Describe the bug Found multiple CVEs for spring-boot-starter-security + spring-security-saml2-service-provider with latest (as of this writing) Spring Boot 2.6.5 + Spring Cloud Jubilee 2021.0.1
To Reproduce To reproduce, please download the minimal, reproducible sample at : https://github.com/patpatpat123/cvequestion
Once done, please kindly run with Apache Maven 3.6.3: mvn clean install dependency:tree -X
Expected behavior No CVE for the very popular and critical Spring Security project please 🙏
Sample Please have a look here: https://github.com/patpatpat123/cvequestion
More background: With a very simple Spring Boot 2.6.5 + Spring Cloud Jubilee 2021.0.1 project, some static analysis, such as BlackDuck, OWASP checks, SonarQube, dependency-plugin, and others, are run on my project.
And even with the latest (as of this writing Spring Boot 2.6.5 + Spring Cloud Jubilee 2021.0.1), there are multiple CVEs found.
In order to reproduce the issue, please run: mvn clean install dependency:tree -X
Sample logs:
[DEBUG] org.springframework.security:spring-security-saml2-service-provider:jar:5.6.2:compile
[DEBUG] org.springframework.security:spring-security-web:jar:5.6.2:compile (version managed from 5.6.2)
[DEBUG] org.springframework.security:spring-security-core:jar:5.6.2:compile (version managed from 5.6.2)
[DEBUG] org.opensaml:opensaml-core:jar:3.4.6:compile
[DEBUG] joda-time:joda-time:jar:2.9:compile
[DEBUG] io.dropwizard.metrics:metrics-core:jar:4.2.9:compile (version managed from 3.1.5)
[DEBUG] net.shibboleth.utilities:java-support:jar:7.5.2:compile
[DEBUG] com.google.code.findbugs:jsr305:jar:3.0.2:compile
[DEBUG] com.google.guava:guava:jar:20.0:compile
[DEBUG] commons-codec:commons-codec:jar:1.15:compile (version managed from 1.10)
[DEBUG] org.opensaml:opensaml-saml-api:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-xmlsec-api:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-security-api:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-soap-api:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-messaging-api:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-profile-api:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-storage-api:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-saml-impl:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-security-impl:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-xmlsec-impl:jar:3.4.6:compile
[DEBUG] org.apache.santuario:xmlsec:jar:2.0.10:compile
[DEBUG] com.fasterxml.woodstox:woodstox-core:jar:5.0.3:compile
[DEBUG] org.codehaus.woodstox:stax2-api:jar:3.1.4:compile
[DEBUG] org.cryptacular:cryptacular:jar:1.1.4:compile
[DEBUG] org.opensaml:opensaml-soap-impl:jar:3.4.6:compile
[DEBUG] org.apache.velocity:velocity:jar:1.7:compile
[DEBUG] commons-collections:commons-collections:jar:3.2.1:compile
[DEBUG] commons-lang:commons-lang:jar:2.4:compile
Actually there are multiple CVEs (copy-pasted above, with //<-- added on each line that has a CVE, plus the CVE number):
[DEBUG] org.springframework.security:spring-security-saml2-service-provider:jar:5.6.2:compile //<— CVE-2018-1258
[DEBUG] org.springframework.security:spring-security-web:jar:5.6.2:compile (version managed from 5.6.2)
[DEBUG] org.springframework.security:spring-security-core:jar:5.6.2:compile (version managed from 5.6.2) //<— CVE-2018-1258
[DEBUG] org.opensaml:opensaml-core:jar:3.4.6:compile
[DEBUG] joda-time:joda-time:jar:2.9:compile
[DEBUG] io.dropwizard.metrics:metrics-core:jar:4.2.9:compile (version managed from 3.1.5)
[DEBUG] net.shibboleth.utilities:java-support:jar:7.5.2:compile
[DEBUG] com.google.code.findbugs:jsr305:jar:3.0.2:compile
[DEBUG] com.google.guava:guava:jar:20.0:compile //<— CVE-2018-10237
[DEBUG] commons-codec:commons-codec:jar:1.15:compile (version managed from 1.10)
[DEBUG] org.opensaml:opensaml-saml-api:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-xmlsec-api:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-security-api:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-soap-api:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-messaging-api:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-profile-api:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-storage-api:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-saml-impl:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-security-impl:jar:3.4.6:compile
[DEBUG] org.opensaml:opensaml-xmlsec-impl:jar:3.4.6:compile
[DEBUG] org.apache.santuario:xmlsec:jar:2.0.10:compile //<— CVE-2019-12400 CVE-2020-8908
[DEBUG] com.fasterxml.woodstox:woodstox-core:jar:5.0.3:compile
[DEBUG] org.codehaus.woodstox:stax2-api:jar:3.1.4:compile
[DEBUG] org.cryptacular:cryptacular:jar:1.1.4:compile
[DEBUG] org.opensaml:opensaml-soap-impl:jar:3.4.6:compile
[DEBUG] org.apache.velocity:velocity:jar:1.7:compile //<— CVE-2020-13936
[DEBUG] commons-collections:commons-collections:jar:3.2.1:compile //<— CVE-2017-15708 CVE-2015-6420
[DEBUG] commons-lang:commons-lang:jar:2.4:compile
commons-collections-3.2.1.jar
spring-security-core-5.6.2.jar
spring-security-saml2-service-provider-5.6.2.jar
velocity-1.7.jar
guava-20.0.jar
xmlsec-2.0.10.jar
Could you please kindly help update the impacted jars to newer and safer versions? Or maybe offer an alternative for users to "override" some of the versions?
This is not a "let's make some tool happy" issue, but rather me trying to highlight some valid CVEs, and hopefully have some technical vulnerabilities fixed.
Thanks for your time taking a look at this, and thank you in advance for fixing the CVEs.
Comment From: sjohnr
@patpatpat123 thanks for providing the results of your analysis.
Regarding CVE-2018-1258 this points to spring-security-core version 5.0.5 which is not the version you're using. This appears to be a false positive.
Regarding the other CVE findings you are reporting, as mentioned in this comment, these appear to be based on an OpenSAML version that is EOL. It's recommended that you use the latest supported OpenSAML version or override/manage those transitive dependencies yourself if possible.
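One way to act on the override suggested above, as an added example that is not part of the original thread and not Spring Security's own build configuration: pin every org.opensaml artifact that appears in the tree from the application's own pom.xml via dependencyManagement, so Maven resolves them at the chosen version instead of the 3.4.6 pulled in transitively. The property name opensaml.version and the value 4.0.1 are assumptions (4.0.1 is the version the reporter points at on mvnrepository); it also assumes that version is resolvable from the repositories your build is configured with, and that your Spring Security version supports OpenSAML 4, as the maintainer comment says.

```xml
<!-- pom.xml excerpt (example, not from the reported project or from Spring Security) -->
<properties>
  <!-- assumed property name and version; pick the OpenSAML 4 release you have validated -->
  <opensaml.version>4.0.1</opensaml.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Every org.opensaml artifact present in the dependency:tree output above
         must be listed here, otherwise Maven keeps the transitive 3.4.6 for it. -->
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-core</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-saml-api</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-saml-impl</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-xmlsec-api</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-xmlsec-impl</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-security-api</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-security-impl</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-soap-api</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-soap-impl</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-messaging-api</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-profile-api</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-storage-api</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After adding this, confirm the override actually took effect with `mvn dependency:tree -Dincludes=org.opensaml`: every org.opensaml line should now show the pinned version and be annotated "(version managed from 3.4.6)". Note that this only changes the OpenSAML artifacts themselves; the other flagged jars in the tree (guava, xmlsec, velocity, commons-collections) are pulled in by OpenSAML and should be re-checked in the tree after the bump rather than assumed fixed. OpenSAML 4 also requires Java 11, so a project still building on Java 8 cannot take this route.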
Comment From: patpatpat123
Hello @sjohnr, hello @jzheaux,
I wanted to first say thank you for your time answering.
Well noted for the false positive.
As for the others, I would like to ask if you can help with further expertise. Probably I am wrong, but based on your comment, it seems like the root cause is because "I am using a version of OpenSAML that is EOL, i.e. I am using a bad version of OpenSAML, therefore, I am getting all those CVEs."
My point raising the issue is: I think this repo, Spring Security, not me, is using a version of OpenSAML that is EOL, a bad version.
Could you please tell me if this understanding is erroneous or correct?
Because if it is Spring Security using a bad version of OpenSAML, shouldn't Spring Security use the latest version?
Again, not an expert in this domain, but I do believe from the tree that I have nothing to do with those CVEs; it is this repo, and the dependencies used by this repo, that are using a "bad version" of OpenSAML.
Just wanted your help clarifying that if possible.
In the meantime, much appreciated for your time, and wishing you a pleasant day.
Comment From: patpatpat123
Just an addition, I am no Spring Security expert, no Gradle expert, no dependency expert, no OpenSAML expert:
I was trying to investigate the root cause, and looked at this: https://github.com/spring-projects/spring-security/blob/6ce6a1a55ea86b4607dad67fcf7cbda8d3b2b938/gradle.properties#L5
And allowing myself to add a simple technical question, hope this is not too much trouble.
Can this repo use (based on https://mvnrepository.com/artifact/org.opensaml/opensaml-core)
openSamlVersion=4.0.1
instead of this outdated version
openSamlVersion=3.4.6
https://github.com/spring-projects/spring-security/blob/6ce6a1a55ea86b4607dad67fcf7cbda8d3b2b938/gradle.properties#L5
And this version bump would bring this repo to a better place, using a more up to date version of OpenSAML to its vast number of users?
Comment From: sjohnr
I believe Spring Security supports both OpenSAML 3 and 4. Is this what you're thinking of?
https://github.com/spring-projects/spring-security/blob/ce720ad38e99e3b27a318dba8f8f16befa4da176/saml2/saml2-service-provider/spring-security-saml2-service-provider.gradle#L53
Comment From: patpatpat123
If I can ask this question, sorry for not understanding.
"Spring Security supports both OpenSAML 3 and 4" "these appear to be based on an OpenSAML version that is EOL. It's recommended that you use the latest supported OpenSAML"
May I ask why Spring Security would support both OpenSAML 3 and 4, knowing OpenSAML 3 is EOL and contains several known vulnerabilities, please?