Expand my Community achievements bar.

July 31st AEM Gems Webinar: Elevate your AEM development to master the integration of private GitHub repositories within AEM Cloud Manager.
SOLVED

Apache Sling Commons JSON Library 2.0.20 vulnerability (CVE-2022-47937) from aem-mock.core/5.2.2 and cq-wcm-foundation/5.6.4

Avatar

Level 1

Hello AEM advisors and all,

 

We have a vulnerability of Apache Sling Commons JSON Library v 2.0.20 reported by our vulnerability scan and our team needs to resolve it. This vulnerability is CVE-2022-47937 (https://www.cve.org/CVERecord?id=CVE-2022-47937). Please see the list of dependencies of Apache Sling Commons JSON Library here. 

https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.commons.json/2.0.20

 

Root Cause: It looks like this vulnerability is coming from these 2 components which belong to Adobe Experience Manager.

 

1) aem-mock.core/5.2.2 

https://mvnrepository.com/artifact/com.day.cq.wcm/cq-wcm-foundation/5.6.4

We can see that the https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.commons.json/2.0.20 is a transitive of https://mvnrepository.com/artifact/io.wcm/io.wcm.testing.aem-mock.core/5.2.2 which is a transitive of https://mvnrepository.com/artifact/io.wcm/io.wcm.testing.aem-mock.junit5/5.2.2.

 

2) cq-wcm-foundation/5.6.4

https://mvnrepository.com/artifact/io.wcm/io.wcm.testing.aem-mock.core/5.2.2

We can see that the https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.commons.json/2.0.20 is a transitive of https://mvnrepository.com/artifact/com.day.cq.wcm/cq-wcm-foundation/5.6.4

 

Does Adobe have a release timeline on when we can expect the Apache Sling Commons JSON Library vulnerability to be fixed (perhaps by replacing org.apache.sling.commons.json/2.0.20 with org.apache.sling.commons.johnzon/1.2.14) in the above 2 components? Thanks in advance for your answers!

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

Please direct these types of questions to Adobe support.

* First, this is the way you get an official Adobe response. In this forum no one can speak for Adobe, but it's just individual responses.

* Secondly, any kind of security related discussions should be dealt with directly with Adobe support, as there you can expect responses according to the SLA, while here in the forums it is best effort. Also please provide accurate version information (for example which AEM version and which servicepack you have deployed).

 

To add some context to your question:

* the aem-mock library  is not maintained by Adobe, but by the wcm.io project. Please direct this question to them.

* You cannot rely on the pom information only; as AEM uses OSGI under the hoods, listed bundle versions normally list just the minimal package version and more often newer versions are installed and used. So while the bundle can still reference an older vulnerable version (and would work with it), AEM ships with a new version which does not have that vulnerability anymore. For that reason the results of those simple scans are often misleading. You always need to doublecheck what is actually deployed within your AEM instance.

 

View solution in original post

3 Replies

Avatar

Community Advisor

@kautuk_sahni Can you get Adobe Internal suggestion on this?

Avatar

Correct answer by
Employee Advisor

Please direct these types of questions to Adobe support.

* First, this is the way you get an official Adobe response. In this forum no one can speak for Adobe, but it's just individual responses.

* Secondly, any kind of security related discussions should be dealt with directly with Adobe support, as there you can expect responses according to the SLA, while here in the forums it is best effort. Also please provide accurate version information (for example which AEM version and which servicepack you have deployed).

 

To add some context to your question:

* the aem-mock library  is not maintained by Adobe, but by the wcm.io project. Please direct this question to them.

* You cannot rely on the pom information only; as AEM uses OSGI under the hoods, listed bundle versions normally list just the minimal package version and more often newer versions are installed and used. So while the bundle can still reference an older vulnerable version (and would work with it), AEM ships with a new version which does not have that vulnerability anymore. For that reason the results of those simple scans are often misleading. You always need to doublecheck what is actually deployed within your AEM instance.

 

Avatar

Level 1

 @Jörg_Hoh - We really appreciate your response and direction. Thank you so much!