Hi, in hazelcast-code-samples-master/enterprise/ldap-authentication, there is a dependency org.apache.mina:mina-core:2.0.16 that calls the risk method.
The affected version range for this CVE is [,2.0.21) || [2.1.0,2.1.1)
After further analysis, in this project, the main API called is <org.apache.mina.filter.buffer.BufferedWriteFilter: void internalFlush(org.apache.mina.core.filterchain.IoFilter$NextFilter,org.apache.mina.core.session.IoSession,org.apache.mina.core.buffer.IoBuffer)>
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length : 10
<org.apache.mina.filter.buffer.BufferedWriteFilter: void internalFlush(org.apache.mina.core.filterchain.IoFilter$NextFilter,org.apache.mina.core.session.IoSession,org.apache.mina.core.buffer.IoBuffer)>
at <org.apache.mina.filter.buffer.BufferedWriteFilter: void write(org.apache.mina.core.session.IoSession,org.apache.mina.core.buffer.IoBuffer,org.apache.mina.core.buffer.IoBuffer)> (org.apache.mina.filter.buffer.BufferedWriteFilter.java:[169, 174]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.filter.buffer.BufferedWriteFilter: void write(org.apache.mina.core.session.IoSession,org.apache.mina.core.buffer.IoBuffer)> (org.apache.mina.filter.buffer.BufferedWriteFilter.java:[147]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.filter.buffer.BufferedWriteFilter: void filterWrite(org.apache.mina.core.filterchain.IoFilter$NextFilter,org.apache.mina.core.session.IoSession,org.apache.mina.core.write.WriteRequest)> (org.apache.mina.filter.buffer.BufferedWriteFilter.java:[132]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.core.filterchain.DefaultIoFilterChain: void callPreviousFilterWrite(org.apache.mina.core.filterchain.IoFilterChain$Entry,org.apache.mina.core.session.IoSession,org.apache.mina.core.write.WriteRequest)> (org.apache.mina.core.filterchain.DefaultIoFilterChain.java:[629]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.core.filterchain.DefaultIoFilterChain: void fireFilterWrite(org.apache.mina.core.write.WriteRequest)> (org.apache.mina.core.filterchain.DefaultIoFilterChain.java:[622]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.core.session.AbstractIoSession: org.apache.mina.core.future.WriteFuture write(java.lang.Object,java.net.SocketAddress)> (org.apache.mina.core.session.AbstractIoSession.java:[574]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.mina.core.session.AbstractIoSession: org.apache.mina.core.future.WriteFuture write(java.lang.Object)> (org.apache.mina.core.session.AbstractIoSession.java:[519]) in /.m2/repository/org/apache/mina/mina-core/2.0.16/mina-core-2.0.16.jar
at <org.apache.directory.server.ldap.LdapServer: void stop()> (org.apache.directory.server.ldap.LdapServer.java:[622]) in /.m2/repository/org/apache/directory/server/apacheds-protocol-ldap/2.0.0-M24/apacheds-protocol-ldap-2.0.0-M24.jar
at <simpleldap.SimpleLdapServer: void stop()> (simpleldap.SimpleLdapServer.java:[129]) in /detect/unzip/hazelcast-code-samples-master/enterprise/ldap-authentication/target/classes
Dependency tree--
[INFO] com.hazelcast.samples.enterprise:ldap-authentication:jar:0.1-SNAPSHOT
[INFO] +- org.apache.directory.api:api-ldap-codec-standalone:jar:1.0.0:compile
[INFO] | +- org.apache.directory.api:api-ldap-net-mina:jar:1.0.0:compile
[INFO] | +- org.apache.directory.api:api-ldap-codec-core:jar:1.0.0:compile
[INFO] | | +- org.apache.directory.api:api-asn1-api:jar:1.0.0:compile
[INFO] | | +- org.apache.directory.api:api-i18n:jar:1.0.0:compile
[INFO] | | \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] | +- org.apache.directory.api:api-ldap-extras-codec:jar:1.0.0:compile
[INFO] | \- org.apache.mina:mina-core:jar:2.0.16:compile
[INFO] +- org.apache.directory.server:apacheds-protocol-ldap:jar:2.0.0-M24:compile
