
Commit c5be3e0

Openssl added
1 parent 1c7e3c8 commit c5be3e0

2 files changed

Lines changed: 22 additions & 7 deletions


README.md

Lines changed: 18 additions & 7 deletions
@@ -24,18 +24,25 @@ test_java_dependency_issues_repo/
2424
└── README.md
2525
```
2626

27-
## Vulnerable Dependency
27+
## Vulnerable Dependencies
2828

29-
This project includes **Log4j 2.14.1**, which contains the critical **CVE-2021-44228** vulnerability (also known as Log4Shell).
29+
This project includes multiple vulnerable dependencies for testing purposes:
3030

31-
**⚠️ WARNING**: This vulnerability is intentionally included for testing purposes only. Do not use this project in production environments.
31+
**⚠️ WARNING**: These vulnerabilities are intentionally included for testing purposes only. Do not use this project in production environments.
3232

33-
### Vulnerability Details
33+
### 1. Log4j Vulnerability
3434
- **Dependency**: `org.apache.logging.log4j:log4j-core:2.14.1`
35-
- **CVE**: CVE-2021-44228
35+
- **CVE**: CVE-2021-44228 (Log4Shell)
3636
- **Severity**: Critical (CVSS 10.0)
3737
- **Description**: Remote code execution vulnerability in Log4j
3838

39+
### 2. OpenSSL Vulnerability (via Netty)
40+
- **Dependency**: `io.netty:netty-tcnative-boringssl-static:2.0.20.Final`
41+
- **OpenSSL Version**: 1.0.2r (bundled)
42+
- **CVEs**: CVE-2019-1543, CVE-2019-1547, CVE-2019-1563
43+
- **Severity**: High
44+
- **Description**: Multiple vulnerabilities in OpenSSL 1.0.2r including padding oracle attacks and side-channel attacks
45+
3946
## Building the Project
4047

4148
```bash
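Review bot: The new "OpenSSL Vulnerability (via Netty)" block is internally inconsistent: the artifact it names, `io.netty:netty-tcnative-boringssl-static:2.0.20.Final`, is the BoringSSL-static variant, so the line "**OpenSSL Version**: 1.0.2r (bundled)" does not describe what that jar ships. Either switch to the tcnative artifact that actually bundles the OpenSSL build you want the fixture to carry, or correct the version line to say BoringSSL and give the BoringSSL revision. The three CVE ids and the "High" severity should also cite where they come from (advisory or NVD entry), as the Log4j entry does with its CVSS score, and "padding oracle attacks and side-channel attacks" should say which CVE is which; a scanner test fixture is only useful when its expected findings are precise enough to assert on.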
@@ -54,14 +61,18 @@ This project includes **Log4j 2.14.1**, which contains the critical **CVE-2021-4
5461
./gradlew test
5562
```
5663

57-
## Fixing the Vulnerability
64+
## Fixing the Vulnerabilities
5865

59-
To fix the vulnerability, upgrade Log4j to version 2.17.1 or later:
66+
To fix the vulnerabilities, upgrade to secure versions:
6067

6168
```gradle
6269
dependencies {
70+
// Fixed Log4j version
6371
implementation 'org.apache.logging.log4j:log4j-core:2.17.1'
6472
implementation 'org.apache.logging.log4j:log4j-api:2.17.1'
73+
74+
// Fixed Netty tcnative version (uses updated OpenSSL/BoringSSL)
75+
implementation 'io.netty:netty-tcnative-boringssl-static:2.0.54.Final'
6576
}
6677
```
6778
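Review bot: The comment "// Fixed Netty tcnative version (uses updated OpenSSL/BoringSSL)" does not say what the fix consists of; since the artifact is `netty-tcnative-boringssl-static`, state which BoringSSL revision 2.0.54.Final bundles, or at least that it postdates the three 2019 CVEs listed in the vulnerability section, so a reader can verify the claim rather than take it on faith. The section should also make explicit that these coordinates replace, not supplement, the ones in the Vulnerable Dependencies section (a reader copying this block into `build.gradle` alongside the old lines gets a conflict, not a fix), and a one-line check such as `./gradlew dependencies --configuration runtimeClasspath` would let them confirm the resolved versions after the change.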

build.gradle

Lines changed: 4 additions & 0 deletions
@@ -16,6 +16,10 @@ dependencies {
1616
implementation 'org.apache.logging.log4j:log4j-core:2.14.1'
1717
implementation 'org.apache.logging.log4j:log4j-api:2.14.1'
1818

19+
// Vulnerable OpenSSL dependency - Netty with tcnative using OpenSSL 1.0.2r
20+
// Contains multiple CVEs including CVE-2019-1543, CVE-2019-1547, CVE-2019-1563
21+
implementation 'io.netty:netty-tcnative-boringssl-static:2.0.20.Final'
22+
1923
// Testing dependencies
2024
testImplementation 'org.junit.jupiter:junit-jupiter-api:5.8.2'
2125
testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.8.2'
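Review bot: The comment "// Vulnerable OpenSSL dependency - Netty with tcnative using OpenSSL 1.0.2r" contradicts the coordinate under it: `netty-tcnative-boringssl-static` statically links BoringSSL, not OpenSSL 1.0.2r, so either the comment or the artifact is wrong, and a scanner keyed on bundled OpenSSL versions will not match what this jar contains. Nothing else in this `dependencies` block pulls in Netty itself (`io.netty:netty-handler` or similar), so the native library is never loaded at runtime; if the fixture is meant only to show up in the dependency graph, say so in the comment, and if it is meant to be exercisable, add the Netty dependency that uses it. Finally, "Contains multiple CVEs including CVE-2019-1543, CVE-2019-1547, CVE-2019-1563" should be checked against the OpenSSL and BoringSSL advisories before it is used as expected scanner output; in particular confirm that each of the three applies to a 1.0.2-series build rather than only to 1.1.x.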

0 commit comments
