Sent vulnerability fixes to scanners so that they won't show up again. #16341

wendycwong opened this issue Jul 29, 2024 · 4 comments

wendycwong commented Jul 29, 2024

We have fixed a number of vulnerabilities reported, not by upgrading the dependencies version but rather in our own code. However, these kinds of fixes will not be recognized by the scanners and will show up again and again. @tomkraljevic suggested that we should report these kinds of fixes back to the scanners so that the scanners can be fixed and the fixed vulnerabilities will not come back on their scan.

Here is a list of the fixed vulnerabilities that have been fixed:

  1. CVE-2023-6038,
  2. CVE-2023-6569,
  3. CVE-2024-5986
     Items 1/2/3 concern the access of any directory for read and write by bad actors. It is resolved by (@krasinski) adding a parameter -file_deny_glob that can be used to define restricted locations by the system administrators. It currently defaults to {/bin/, /etc/, /var/, /usr/, /proc/*, /.}.
  4. CVE-2023-6016 is about remote code execution. @mn-mikke introduced a Java Property that disables POJO import (defaults to disabled) to avoid remote code execution.
  5. CVE-2024-5979: AstRunTool.java crashes the h2o-3 cluster. This is not true. I was not able to reproduce it. Added a test to make sure this continues to be the case, i.e. that AstRunTool.java with a bad command will not crash it.

Discussed with @mmalohlava and he proposed that I should talk to Andrew Heath and David Epperson with these.
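The deny-list mitigation described in items 1/2/3 can be illustrated with an added Python example; this is not H2O-3's own code, and the matching rules it uses are assumptions chosen for illustration: entries containing glob characters are matched with shell-style globs, all other entries are treated as path prefixes, and requested paths are lexically normalized before comparison so traversal sequences cannot escape the list.

```python
import fnmatch
import os

# Default deny list quoted in the issue; the matching rules below are assumed
# for illustration and are not the project's implementation.
DEFAULT_DENY_GLOBS = ["/bin/", "/etc/", "/var/", "/usr/", "/proc/*", "/."]


def normalize(path):
    """Collapse '.', '..' and repeated separators into an absolute path.

    Done lexically, so a request like '/data/../../etc/passwd' is compared
    as '/etc/passwd'. Symlinks are not followed here; a server-side check
    should additionally resolve them (e.g. os.path.realpath) before comparing.
    """
    return os.path.normpath(os.path.join("/", path))


def denied_by(path, deny_globs=DEFAULT_DENY_GLOBS):
    """Return the deny entry that covers `path`, or None if the path is allowed.

    Entries containing glob characters are matched with fnmatch; all other
    entries are treated as prefixes, so '/etc/' covers '/etc' and '/etc/passwd'
    but not '/etcetera', and '/.' covers any dot-entry directly under '/'.
    """
    p = normalize(path)
    for pattern in deny_globs:
        if any(ch in pattern for ch in "*?["):
            if fnmatch.fnmatchcase(p, pattern):
                return pattern
        elif (p + "/").startswith(pattern):
            return pattern
    return None


def is_denied(path, deny_globs=DEFAULT_DENY_GLOBS):
    return denied_by(path, deny_globs) is not None


if __name__ == "__main__":
    # Constructed sample requests, as a file import/export endpoint might receive
    for req in ["/home/user/data.csv", "/etc/passwd", "/data/../../etc/shadow",
                "/proc/self/environ", "/.config", "/etcetera/data.csv"]:
        hit = denied_by(req)
        print(f"{req:28} -> {'DENY by ' + hit if hit else 'allow'}")
```

Note that a prefix list like this only restricts what the server process will open on behalf of a caller; it does not replace running the service under a least-privilege account whose filesystem permissions enforce the same boundary.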

@wendycwong wendycwong self-assigned this Jul 29, 2024
@wendycwong

Sent a Slack message to @mmalohlava, David and Andrew:

wendy 9:34 AM
Hi @David Epperson and @Andrew Heath: We have fixed a bunch of H2O-3 vulnerabilities inside our code instead of changing library dependencies. Hence, these kinds of fixes will continue to show up on the scans as we are still using the same libraries that have the vulnerabilities. @tomk suggested that I should report these fixes to the people making the scans so that our fixed vulnerabilities will not show up again. Michal suggested that I should contact you guys for help in this regard. I have reported the fixed vulnerabilities here in this issue: #16341. I am copying them over here as well so that you don't have to look at the issue if you do not want to: We have fixed a number of vulnerabilities reported, not by upgrading the dependencies version but rather in our own code. However, these kinds of fixes will not be recognized by the scanners and will show up again and again. @tomkraljevic suggested that we should report these kinds of fixes back to the scanners so that the scanners can be fixed and the fixed vulnerabilities will not show up again on their scan.
Here is a list of the fixed vulnerabilities that have been fixed:
  1. CVE-2023-6038,
  2. CVE-2023-6569,
  3. CVE-2024-5986
     Items 1/2/3 concern the access of any directory for read and write by bad actors. It is resolved by (@krasinski) adding a parameter -file_deny_glob that can be used to define restricted locations by the system administrators. It currently defaults to {/bin/, /etc/, /var/, /usr/, /proc/*, /.}.
  4. CVE-2023-6016 is about remote code execution. @mn-mikke introduced a Java Property that disables POJO import (defaults to disabled) to avoid remote code execution.
9:35
Please advise on how to proceed to remove us from the scans for CVE-2023-6038, CVE-2023-6569, CVE-2024-5986, CVE-2023-6016. Thanks, Wendy

@wendycwong
Copy link
Contributor Author

Current suggestion from @andrewheath09 :
[image: screenshot of the suggestion, not included]

@wendycwong

Had a conversation with @codyharris-h2o-ai, and he presented me with a spreadsheet of h2o-3 vulnerabilities. I need to do the following:

Please let me know:
  1. The PRs which mitigated the vulnerabilities and/or a link to the mitigation in our code
  2. Which CVE(s) have been mitigated
  3. Which image(s) the mitigations have been applied to
9:38
Our scanning pipelines consume a YAML specification for images, which contains a list of mitigations and their reason. If a customer reports a CVE, we have the mitigation on file and have auditable evidence to present.

@wendycwong

@valenad1 has sent information to hunter about our custom fixes and they have replied back asking for commits and more information. He will send them everything they need after Sept 16, 2024.
