The importance of analysing third-party software components in the development process (Software Composition Analysis, SCA) grows with every release of the annual reports on vulnerabilities in open-source libraries published by Synopsys, Sonatype, Snyk and WhiteSource. According to the reports,
One of the most illustrative cases
This article looks at the problem of choosing a tool for SCA from the standpoint of the quality of its analysis results. A functional comparison of the tools is provided; the process of integrating them into CI/CD and their integration capabilities are left for future publications. A broad list of tools is maintained by OWASP.
How it works
Let's look at what a CPE (Common Platform Enumeration) identifier looks like:
```
cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
```
- part: indicates whether the component is an application (a), an operating system (o) or hardware (h) (required)
- vendor: name of the product manufacturer (required)
- product: product name (required)
- version: component version (deprecated field)
- update: package update
- edition: legacy edition (deprecated field)
- language: language as defined by RFC 5646
- sw_edition: software edition
- target_sw: software environment the product runs in
- target_hw: hardware environment the product runs on
- other: vendor- or product-specific information
An example CPE looks like this:
```
cpe:2.3:a:pivotal_software:spring_framework:3.0.0:*:*:*:*:*:*:*
```
This string means that CPE version 2.3 describes an application component from the vendor pivotal_software named spring_framework, version 3.0.0. If we open a vulnerability entry
Package URLs (PURL) are also used by SCA tools. The package URL format is as follows:
```
scheme:type/namespace/name@version?qualifiers#subpath
```
- scheme: always "pkg", indicating that this is a package URL (required)
- type: the package "type" or "protocol", e.g. Maven, npm, nuget, gem, pypi (required)
- namespace: a name prefix such as a Maven group ID, a Docker image owner, or a GitHub user or organization; optional and type-specific
- name: package name (required)
- version: package version
- qualifiers: additional qualifying data for the package, such as OS, architecture or distribution; optional and type-specific
- subpath: an additional path inside the package, relative to the package root
For example:
```
pkg:golang/google.golang.org/genproto#googleapis/api/annotations
pkg:maven/org.apache.commons/[email protected]
pkg:pypi/[email protected]
```
Example BOM in XML format:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <components>
    <component type="library">
      <publisher>Apache</publisher>
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <hashes>
        <hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
        <hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
        <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
        <hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
      </hashes>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14</purl>
    </component>
    <!-- More components here -->
  </components>
</bom>
```
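To make the three formats above concrete, here is an added example (not code from the article or from the CycloneDX project) that splits a CPE 2.3 string into its named fields, splits a package URL into its parts, and pulls each component's purl and hashes out of a CycloneDX 1.2 BOM; the embedded BOM is the article's own sample, trimmed to one hash.

```python
"""CPE 2.3, package URL and CycloneDX BOM parsing (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import unquote

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]
NS = {"bom": "http://cyclonedx.org/schema/bom/1.2"}


def parse_cpe(cpe: str) -> dict:
    """cpe:2.3:<11 colon-separated fields>; '*' (ANY) and '-' (NA) are kept as-is.
    Escaped colons inside a field are not handled by this simple split."""
    parts = cpe.split(":")
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def parse_purl(purl: str) -> dict:
    """scheme:type/namespace/name@version?qualifiers#subpath; namespace, version,
    qualifiers and subpath are optional, so the optional tail parts are stripped first."""
    scheme, _, rest = purl.partition(":")
    if scheme != "pkg":
        raise ValueError(f"not a package URL: {purl}")
    rest, _, subpath = rest.partition("#")
    rest, _, query = rest.partition("?")
    version = ""
    if "@" in rest:                       # version follows the rightmost '@'
        rest, _, version = rest.rpartition("@")
    ptype, _, path = rest.strip("/").partition("/")
    *namespace, name = path.split("/")    # everything before the last '/' is the namespace
    qualifiers = dict(kv.split("=", 1) for kv in query.split("&") if kv)
    return {"type": ptype, "namespace": "/".join(namespace) or None,
            "name": unquote(name), "version": unquote(version) or None,
            "qualifiers": qualifiers, "subpath": subpath or None}


def bom_components(xml_text: str) -> list:
    """One dict per <component>: the parsed purl plus the hashes the BOM carries,
    which is what an SCA tool matches against its vulnerability database."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    result = []
    for comp in root.findall("bom:components/bom:component", NS):
        purl = comp.findtext("bom:purl", namespaces=NS)
        if not purl:                      # a component without a purl cannot be matched
            continue
        hashes = {h.get("alg"): h.text for h in comp.findall("bom:hashes/bom:hash", NS)}
        result.append({"component_type": comp.get("type"), **parse_purl(purl), "hashes": hashes})
    return result


# The article's sample BOM, reduced to one hash so it fits here.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library">
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <hashes>
        <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
      </hashes>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14</purl>
    </component>
  </components>
</bom>"""

if __name__ == "__main__":
    print(parse_cpe("cpe:2.3:a:pivotal_software:spring_framework:3.0.0:*:*:*:*:*:*:*"))
    for c in bom_components(SAMPLE_BOM):
        print(c["type"], c["namespace"], c["name"], c["version"], c["hashes"])
```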
A BOM is useful not only as the input for Dependency Track but also as an inventory of the software components in a supply chain, for example when delivering software to a customer. In 2014 a bill was even proposed in the USA
Returning to SCA: Dependency Track ships with a number of integrations with notification platforms such as Slack and with vulnerability management systems such as Kenna Security. It is also worth noting that Dependency Track identifies outdated package versions and provides license information (thanks to SPDX support).
As for the quality of SCA specifically, there is a fundamental difference.
Dependency Track does not take a project as input; it takes a BOM. This means that to test a project you must first generate bom.xml with CycloneDX, so Dependency Track depends directly on CycloneDX. At the same time this makes customization possible, as the OZON team has written about.
Let's summarize a few functional characteristics and also look at the languages supported for analysis.
| Language | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Java | + | + | + |
| C / C++ | + | + | - |
| C# | + | + | - |
| .NET | + | + | + |
| Erlang | - | - | + |
| JavaScript (NodeJS) | + | + | + |
| PHP | + | + | + |
| Python | + | + | + |
| Ruby | + | + | + |
| Perl | - | - | - |
| Scala | + | + | + |
| Objective-C | + | + | - |
| Swift | + | + | - |
| R | + | - | - |
| Go | + | + | + |
Functionality
| Functionality | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Checking that the components used in the source code are license-clean | + | - | + |
| Scanning Docker images for vulnerabilities and license cleanliness | + (integration with Clair) | - | - |
| Configuring security policies for the use of open-source libraries | + | - | - |
| Scanning open-source repositories for vulnerable components | + (RubyGems, Maven, NPM, NuGet, PyPI, Conan, Bower, Conda, Go, p2, R, Yum, Helm, Docker, CocoaPods, Git LFS) | - | + (Hex, RubyGems, Maven, NPM, NuGet, PyPI) |
| Dedicated security research group | + | - | - |
| Operation in an isolated (offline) network | + | + | + |
| Use of third-party databases | + (closed Sonatype database) | + (Sonatype OSS, NPM Public Advisories) | + (Sonatype OSS, NPM Public Advisories, RetireJS, VulnDB, support for a custom vulnerability database) |
| Filtering open-source components against configured policies when they are pulled into the development loop | + | - | - |
| Remediation recommendations and links to fixes | + | +- (depends on the public database entry) | +- (depends on the public database entry) |
| Ranking of detected vulnerabilities by severity | + | + | + |
| Role-based access model | + | - | + |
| CLI support | + | + | +- (CycloneDX only) |
| Sampling/classification of vulnerabilities by defined criteria | + | - | + |
| Dashboard of application status | + | - | + |
| Report generation in PDF | + | - | - |
| Report generation in JSON, CSV | + | + | - |
| Russian-language support | - | - | - |
Integrations
| Integration | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| LDAP / Active Directory | + | - | + |
| Bamboo CI | + | - | - |
| TeamCity CI | + | - | - |
| GitLab CI | + | +- (as a GitLab plugin) | + |
| Jenkins CI | + | + | + |
| IDE plugins | + (IntelliJ, Eclipse, Visual Studio) | - | - |
| Custom integration via the tool's web service (API) | + | - | + |
Dependency Check
Getting started
Let's run Dependency Check on an intentionally vulnerable application.
It is invoked like this:
```
mvn org.owasp:dependency-check-maven:check
```
As a result, dependency-check-report.html appears in the target directory.
Let's open the file. After the summary of the total number of vulnerabilities, it lists information about the packages: the CPE, the number of CVEs, and the severity and confidence level of the vulnerabilities.
Then comes more detailed information, in particular the evidence on which the identification was based, which is in effect a kind of BOM.
Next come the CPE, the PURL and the CVE description. Incidentally, remediation recommendations are not included, since they are absent from the NVD database.
To view scan results systematically, either set up Nginx with a minimal configuration or send the findings to a defect management system that has a Dependency Check connector, for example DefectDojo.
Dependency Track
Installation
First of all, Dependency Track is a web-based platform that displays graphs, so the pressing question of where to store findings in a third-party solution does not arise here.
Supported installation options are Docker, WAR and executable WAR.
Getting started
Go to the URL of the running service. Log in as admin/admin, change the login and password, and you land on the dashboard. The next step is to create a project for the Java test application: Home / Projects → Create Project. Let's take DVJA as the example.
Since Dependency Track accepts only a BOM as input, we need to obtain that BOM. We use:
```
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
```
We get bom.xml and upload the file to the created project: DVJA → Dependencies → Upload BOM.
Let's go to Administration → Analyzers. We see that only the internal analyzer, which contains NVD, is enabled. Let's also connect Sonatype OSS Index.
We get the following picture for the project:
The list also contains one vulnerability attributed to Sonatype OSS.
The main disappointment was that Dependency Track no longer accepts Dependency Check XML reports. The last supported versions for the Dependency Check integration were 1.0.0 through 4.0.2, whereas I tested 5.3.2.
Nexus IQ
Getting started
Nexus IQ is installed from the distribution archive.
After logging in to the console, you need to create an organization and an application.
As you can see, setup in the case of IQ is more complicated, because you also have to create policies that apply to the various "stages" (develop, build, stage, release). This is needed to block vulnerable components as they pass through the pipeline toward production, or to block them the moment a developer downloads them into the Nexus repository.
To feel the difference between open source and enterprise, let's run the same scan the same way through Nexus IQ for the application dvja-test-and-compare:
```
mvn com.sonatype.clm:clm-maven-plugin:evaluate -Dclm.applicationId=dvja-test-and-compare -Dclm.serverUrl=<NEXUSIQIP> -Dclm.username=<USERNAME> -Dclm.password=<PASSWORD>
```
We follow the URL to the report generated in the IQ web interface.
Here we can see all policy violations with their various severity levels (from info to security critical). The letter D next to a component means it is a direct dependency; the letter T means it is a transitive dependency.
Incidentally, the report
Opening one of the Nexus IQ policy violations shows a description of the component and a version graph: the position of the current version on the timeline and the point at which the vulnerability stops being present. The height of the bars on the graph reflects how popular that version of the component is.
Going to the Vulnerabilities section and expanding the CVE, we can read a description of the vulnerability, the remediation recommendation, and the reason the component was flagged, namely the presence of the class DiskFileitem.class.
Let's drop the js components and sum up only what relates to third-party Java components. The number in parentheses is the number of vulnerabilities found outside NVD.
Nexus IQ total:
- dependencies scanned: 62
- vulnerable dependencies: 16
- vulnerabilities found: 42 (8 from the Sonatype database)
Dependency Check total:
- dependencies scanned: 47
- vulnerable dependencies: 13
- vulnerabilities found: 91 (14 from Sonatype OSS)
Dependency Track total:
- dependencies scanned: 59
- vulnerable dependencies: 10
- vulnerabilities found: 51 (1 from Sonatype OSS)
In the next step we analyse the results and determine which of these vulnerabilities are real defects and which are false positives.
Disclaimer
This review is not an indisputable truth. The author had no goal of promoting one tool at the expense of the others. The point of the review is to show how SCA tools work and how their results can be verified.
Comparison of results
Definitions:
A false positive for a third-party component vulnerability is:
- A CVE that does not match the identified component
  - For example, if a vulnerability was identified in the struts2 framework and the tool points at a component of the struts-tiles framework, to which the vulnerability does not apply, that is a false positive.
- A CVE that does not match the identified version of the component
  - For example, the vulnerability is tied to Python 3.5 and later, yet the tool marks version 2.7 as vulnerable; since the vulnerability applies only to the 3.x branch, this is a false positive.
- Duplicate CVEs
  - For example, SCA reports a CVE that allows RCE and then reports, for the same component, a CVE that applies to a Cisco product affected by that RCE. This is a false positive.
  - For example, after a CVE is found in the spring-web component, SCA points the same CVE at other Spring Framework components although the CVE has nothing to do with them. This is a false positive.
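The three false-positive classes above can be checked mechanically once you know which artifact and version range a CVE really covers. Here is an added example (not code from the article or from any of the three tools) that triages findings into true positives and the three classes; CVE_FACTS is a constructed knowledge base summarising the article's manual review, and the sample findings mirror rows of its Appendix B.

```python
"""Triage of SCA findings into TRUE / FALSE (component, version, duplicate) (added example)."""
from collections import Counter
from dataclasses import dataclass


def vtuple(version: str) -> tuple:
    """Turn '2.3.28' into (2, 3, 28) for ordering; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


# Constructed from the article's appendix: the artifact each CVE really belongs to,
# the affected version range, and CVEs that merely restate another CVE.
CVE_FACTS = {
    "CVE-2014-0225":  {"artifacts": {"spring-web"}},
    "CVE-2019-10086": {"artifacts": {"commons-beanutils"}, "min_affected": "1.9.2"},
    "CVE-2016-4003":  {"artifacts": {"struts2-core"}, "fixed_in": "2.3.28"},
    "CVE-2020-2934":  {"artifacts": {"mysql-connector-java"}},
    "CVE-2020-2933":  {"artifacts": {"mysql-connector-java"}, "duplicate_of": "CVE-2020-2934"},
}


@dataclass(frozen=True)
class Finding:
    tool: str
    component: str   # artifact id as the tool reported it, e.g. "spring-tx"
    version: str
    cve: str


def classify(f: Finding, reported: set) -> str:
    """Return 'TRUE', 'FALSE: <reason>' or 'UNKNOWN'. `reported` holds
    (tool, component, cve) for every finding, so a duplicate is only a false
    positive when the same tool also reported the primary CVE for that component."""
    facts = CVE_FACTS.get(f.cve)
    if facts is None:
        return "UNKNOWN: no data, manual review needed"
    if f.component not in facts["artifacts"]:
        return "FALSE: component mismatch"
    v = vtuple(f.version)
    if "min_affected" in facts and v < vtuple(facts["min_affected"]):
        return "FALSE: version mismatch"
    if "fixed_in" in facts and v >= vtuple(facts["fixed_in"]):
        return "FALSE: version mismatch"
    primary = facts.get("duplicate_of")
    if primary and (f.tool, f.component, primary) in reported:
        return "FALSE: duplicate of " + primary
    return "TRUE"


def triage(findings: list) -> dict:
    reported = {(f.tool, f.component, f.cve) for f in findings}
    return {f: classify(f, reported) for f in findings}


def false_positive_rate(findings: list) -> dict:
    """Per tool: (false positives, total findings, percentage), like the article's summary table."""
    totals, fps = Counter(), Counter()
    for f, verdict in triage(findings).items():
        totals[f.tool] += 1
        fps[f.tool] += verdict.startswith("FALSE")
    return {t: (fps[t], totals[t], round(100 * fps[t] / totals[t], 2)) for t in totals}


# Constructed sample mirroring rows of Appendix B.
SAMPLE = [
    Finding("Dependency Check", "spring-tx", "3.0.5", "CVE-2014-0225"),
    Finding("Dependency Track", "spring-web", "3.0.5", "CVE-2014-0225"),
    Finding("Dependency Check", "commons-beanutils", "1.7.0", "CVE-2019-10086"),
    Finding("Dependency Check", "mysql-connector-java", "5.1.42", "CVE-2020-2933"),
    Finding("Dependency Check", "mysql-connector-java", "5.1.42", "CVE-2020-2934"),
    Finding("Nexus IQ", "struts2-core", "2.3.30", "CVE-2016-4003"),
]

if __name__ == "__main__":
    for f, verdict in triage(SAMPLE).items():
        print(f"{f.tool:17} {f.component}:{f.version} {f.cve} -> {verdict}")
    print(false_positive_rate(SAMPLE))
```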
The object of study was the open-source project DVJA. Only Java components were included in the study (js excluded).
Aggregate results
Let's go straight to the results of the manual review of the identified vulnerabilities. The full report for each CVE is in the appendix.
Summary of results across all vulnerabilities:
| Parameter | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Total vulnerabilities identified | 42 | 91 | 51 |
| Incorrectly identified vulnerabilities (false positives) | 2 (4.76%) | 62 (68.13%) | 29 (56.86%) |
| Relevant vulnerabilities not found (false negatives) | 10 | 20 | 27 |
Summary of results per component:
| Parameter | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Total components identified | 62 | 47 | 59 |
| Total vulnerable components | 16 | 13 | 10 |
| Vulnerable components incorrectly identified (false positives) | 1 | 5 | 0 |
| Vulnerable components not identified (false negatives) | 0 | 6 | 6 |
Let's build a visual chart to assess the ratio of false positives and false negatives to the total number of vulnerabilities. Components are plotted horizontally and the vulnerabilities identified in each component vertically.
For comparison, the Sonatype team conducted a similar study in which a project of 1531 components was tested with OWASP Dependency Check. As you can see, the ratio of noise to correct answers is comparable to our results.
To understand the reasons for such results, let's look at a few CVEs from the scan results.
№1
First, let's look at a few interesting points about Sonatype Nexus IQ.
Nexus IQ points several times at a deserialization problem with the possibility of RCE in the Spring Framework: CVE-2016-1000027 for spring-web:3.0.5 and CVE-2011-2894 for spring-context:3.0.5 and spring-core:3.0.5. At first glance it looks as though the vulnerability is duplicated across several CVEs, because when we look at CVE-2016-1000027 and CVE-2011-2894 in the NVD database everything seems obvious.
| Component | Vulnerability |
|---|---|
| spring-web:3.0.5 | CVE-2016-1000027 |
| spring-context:3.0.5 | CVE-2011-2894 |
| spring-core:3.0.5 | CVE-2011-2894 |
CVE-2011-2894 itself is fairly well known. In the report, the vulnerability in RemoteInvocationSerializingExporter is confirmed for CVE-2011-2894. As for HttpInvokerServiceExporter, we learn the following from Nexus IQ:
However, NVD says nothing of the kind, so Dependency Check and Dependency Track each get a false negative.
Moreover, the description of CVE-2011-2894 makes clear that the vulnerability is really present in both spring-context:3.0.5 and spring-core:3.0.5. This is confirmed by the write-up of the person who discovered the vulnerability.
№2
| Component | Vulnerability | Result |
|---|---|---|
| struts2-core:2.3.30 | CVE-2016-4003 | FALSE |
Looking into CVE-2016-4003, we find that it was fixed in version 2.3.28, yet Nexus IQ still reports it. The vulnerability description carries the following note:
That is, the vulnerability exists only in combination with an outdated JRE version, and the vendor decided to warn about it anyway. Still, although this is not the worst thing, we count it as a false positive.
№3
| Component | Vulnerability | Result |
|---|---|---|
| xwork-core:2.3.30 | CVE-2017-9804 | TRUE |
| xwork-core:2.3.30 | CVE-2017-7672 | FALSE |
The descriptions of CVE-2017-9804 and CVE-2017-7672 show that the problem lies in the URLValidator class and that one CVE derives from the other (CVE-2017-9804 exists because of the incomplete fix for CVE-2017-7672). The presence of the second vulnerability adds no useful information beyond raising the severity to High, so it can be considered unnecessary noise.
Overall, no other false positives were found for Nexus IQ.
№4
There are a few points where IQ came out ahead of the other solutions.
| Component | Vulnerability | Result |
|---|---|---|
| spring-web:3.0.5 | CVE-2020-5398 | TRUE |
In NVD the CVE is stated to apply only to versions 5.2.x before 5.2.3, 5.1.x before 5.1.13 and 5.0.x before 5.0.16, but looking at the CVE description in Nexus IQ we see the following:
Advisory Deviation Notice: The Sonatype security research team discovered that this vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as the advisory states.
This is followed by the published PoC for the vulnerability, which states that it is present in version 3.0.5.
Dependency Check and Dependency Track each get a false negative.
№5
Let's look at the false positives of Dependency Check and Dependency Track.
Dependency Check stands out in that it attributes CVEs which in NVD apply to the framework as a whole to components to which those CVEs do not apply. This concerns CVE-2012-0394, CVE-2013-2115, CVE-2014-0114, CVE-2015-0899, CVE-2015-2992, CVE-2016-1181 and CVE-2016-1182, which Dependency Check attached to struts-taglib:1.3.8 and struts-tiles-1.3.8. These components have nothing to do with what the CVEs describe (request processing, page validation and so on). The only thing the CVEs and the components have in common is the framework, and Dependency Check took that for a vulnerability.
The same situation arises with spring-tx:3.0.5, and a similar one with struts-core:1.3.8. For struts-core, Dependency Check and Dependency Track found a large number of vulnerabilities that actually belong to struts2-core, which is essentially a different framework. In this case Nexus IQ read the situation correctly and, in the CVE it issued, indicated that struts-core had reached end of life and a migration to struts2-core was required.
№6
In some situations it is unfair to treat Dependency Check and Dependency Track errors as clear-cut. In particular, CVE-2013-4152, CVE-2013-6429, CVE-2013-6430, CVE-2013-7315, CVE-2014-0054 and CVE-2014-0225 were attributed by Dependency Check and Dependency Track to spring-core:3.0.5, whereas they actually belong to spring-web:3.0.5. At the same time, some of these CVEs were also detected by Nexus IQ, which correctly identified them as belonging to a different component. Since these vulnerabilities were not found in spring-core, one cannot say that the framework is free of them, so the open-source tools did point them out correctly (they just missed by a little).
Findings
As you can see, judging the reliability of identified vulnerabilities by manual review does not give unambiguous results and raises debatable questions. Nevertheless, the Nexus IQ solution turned out to have the lowest false-positive rate and the highest accuracy.
First of all, this is because the Sonatype team extends the description of every NVD CVE in its database and carries out additional research, pinpointing the vulnerability of a specific component version down to the class or function (for example, checking whether the vulnerability is present in older software versions).
Vulnerabilities that are absent from NVD but present in the Sonatype database with the SONATYPE mark also have a significant effect on the results. According to the report
As a result, Dependency Check generates a lot of noise and misses several vulnerable components. Dependency Track generates less noise and detects many components, so its web interface is not painful to look at.
Nevertheless, practice shows that open source is a promising first step toward DevSecOps. The first thing to think about when embedding SCA into development is the process: together with management and the related departments, work out what the ideal process looks like for the organization. It may turn out that Dependency Check or Dependency Track covers all the business needs at first, and that as the applications under development grow more complex an enterprise solution becomes the logical continuation.
Appendix A: Results by component
Legend:
- H: high- and critical-severity vulnerabilities in the component
- M: medium-severity vulnerabilities in the component
- TRUE: true positive
- FALSE: false positive
| Component | Nexus IQ | Dependency Check | Dependency Track | Result |
|---|---|---|---|---|
| dom4j:1.6.1 | H | H | H | TRUE |
| log4j-core:2.3 | H | H | H | TRUE |
| log4j:1.2.14 | H | H | - | TRUE |
| commons-collections:3.1 | H | H | H | TRUE |
| commons-fileupload:1.3.2 | H | H | H | TRUE |
| commons-beanutils:1.7.0 | H | H | H | TRUE |
| commons-codec:1.10 | M | - | - | TRUE |
| mysql-connector-java:5.1.42 | H | H | H | TRUE |
| spring-expression:3.0.5 | H | Component not found | - | TRUE |
| spring-web:3.0.5 | H | Component not found | H | TRUE |
| spring-context:3.0.5 | M | Component not found | - | TRUE |
| spring-core:3.0.5 | M | H | H | TRUE |
| struts2-config-browser-plugin:2.3.30 | M | - | - | TRUE |
| spring-tx:3.0.5 | - | H | - | FALSE |
| struts-core:1.3.8 | H | H | H | TRUE |
| xwork-core:2.3.30 | H | - | - | TRUE |
| struts2-core:2.3.30 | H | H | H | TRUE |
| struts-taglib:1.3.8 | - | H | - | FALSE |
| struts-tiles-1.3.8 | - | H | - | FALSE |
Appendix B: Results by vulnerability
Legend:
- H: high- and critical-severity vulnerabilities in the component
- M: medium-severity vulnerabilities in the component
- TRUE: true positive
- FALSE: false positive
| Component | Nexus IQ | Dependency Check | Dependency Track | Severity | Result | Comment |
|---|---|---|---|---|---|---|
| dom4j:1.6.1 | CVE-2018-1000632 | CVE-2018-1000632 | CVE-2018-1000632 | H | TRUE | |
| dom4j:1.6.1 | CVE-2020-10683 | CVE-2020-10683 | CVE-2020-10683 | H | TRUE | |
| log4j-core:2.3 | CVE-2017-5645 | CVE-2017-5645 | CVE-2017-5645 | H | TRUE | |
| log4j-core:2.3 | CVE-2020-9488 | CVE-2020-9488 | CVE-2020-9488 | Low | TRUE | |
| log4j:1.2.14 | CVE-2019-17571 | CVE-2019-17571 | - | H | TRUE | |
| log4j:1.2.14 | - | CVE-2020-9488 | - | Low | TRUE | |
| log4j:1.2.14 | SONATYPE-2010-0053 | - | - | H | TRUE | |
| commons-collections:3.1 | - | CVE-2015-6420 | CVE-2015-6420 | H | FALSE | Duplicate of the RCE (OSSINDEX) |
| commons-collections:3.1 | - | CVE-2017-15708 | CVE-2017-15708 | H | FALSE | Duplicate of the RCE (OSSINDEX) |
| commons-collections:3.1 | SONATYPE-2015-0002 | RCE (OSSINDEX) | RCE (OSSINDEX) | H | TRUE | |
| commons-fileupload:1.3.2 | CVE-2016-1000031 | CVE-2016-1000031 | CVE-2016-1000031 | H | TRUE | |
| commons-fileupload:1.3.2 | SONATYPE-2014-0173 | - | - | M | TRUE | |
| commons-beanutils:1.7.0 | CVE-2014-0114 | CVE-2014-0114 | CVE-2014-0114 | H | TRUE | |
| commons-beanutils:1.7.0 | - | CVE-2019-10086 | CVE-2019-10086 | H | FALSE | The vulnerability applies only to versions 1.9.2 and later |
| commons-codec:1.10 | SONATYPE-2012-0050 | - | - | M | TRUE | |
| mysql-connector-java:5.1.42 | CVE-2018-3258 | CVE-2018-3258 | CVE-2018-3258 | H | TRUE | |
| mysql-connector-java:5.1.42 | CVE-2019-2692 | CVE-2019-2692 | - | M | TRUE | |
| mysql-connector-java:5.1.42 | - | CVE-2020-2875 | - | M | FALSE | The same vulnerability as CVE-2019-2692, with a note that the attack can seriously affect additional products |
| mysql-connector-java:5.1.42 | - | CVE-2017-15945 | - | H | FALSE | Unrelated to mysql-connector-java |
| mysql-connector-java:5.1.42 | - | CVE-2020-2933 | - | Low | FALSE | Duplicate of CVE-2020-2934 |
| mysql-connector-java:5.1.42 | CVE-2020-2934 | CVE-2020-2934 | - | M | TRUE | |
| spring-expression:3.0.5 | CVE-2018-1270 | Component not found | - | H | TRUE | |
| spring-expression:3.0.5 | CVE-2018-1257 | - | - | M | TRUE | |
| spring-web:3.0.5 | CVE-2016-1000027 | Component not found | - | H | TRUE | |
| spring-web:3.0.5 | CVE-2014-0225 | - | CVE-2014-0225 | H | TRUE | |
| spring-web:3.0.5 | CVE-2011-2730 | - | - | H | TRUE | |
| spring-web:3.0.5 | - | - | CVE-2013-4152 | M | TRUE | |
| spring-web:3.0.5 | CVE-2018-1272 | - | - | H | TRUE | |
| spring-web:3.0.5 | CVE-2020-5398 | - | - | H | TRUE | A concrete point in IQ's favour: "The Sonatype security research team discovered that this vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as the advisory states." |
| spring-web:3.0.5 | CVE-2013-6429 | - | - | M | TRUE | |
| spring-web:3.0.5 | CVE-2014-0054 | - | CVE-2014-0054 | M | TRUE | |
| spring-web:3.0.5 | CVE-2013-6430 | - | - | M | TRUE | |
| spring-context:3.0.5 | CVE-2011-2894 | Component not found | - | M | TRUE | |
| spring-core:3.0.5 | - | CVE-2011-2730 | CVE-2011-2730 | H | TRUE | |
| spring-core:3.0.5 | CVE-2011-2894 | CVE-2011-2894 | CVE-2011-2894 | M | TRUE | |
| spring-core:3.0.5 | - | - | CVE-2013-4152 | M | FALSE | Duplicate of the same vulnerability in spring-web |
| spring-core:3.0.5 | - | CVE-2013-4152 | - | M | FALSE | The vulnerability relates to the spring-web component |
| spring-core:3.0.5 | - | CVE-2013-6429 | CVE-2013-6429 | M | FALSE | The vulnerability relates to the spring-web component |
| spring-core:3.0.5 | - | CVE-2013-6430 | - | M | FALSE | The vulnerability relates to the spring-web component |
| spring-core:3.0.5 | - | CVE-2013-7315 | CVE-2013-7315 | M | FALSE | Split off from CVE-2013-4152; the vulnerability relates to the spring-web component |
| spring-core:3.0.5 | - | CVE-2014-0054 | CVE-2014-0054 | M | FALSE | The vulnerability relates to the spring-web component |
| spring-core:3.0.5 | - | CVE-2014-0225 | - | H | FALSE | The vulnerability relates to the spring-web component |
| spring-core:3.0.5 | - | - | CVE-2014-0225 | H | FALSE | Duplicate of the same vulnerability in spring-web |
| spring-core:3.0.5 | - | CVE-2014-1904 | CVE-2014-1904 | M | FALSE | The vulnerability relates to the spring-web-mvc component |
| spring-core:3.0.5 | - | CVE-2014-3625 | CVE-2014-3625 | M | FALSE | The vulnerability relates to the spring-web-mvc component |
| spring-core:3.0.5 | - | CVE-2016-9878 | CVE-2016-9878 | H | FALSE | The vulnerability relates to the spring-web-mvc component |
| spring-core:3.0.5 | - | CVE-2018-1270 | CVE-2018-1270 | H | FALSE | Relates to spring-expression / spring-messaging |
| spring-core:3.0.5 | - | CVE-2018-1271 | CVE-2018-1271 | M | FALSE | The vulnerability relates to the spring-web-mvc component |
| spring-core:3.0.5 | - | CVE-2018-1272 | CVE-2018-1272 | H | TRUE | |
| spring-core:3.0.5 | CVE-2014-3578 | CVE-2014-3578 (OSSINDEX) | CVE-2014-3578 | M | TRUE | |
| spring-core:3.0.5 | SONATYPE-2015-0327 | - | - | Low | TRUE | |
| struts2-config-browser-plugin:2.3.30 | SONATYPE-2016-0104 | - | - | M | TRUE | |
| spring-tx:3.0.5 | - | CVE-2011-2730 | - | H | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2011-2894 | - | H | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2013-4152 | - | M | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2013-6429 | - | M | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2013-6430 | - | M | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2013-7315 | - | M | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2014-0054 | - | M | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2014-0225 | - | H | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2014-1904 | - | M | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2014-3625 | - | M | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2016-9878 | - | H | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2018-1270 | - | H | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2018-1271 | - | M | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2018-1272 | - | M | FALSE | The vulnerability is not specific to spring-tx |
| struts-core:1.3.8 | - | CVE-2011-5057 (OSSINDEX) | - | M | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | - | CVE-2012-0391 (OSSINDEX) | CVE-2012-0391 | H | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | - | CVE-2014-0094 (OSSINDEX) | CVE-2014-0094 | M | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | - | CVE-2014-0113 (OSSINDEX) | CVE-2014-0113 | H | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | CVE-2016-1182 | CVE-2016-1182 | - | H | TRUE | |
| struts-core:1.3.8 | - | - | CVE-2011-5057 | M | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | - | CVE-2012-0392 (OSSINDEX) | CVE-2012-0392 | H | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | - | CVE-2012-0393 (OSSINDEX) | CVE-2012-0393 | M | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | CVE-2015-0899 | CVE-2015-0899 | - | H | TRUE | |
| struts-core:1.3.8 | - | CVE-2012-0394 | CVE-2012-0394 | M | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | - | CVE-2012-0838 (OSSINDEX) | CVE-2012-0838 | H | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | - | CVE-2013-1965 (OSSINDEX) | CVE-2013-1965 | H | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | - | CVE-2013-1966 (OSSINDEX) | CVE-2013-1966 | H | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | - | CVE-2013-2115 | CVE-2013-2115 | H | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | - | CVE-2013-2134 (OSSINDEX) | CVE-2013-2134 | H | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | - | CVE-2013-2135 (OSSINDEX) | CVE-2013-2135 | H | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | CVE-2014-0114 | CVE-2014-0114 | - | H | TRUE | |
| struts-core:1.3.8 | - | CVE-2015-2992 | CVE-2015-2992 | M | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | - | CVE-2016-0785 (OSSINDEX) | CVE-2016-0785 | H | FALSE | Vulnerability of Struts 2 |
| struts-core:1.3.8 | CVE-2016-1181 | CVE-2016-1181 | - | H | TRUE | |
| struts-core:1.3.8 | - | CVE-2016-4003 (OSSINDEX) | CVE-2016-4003 | H | FALSE | Vulnerability of Struts 2 |
| xwork-core:2.3.30 | CVE-2017-9804 | - | - | H | TRUE | |
| xwork-core:2.3.30 | SONATYPE-2017-0173 | - | - | H | TRUE | |
| xwork-core:2.3.30 | CVE-2017-7672 | - | - | H | FALSE | Duplicate of CVE-2017-9804 |
| xwork-core:2.3.30 | SONATYPE-2016-0127 | - | - | H | TRUE | |
| struts2-core:2.3.30 | - | CVE-2016-6795 | CVE-2016-6795 | H | TRUE | |
| struts2-core:2.3.30 | - | CVE-2017-9787 | CVE-2017-9787 | H | TRUE | |
| struts2-core:2.3.30 | - | CVE-2017-9791 | CVE-2017-9791 | H | TRUE | |
| struts2-core:2.3.30 | - | CVE-2017-9793 | - | H | FALSE | Duplicate of CVE-2018-1327 |
| struts2-core:2.3.30 | - | CVE-2017-9804 | - | H | TRUE | |
| struts2-core:2.3.30 | - | CVE-2017-9805 | CVE-2017-9805 | H | TRUE | |
| struts2-core:2.3.30 | CVE-2016-4003 | - | - | M | FALSE | Applies to Apache Struts 2.x up to 2.3.28 (we have 2.3.30). However, according to the description the CVE is valid for any Struts 2 version if JRE 1.7 or lower is used. Apparently they decided to play it safe here, probably because of that condition. |
| struts2-core:2.3.30 | - | CVE-2018-1327 | CVE-2018-1327 | H | TRUE | |
| struts2-core:2.3.30 | CVE-2017-5638 | CVE-2017-5638 | CVE-2017-5638 | H | TRUE | The same vulnerability that was exploited in the 2017 Equifax breach |
| struts2-core:2.3.30 | CVE-2017-12611 | CVE-2017-12611 | - | H | TRUE | |
| struts2-core:2.3.30 | CVE-2018-11776 | CVE-2018-11776 | CVE-2018-11776 | H | TRUE | |
| struts-taglib:1.3.8 | - | CVE-2012-0394 | - | M | FALSE | For struts2-core |
| struts-taglib:1.3.8 | - | CVE-2013-2115 | - | H | FALSE | For struts2-core |
| struts-taglib:1.3.8 | - | CVE-2014-0114 | - | H | FALSE | For commons-beanutils |
| struts-taglib:1.3.8 | - | CVE-2015-0899 | - | H | FALSE | Not applicable to taglib |
| struts-taglib:1.3.8 | - | CVE-2015-2992 | - | M | FALSE | Refers to struts2-core |
| struts-taglib:1.3.8 | - | CVE-2016-1181 | - | H | FALSE | Not applicable to taglib |
| struts-taglib:1.3.8 | - | CVE-2016-1182 | - | H | FALSE | Not applicable to taglib |
| struts-tiles-1.3.8 | - | CVE-2012-0394 | - | M | FALSE | For struts2-core |
| struts-tiles-1.3.8 | - | CVE-2013-2115 | - | H | FALSE | For struts2-core |
| struts-tiles-1.3.8 | - | CVE-2014-0114 | - | H | FALSE | For commons-beanutils |
| struts-tiles-1.3.8 | - | CVE-2015-0899 | - | H | FALSE | Not applicable to tiles |
| struts-tiles-1.3.8 | - | CVE-2015-2992 | - | M | FALSE | For struts2-core |
| struts-tiles-1.3.8 | - | CVE-2016-1181 | - | H | FALSE | Not applicable to taglib |
| struts-tiles-1.3.8 | - | CVE-2016-1182 | - | H | FALSE | Not applicable to taglib |
Source: habr.com