f0d6ea5b243aa60
https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/203759
https://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=bc010ce0439316f835afecc9fa16e339336b96e9
I've created a new target platform and tested it with a manually triggered build: https://ci.eclipse.org/mat/job/tycho-mat-nightly/1428/

> [INFO] Fetching bcpg_1.76.0.jar from https://download.eclipse.org/eclipse/updates/4.29-I-builds/I20230820-0600/plugins/ (439.42kB)
> [INFO] Fetching bcprov_1.76.0.jar from https://download.eclipse.org/eclipse/updates/4.29-I-builds/I20230820-0600/plugins/ (7.97MB)

This has the fixed versions of BouncyCastle. We can't yet do a release with that as Eclipse 2023-09 hasn't been released and that build was just against an Eclipse I-build, and we don't yet have a release plan for the next version of MAT.

I have now updated the builds to use Java 17, and to use a newer version of SpotBugs. It will be easy to later switch builds to Eclipse 2023-09, but the next CI builds will revert to 2022-12.
Hi Andrew, Thanks for your work on this. How were you able to identify the Eclipse I-Build which contained the relevant library bump?
I didn't know which particular I-build, but I saw that the Eclipse IDE 2023-06 had a previous version of bcpg, bcprov so we would need something later. MAT is part of the simultaneous release of the Eclipse IDE (e.g. 2023-06 etc.) although it is not preinstalled into any of the standard packages. MAT is built against an Eclipse target platform (e.g. 4.26, which is just one component of the IDE) and a few other pieces (SWTBot for testing, BIRT for graphs, IBM DTFJ for testing).

Using an HPROF dump of itself I found the bundles dependent on Bouncy Castle.

    Bundles                                                                  |Bundle State
    ------------------------------------------------------------------------------------------
    bcprov (1.72.0.)                                                         |resolved
    |- reference:file:/C:/Users/andre/workspace_mat/.metadata/.plugins/org.eclipse.pde.core/.bundle_pool/plugins/bcprov_1.72.0.jar|
    |- Dependents                                                            |
    |  |- org.eclipse.equinox.p2.artifact.repository (1.4.600.v20221106-1146)|lazy starting
    |  |- org.eclipse.equinox.p2.ui (2.7.700.v20221015-0933)                 |lazy starting
    |  |- bcpg (1.72.0.)                                                     |resolved
    |  |- org.eclipse.equinox.p2.repository (2.6.300.v20221030-1923)         |active
    |  '- Total: 4 entries                                                   |
    '- Total: 2 entries                                                      |
    bcpg (1.72.0.)                                                           |resolved
    |- reference:file:/C:/Users/andre/workspace_mat/.metadata/.plugins/org.eclipse.pde.core/.bundle_pool/plugins/bcpg_1.72.0.jar|
    |- Dependencies                                                          |
    |- Dependents                                                            |
    |  |- org.eclipse.equinox.p2.artifact.repository (1.4.600.v20221106-1146)|lazy starting
    |  |- org.eclipse.equinox.p2.ui (2.7.700.v20221015-0933)                 |lazy starting
    |  |- org.eclipse.equinox.p2.engine (2.7.500.v20220817-1208)             |active
    |  |- org.eclipse.equinox.p2.core (2.9.200.v20220817-1208)               |active
    |  |- org.eclipse.equinox.p2.ui.sdk (1.2.100.v20220814-1551)             |lazy starting
    |  |- org.eclipse.equinox.p2.repository (2.6.300.v20221030-1923)         |active
    |  |- org.eclipse.equinox.p2.director.app (1.2.300.v20220911-2007)       |lazy starting
    |  '- Total: 7 entries                                                   |
    '- Total: 3 entries                                                      |
    Total: 2 entries (284 filtered)
    ------------------------------------------------------------------------------------------

so could see that Equinox p2 needed Bouncy Castle.

Reports like this:

https://download.eclipse.org/oomph/archive/reports/
https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/eclipse/updates/4.29-I-builds/index.html

showed the versions of the installable units in a build, so I could see the current Eclipse platform builds had a newer version of Bouncy Castle.

There is also a report on the version of MAT supplied to the Eclipse simultaneous release:

https://download.eclipse.org/oomph/archive/simrel/index.html
https://download.eclipse.org/oomph/archive/simrel/mat.aggrcon/index.html

which is useful to check the MAT bundles are signed, features have branding images etc.
https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/204336
https://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=b10bd16c59de71479467c9f563a1748ad93cac82

Builds now use Eclipse 4.29.
We are now building at the right level to avoid this problem.

BTW - are the new bill of materials build artifacts useful in checking vulnerabilities?

https://ci.eclipse.org/mat/job/tycho-mat-nightly/
https://ci.eclipse.org/mat/job/tycho-mat-nightly/lastSuccessfulBuild/artifact/parent/target/
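One way a bill of materials can answer that question, as an added example that is not part of the thread or of MAT's build tooling: read a CycloneDX-style SBOM (the JSON layout is assumed, and the sample document is constructed to mirror the 1.72.0 bundles seen above) and flag Bouncy Castle components older than the 1.74 fix release named in the NVD entry for CVE-2023-33201.

```python
# Added example, not MAT's build tooling. Checks an SBOM for Bouncy Castle
# bundles that predate the fix for CVE-2023-33201. The CycloneDX JSON shape is
# assumed and SBOM_JSON is a constructed sample, not a real MAT artifact.
import json
from typing import List, Tuple

# NVD text: "Bouncy Castle For Java before 1.74 is affected". Both bundles the
# thread tracks are listed; the dict is the policy, extend it as needed.
VULNERABLE_BEFORE = {"bcprov": "1.74", "bcpg": "1.74"}

SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "bcprov", "version": "1.72.0"},
    {"type": "library", "name": "bcpg", "version": "1.72.0"},
    {"type": "library", "name": "org.eclipse.equinox.p2.core",
     "version": "2.9.200.v20220817-1208"}
  ]
}"""


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric segments of an OSGi-style version; the qualifier is ignored."""
    parts = []
    for seg in version.split("."):
        if not seg.isdigit():
            break
        parts.append(int(seg))
    return tuple(parts)


def is_fixed(version: str, fixed_in: str) -> bool:
    """True when version >= fixed_in, treating 1.74 and 1.74.0 as equal."""
    a, b = version_key(version), version_key(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def find_vulnerable(sbom_text: str) -> List[str]:
    """Return 'name version' for each listed component below its fix version."""
    hits = []
    for comp in json.loads(sbom_text).get("components", []):
        fixed_in = VULNERABLE_BEFORE.get(comp.get("name", ""))
        if fixed_in and not is_fixed(comp.get("version", "0"), fixed_in):
            hits.append(f"{comp['name']} {comp['version']}")
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(SBOM_JSON):
        print("CVE-2023-33201:", hit)
```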