[CAM-8277] Upgrade optional dependency commons-email to >= 1.5

Type: Bug Report
Resolution: Fixed
Priority: L3 - Default
Fix Version/s: 7.9.0, 7.8.3, 7.7.8, 7.6.13, 7.9.0-alpha3
Affects Version/s: 7.8.0-alpha4
Component/s: None
Labels:
None

OWASP scan of Camunda shows a known vulnerability in the commons-email version used in Camunda

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9801
When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.

This is the controller panel for Smart Panels app

Roman Smirnov added a comment - 07/Nov/17 8:52 PM

Hi AJ,

Sorry for the late response. Which artifact did you scan? Could you please provide more information?

Best,
Roman

Roman Smirnov added a comment - 07/Nov/17 8:52 PM Hi AJ, Sorry for the late response. Which artifact did you scan? Could you please provide more information? Best, Roman

AJ added a comment - 02/Mar/18 7:00 PM - edited

This is in Camunda-engine:

+- org.camunda.bpm:camunda-engine-spring:jar:7.8.0:compile
|  +- org.camunda.bpm:camunda-engine:jar:7.8.0:compile
|  |  +- org.apache.commons:commons-email:jar:1.2:compile

The commons-email version is defined in comunda-bpm-platform/camunda-parent Currently it is still at version 1.2
https://github.com/camunda/camunda-bpm-platform/blob/master/parent/pom.xml#L189

AJ added a comment - 02/Mar/18 7:00 PM - edited This is in Camunda-engine: +- org.camunda.bpm:camunda-engine-spring:jar:7.8.0:compile | +- org.camunda.bpm:camunda-engine:jar:7.8.0:compile | | +- org.apache.commons:commons-email:jar:1.2:compile The commons-email version is defined in comunda-bpm-platform/camunda-parent Currently it is still at version 1.2 https://github.com/camunda/camunda-bpm-platform/blob/master/parent/pom.xml#L189

Roman Smirnov added a comment - 05/Mar/18 8:37 AM

Hi AJ,

Thanks for sharing more information.

To let you know, commons-email is an optional depedency, and it is only needed when you are using a mail task. So, in case you are embedding the engine in you application, you can easily exclude this dependency. However, the pre-packaged distrubtions don't include that dependency.

Anyway, we are going to check, if we can upgrade commons-email to > 1.5.

Best,
Roman

Roman Smirnov added a comment - 05/Mar/18 8:37 AM Hi AJ, Thanks for sharing more information. To let you know, commons-email is an optional depedency, and it is only needed when you are using a mail task. So, in case you are embedding the engine in you application, you can easily exclude this dependency. However, the pre-packaged distrubtions don't include that dependency. Anyway, we are going to check, if we can upgrade commons-email to > 1.5. Best, Roman

Assignee:: Roman Smirnov

Reporter:: AJ

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 02/Oct/17 11:55 PM

Updated:: 29/Mar/18 1:45 PM

Resolved:: 06/Mar/18 6:32 PM

camunda BPM

Details

Description

mgm-controller-panel

This is the controller panel for Smart Panels app

Attachments

Activity

Collapse comment: Roman Smirnov added a comment - 07/Nov/17 8:52 PM

Expand comment: Roman Smirnov added a comment - 07/Nov/17 8:52 PM

Collapse comment: AJ added a comment - 02/Mar/18 7:00 PM, Edited by AJ - 02/Mar/18 7:01 PM

Expand comment: AJ added a comment - 02/Mar/18 7:00 PM, Edited by AJ - 02/Mar/18 7:01 PM

Collapse comment: Roman Smirnov added a comment - 05/Mar/18 8:37 AM

Expand comment: Roman Smirnov added a comment - 05/Mar/18 8:37 AM

People

Dates

Salesforce