Apache Sling Commons JSON Library 2.0.20 vulnerability (CVE-2022-47937) from aem-mock.core/5.2.2 and cq-wcm-foundation/5.6.4 | Community
Skip to main content
N
NokAr
July 12, 2023
Solved

Apache Sling Commons JSON Library 2.0.20 vulnerability (CVE-2022-47937) from aem-mock.core/5.2.2 and cq-wcm-foundation/5.6.4

  • July 12, 2023
  • 2 replies
  • 1381 views

Hello AEM advisors and all,

 

We have a vulnerability of Apache Sling Commons JSON Library v 2.0.20 reported by our vulnerability scan and our team needs to resolve it. This vulnerability is CVE-2022-47937 (https://www.cve.org/CVERecord?id=CVE-2022-47937). Please see the list of dependencies of Apache Sling Commons JSON Library here. 

https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.commons.json/2.0.20

 

Root Cause: It looks like this vulnerability is coming from these 2 components which belong to Adobe Experience Manager.

 

1) aem-mock.core/5.2.2 

https://mvnrepository.com/artifact/com.day.cq.wcm/cq-wcm-foundation/5.6.4

We can see that the https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.commons.json/2.0.20 is a transitive of https://mvnrepository.com/artifact/io.wcm/io.wcm.testing.aem-mock.core/5.2.2 which is a transitive of https://mvnrepository.com/artifact/io.wcm/io.wcm.testing.aem-mock.junit5/5.2.2.

 

2) cq-wcm-foundation/5.6.4

https://mvnrepository.com/artifact/io.wcm/io.wcm.testing.aem-mock.core/5.2.2

We can see that the https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.commons.json/2.0.20 is a transitive of https://mvnrepository.com/artifact/com.day.cq.wcm/cq-wcm-foundation/5.6.4

 

Does Adobe have a release timeline on when we can expect the Apache Sling Commons JSON Library vulnerability to be fixed (perhaps by replacing org.apache.sling.commons.json/2.0.20 with org.apache.sling.commons.johnzon/1.2.14) in the above 2 components? Thanks in advance for your answers!

    This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
    Best answer by joerghoh

    Please direct these types of questions to Adobe support.

    * First, this is the way you get an official Adobe response. In this forum no one can speak for Adobe, but it's just individual responses.

    * Secondly, any kind of security related discussions should be dealt with directly with Adobe support, as there you can expect responses according to the SLA, while here in the forums it is best effort. Also please provide accurate version information (for example which AEM version and which servicepack you have deployed).

     

    To add some context to your question:

    * the aem-mock library  is not maintained by Adobe, but by the wcm.io project. Please direct this question to them.

    * You cannot rely on the pom information only; as AEM uses OSGI under the hoods, listed bundle versions normally list just the minimal package version and more often newer versions are installed and used. So while the bundle can still reference an older vulnerable version (and would work with it), AEM ships with a new version which does not have that vulnerability anymore. For that reason the results of those simple scans are often misleading. You always need to doublecheck what is actually deployed within your AEM instance.

     

    2 replies

    Shashi_Mulugu
    Community Advisor
    Shashi_MuluguCommunity Advisor
    Community Advisor
    July 17, 2023

    @kautuk_sahni Can you get Adobe Internal suggestion on this?

      joerghoh
      Adobe Employee
      joerghohAdobe EmployeeAccepted solution
      Adobe Employee
      July 17, 2023

      Please direct these types of questions to Adobe support.

      * First, this is the way you get an official Adobe response. In this forum no one can speak for Adobe, but it's just individual responses.

      * Secondly, any kind of security related discussions should be dealt with directly with Adobe support, as there you can expect responses according to the SLA, while here in the forums it is best effort. Also please provide accurate version information (for example which AEM version and which servicepack you have deployed).

       

      To add some context to your question:

      * the aem-mock library  is not maintained by Adobe, but by the wcm.io project. Please direct this question to them.

      * You cannot rely on the pom information only; as AEM uses OSGI under the hoods, listed bundle versions normally list just the minimal package version and more often newer versions are installed and used. So while the bundle can still reference an older vulnerable version (and would work with it), AEM ships with a new version which does not have that vulnerability anymore. For that reason the results of those simple scans are often misleading. You always need to doublecheck what is actually deployed within your AEM instance.

       

        N
        NokArAuthor
        July 17, 2023

         @joerghoh - We really appreciate your response and direction. Thank you so much!

          Terms & ConditionsAccessibility statement

          Loading footer...