[INFO] | +- org.apache.directory.server:apacheds-core:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-interceptors-admin:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-interceptors-authn:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-interceptors-number:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-interceptors-authz:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-interceptors-changelog:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-interceptors-collective:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-interceptors-event:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-interceptors-exception:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-interceptors-journal:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-interceptors-normalization:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-interceptors-operational:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-interceptors-referral:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-interceptors-schema:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-interceptors-subtree:jar:2.0.0-M24:compile
[INFO] | | \- org.apache.directory.server:apacheds-interceptors-trigger:jar:2.0.0-M24:compile
[INFO] | | \- org.apache.directory.api:api-ldap-extras-trigger:jar:1.0.0:compile
[INFO] | +- org.apache.directory.server:apacheds-core-api:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.server:apacheds-core-constants:jar:2.0.0-M24:compile
[INFO] | | +- org.apache.directory.api:api-ldap-extras-aci:jar:1.0.0:compile
[INFO] | | \- net.sf.ehcache:ehcache:jar:2.10.4:compile
[INFO] | +- org.apache.directory.server:apacheds-i18n:jar:2.0.0-M24:compile
[INFO] | +- org.apache.directory.server:apacheds-protocol-shared:jar:2.0.0-M24:compile
[INFO] | +- org.apache.directory.jdbm:apacheds-jdbm1:jar:2.0.0-M3:compile
[INFO] | +- org.apache.directory.server:apacheds-jdbm-partition:jar:2.0.0-M24:compile
[INFO] | | \- org.apache.directory.server:apacheds-core-avl:jar:2.0.0-M24:compile
[INFO] | +- org.apache.directory.server:apacheds-kerberos-codec:jar:2.0.0-M24:compile
[INFO] | +- commons-lang:commons-lang:jar:2.6:compile
[INFO] | +- org.apache.directory.api:api-asn1-ber:jar:1.0.0:compile
[INFO] | +- org.apache.directory.api:api-ldap-client-api:jar:1.0.0:compile
[INFO] | | \- commons-pool:commons-pool:jar:1.6:compile
[INFO] | +- org.apache.directory.api:api-ldap-extras-codec-api:jar:1.0.0:compile
[INFO] | +- org.apache.directory.api:api-ldap-extras-sp:jar:1.0.0:compile
[INFO] | +- org.apache.directory.api:api-ldap-extras-util:jar:1.0.0:compile
[INFO] | +- org.apache.directory.api:api-ldap-model:jar:1.0.0:compile
[INFO] | | +- org.apache.servicemix.bundles:org.apache.servicemix.bundles.antlr:jar:2.7.7_5:compile
[INFO] | | \- commons-codec:commons-codec:jar:1.10:compile
[INFO] | +- org.apache.directory.api:api-ldap-schema-data:jar:1.0.0:compile
[INFO] | +- org.apache.directory.api:api-util:jar:1.0.0:compile
[INFO] | +- org.bouncycastle:bcprov-jdk15on:jar:1.56:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- org.apache.directory.server:apacheds-core-annotations:jar:2.0.0-M24:compile
[INFO] | +- org.apache.directory.server:apacheds-core-shared:jar:2.0.0-M24:compile
[INFO] | +- org.apache.directory.server:apacheds-ldif-partition:jar:2.0.0-M24:compile
[INFO] | +- org.apache.directory.server:apacheds-xdbm-partition:jar:2.0.0-M24:compile
[INFO] | +- org.apache.directory.mavibot:mavibot:jar:1.0.0-M8:compile
[INFO] | +- org.apache.directory.server:apacheds-mavibot-partition:jar:2.0.0-M24:compile
[INFO] | \- junit:junit:jar:4.12:compile
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- org.slf4j:slf4j-simple:jar:1.7.25:compile
[INFO] +- org.jline:jline-reader:jar:3.19.0:compile
[INFO] | \- org.jline:jline-terminal:jar:3.19.0:compile
[INFO] +- com.hazelcast:hazelcast-enterprise-all:jar:5.0-SNAPSHOT:compile
[INFO] \- com.hazelcast.samples:helper:jar:0.1-SNAPSHOT:compile
[INFO] \- com.hazelcast:hazelcast-all:jar:5.0-SNAPSHOT:compile
Suggested solutions:
Update dependency version
Thank you very much.