Killbill security issues

[Mahmmoud Rashed]

Hello dears, when scanning the killbill container I can find multiple vulnerabilities like the attached, and they are mostly related to " killbill-flyway.jar"

Is there any schedule to upgrade those libraries and avoid those vulnerabilities?

[Pierre-Alexandre Meyer]

Thanks for the report. We'll take a look at it next time we upgrade the dependencies (likely next year).

Most of these scans typically highlight false positives, the vast majority of CVE don't apply to us. Is this a blocker for your deployment?

On Tue, Dec 3, 2024 at 3:58 PM Mahmmoud Rashed <m.ras...@gmail.com> wrote:

Hello dears, when scanning the killbill container I can find multiple vulnerabilities like the attached, and they are mostly related to " killbill-flyway.jar"

Is there any schedule to upgrade those libraries and avoid those vulnerabilities?

--
You received this message because you are subscribed to the Google Groups "Kill Bill users mailing-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to killbilling-us...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/killbilling-users/bd762dcb-bf07-4de1-a1db-00fb59eec283n%40googlegroups.com.

--

Pierre

[Mahmmoud Rashed]

Hello Pierre,

     The only one that is a blocker is the below:



Type:
maven

Location:

/opt/killbill-flyway.jar:org.redisson:redisson

/var/lib/killbill/killbill-flyway.jar:org.redisson:redisson

CVE-2023-42809⁠

CWE-502

9.4c

Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in. Version 3.22.0 contains a patch for this issue.

Some post-fix advice is available. Do NOT use Kryo5Codec as deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the setRegistrationRequired(false) call. On the contrary, KryoCodec is safe to use. The fix applied to SerializationCodec only consists of adding an optional allowlist of class names, even though making this behavior the default is recommended. When instantiating SerializationCodec please use the SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses) constructor to restrict the allowed classes for deserialization.

CVSS Score:
9.4
EPSS Score⁠:

0.00204 (0.592)

CVSS Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected range:
<3.22.0
Fix version:
3.22.0
Publish date:
2024-08-05

[Mahmmoud Rashed]

Hello Dears,

    Do you still consider to upgrade the flyway.jar as it has a lot of deprecated libraries that affected the security scan.

[Vijay]

This has been addressed, and you can expect the killbill-flyway upgrade in the next Kill Bill release.

[Mahmmoud Rashed]

Hello Dears, Was this address included in the release of the 7th of February?

[Mahmmoud Rashed]

Hello dears, any update about killbill-flyway.jar security fixes?

[karan bansal]

Hi Rashed,

I checked with the Devs about this. It will be part of the next Kill Bill release.

Regards

Karan