
change blossom-ci to ACL security format [skip ci] #1706

Merged (2 commits), Jun 24, 2024

Conversation

YanxuanLiu
Collaborator

Requested by security to prevent DDOS. The new format is provided by blossom team.

Signed-off-by: YanxuanLiu <[email protected]>
@YanxuanLiu YanxuanLiu requested review from pxLi, Nic-Ma and tangy5 June 13, 2024 03:07
@YanxuanLiu YanxuanLiu self-assigned this Jun 13, 2024
@YanxuanLiu
Collaborator Author

/build


👎 Promotion blocked, new vulnerability found

Vulnerability report

Component | Vulnerability | Description | Severity
Apache Ivy | CVE-2022-46751 | Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be made more lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide". | HIGH
Netty Project | CVE-2023-34462 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the server name indicated by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final. | MEDIUM
Netty Project | CVE-2023-44487 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | HIGH

@YanxuanLiu YanxuanLiu requested a review from KumoLiu June 13, 2024 03:17
@YanxuanLiu
Collaborator Author

/build


👎 Promotion blocked, new vulnerability found

Vulnerability report

Component | Vulnerability | Description | Severity
Apache Ivy | CVE-2022-46751 | Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be made more lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide". | HIGH
Netty Project | CVE-2023-34462 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the server name indicated by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final. | MEDIUM
Netty Project | CVE-2023-44487 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | HIGH

@pxLi
Collaborator

pxLi commented Jun 24, 2024

@YanxuanLiu please add the item to the internal exception list and retry, thanks.

@Nic-Ma

Nic-Ma commented Jun 24, 2024 via email

@Nic-Ma

Nic-Ma commented Jun 24, 2024 via email

@YanxuanLiu
Collaborator Author

/build


👎 Promotion blocked, new vulnerability found

Vulnerability report

Component | Vulnerability | Description | Severity
Netty Project | CVE-2023-34462 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the server name indicated by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final. | MEDIUM
Netty Project | CVE-2023-44487 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | HIGH

@Nic-Ma

Nic-Ma commented Jun 24, 2024 via email

@YanxuanLiu
Collaborator Author

/build

@YanxuanLiu
Collaborator Author

@Nic-Ma I've added the vulnerabilities to the exception list. But the build (3.11) workflow is still failing, which blocks merging the PR. Could you help check the failure?

@Nic-Ma

Nic-Ma commented Jun 24, 2024

ping @KumoLiu

Thanks.

@KumoLiu
Contributor

KumoLiu commented Jun 24, 2024

@YanxuanLiu I have rerun the job, it works well now.

@tangy5 tangy5 merged commit fc9b567 into Project-MONAI:main Jun 24, 2024
25 checks passed
jose-rfj added a commit to jose-rfj/MONAILabel that referenced this pull request Jul 8, 2024