Managed dependency removal because of security issues.

The direct managed dependency net.sf.ehcache:ehcache:2.10.6 is affected by several CVEs regarding jackson-databind version 2.9.6, which is re-packaged in ehcache.

Because the ehcache 2.x branch is not maintained anymore and ehcache 3.x is already part of Spring Dependency Management, the proposal is to remove net.sf.ehcache:ehcache:2.10.6 from dependency management with the next Spring Boot Dependencies version (2.2.x).

Further links:

GitHub: https://github.com/ehcache

Svn: http://svn.terracotta.org/svn/ehcache/tags/ehcache-2.10.6/

Official (but deactivated) Bug Jira: https://jira.terracotta.org/jira/browse/EHC

<dependency>
    <groupId>net.sf.ehcache</groupId>
    <artifactId>ehcache</artifactId>
    <version>${ehcache.version}</version>
</dependency>

Comment From: wilkinsona

Thanks for the suggestion. To allow us to make an informed decision, can you please share some information about why Ehcache is vulnerable? As far as I know, Jackson has to be used and configured in a certain way to cause a vulnerability.

Comment From: mibo

Thanks for the feedback. Yes, ehcache is vulnerable only because of the polymorphic typing and deserialisation issues of jackson-databind. And yes, it must be used in a certain way and I do not know yet if this is the case in ehcache. But as ehcache 2.x is no longer under development and perhaps also not maintained anymore, and with ehcache 3.x a successor is already available, I think it would be a good decision to remove the old version from Spring Boot dependency management (>= 2.2.x).

Btw. I also tried in parallel to contact the ehcache developers but have not got a response yet. As soon as I get updates from them I will write it here.

List of current vulnerabilities in the used jackson-databind version:

- https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9.1
- https://nvd.nist.gov/vuln/detail/CVE-2019-12384
- https://nvd.nist.gov/vuln/detail/CVE-2019-12814
- https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9
- https://nvd.nist.gov/vuln/detail/CVE-2019-12086
- https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
- https://nvd.nist.gov/vuln/detail/CVE-2018-19360
- https://nvd.nist.gov/vuln/detail/CVE-2018-19361
- https://nvd.nist.gov/vuln/detail/CVE-2018-19362
- https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7
- https://nvd.nist.gov/vuln/detail/CVE-2018-14718
- https://nvd.nist.gov/vuln/detail/CVE-2018-14721

Comment From: wilkinsona

Thanks. Until we know that it is vulnerable, I don't think Ehcache 2's usage of Jackson is sufficient reason to consider removing support for it from Spring Boot. Ehcache 2 is still supported by other components, such as Hibernate 5.4, that Boot integrates with.

Ehcache 2.x having officially reached its end of life would, I think, be a more compelling reason to remove it. We did something similar in the past for Log4j 1 for example. However, I have been unable to find such an announcement. Are you aware of one?

Comment From: lorban

Hey all,

(writing this with my official Ehcache dev hat on)

Ehcache 2.x is still supported, but is considered legacy that should be migrated away from. We don't recommend building any new application with it, so removing its support from the Spring suite in favor of Ehcache 3.x definitely makes sense.

Regarding the CVEs, the Jackson classes are only ever loaded if you configure your cache manager with the web management feature, which is disabled by default, i.e.: those vulnerabilities cannot be exploited by default, and we're (slowly) working on ironing them out too.

Comment From: mibo

Hi @lorban ,

Thanks a lot for this information, really appreciate it.

My assumption was, based on this line

...as Ehcache 2.x will slowly retire.

which was from July last year (see https://github.com/ehcache/ehcache-jcache), that 2.x is not maintained anymore.

Regarding the CVEs, the Jackson classes are only ever loaded if you configure your cache with the web management feature, which is disabled by default, i.e.: those vulnerabilities cannot be exploited by default, and we're (slowly) working on ironing them out too.

Thanks also a lot for this information. This helps me a lot regarding security scans and assessments.

Nevertheless, I think dropping support (as a direct managed dependency) for ehcache 2.x is still a good idea. A bit as mentioned by Ludovic:

...legacy that should be migrated away from...

Regards, Michael

Comment From: philwebb

All things considered, we've decided that we're not yet ready to drop Ehcache 2.x support. We can reconsider when there's an official EOL announcement from the Ehcache team.

Comment From: mibo

Still, I think it is a good idea to drop it with Spring Boot 2.2, as it is already legacy that should be migrated away from. But thanks to all for taking it up and having a look into it. Special thanks also to @lorban for his insights and info as Ehcache dev 🙂

Comment From: sourabhsparkala

Adding more releases of Jackson with vulnerabilities to this already existing list:

  • https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9.3 -- https://nvd.nist.gov/vuln/detail/CVE-2019-14540

Comment From: rahulkiit

Hi @lorban, can you point me to some code showing how to configure your cache manager with the web management feature enabled? I am unable to find info on the internet.

Comment From: rahulkiit

To answer my own query: having the following code in ehcache.xml enables the web monitoring:

<cacheManagerPeerListenerFactory
    class="org.terracotta.ehcachedx.monitor.probe.ProbePeerListenerFactory"
    properties="monitorAddress=localhost, monitorPort=9889, memoryMeasurement=true" />

https://confluence.terracotta.org/display/docs/Ehcache+Monitor
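As an added example (not code from the thread or from the Ehcache project): a small audit script that reads an ehcache.xml and reports whether the monitor probe listener, the feature that causes the bundled Jackson classes to be loaded, is configured. The element and class names are the ones quoted in the thread; the two sample configurations are constructed for the example.

```python
"""Audit an Ehcache 2.x ehcache.xml for the web-management monitor probe.

Added example, not from the thread or the Ehcache project. The
cacheManagerPeerListenerFactory class name comes from the thread;
the sample XML documents below are constructed here.
"""
import xml.etree.ElementTree as ET

# Listener factory that enables the Ehcache Monitor probe (quoted in the thread).
PROBE_FACTORY = "org.terracotta.ehcachedx.monitor.probe.ProbePeerListenerFactory"


def _local(tag):
    """Strip an XML namespace prefix ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def parse_properties(text):
    """Parse Ehcache's 'key=value, key2=value2' factory properties into a dict."""
    props = {}
    for part in (text or "").split(","):
        if "=" in part:
            key, _, value = part.partition("=")
            props[key.strip()] = value.strip()
    return props


def find_monitor_probe(xml_text):
    """Return the probe's properties if the monitor listener is configured,
    else None. Matches on local tag name so a default namespace does not
    hide the element."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) != "cacheManagerPeerListenerFactory":
            continue
        if el.get("class") == PROBE_FACTORY:
            return parse_properties(el.get("properties"))
    return None


# Constructed sample: a default configuration without the monitor probe.
DEFAULT_CONFIG = """<ehcache>
  <defaultCache maxEntriesLocalHeap="100" eternal="false"/>
</ehcache>"""

# Constructed sample: the probe listener as shown in the thread.
MONITORED_CONFIG = """<ehcache>
  <cacheManagerPeerListenerFactory
      class="org.terracotta.ehcachedx.monitor.probe.ProbePeerListenerFactory"
      properties="monitorAddress=localhost, monitorPort=9889, memoryMeasurement=true"/>
  <defaultCache maxEntriesLocalHeap="100" eternal="false"/>
</ehcache>"""

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("monitored", MONITORED_CONFIG)):
        probe = find_monitor_probe(cfg)
        status = "monitor probe ENABLED (Jackson loaded)" if probe else "no monitor probe"
        print(f"{name}: {status}", probe or "")
```

Point the script at your own ehcache.xml files to confirm whether the Jackson code path is actually reachable before treating a scanner hit on the bundled jackson-databind as exploitable.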