SOLVED

Apache Sling Commons JSON Library 2.0.20 vulnerability (CVE-2022-47937) from aem-mock.core/5.2.2 and cq-wcm-foundation/5.6.4

Level 1

Hello AEM advisors and all,

We have a vulnerability of Apache Sling Commons JSON Library v 2.0.20 reported by our vulnerability scan and our team needs to resolve it. This vulnerability is CVE-2022-47937 (https://www.cve.org/CVERecord?id=CVE-2022-47937). Please see the list of dependencies of Apache Sling Commons JSON Library here. 

https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.commons.json/2.0.20

Root Cause: It looks like this vulnerability is coming from these 2 components which belong to Adobe Experience Manager.

1) aem-mock.core/5.2.2 

https://mvnrepository.com/artifact/com.day.cq.wcm/cq-wcm-foundation/5.6.4

We can see that https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.commons.json/2.0.20 is a transitive dependency of https://mvnrepository.com/artifact/io.wcm/io.wcm.testing.aem-mock.core/5.2.2, which is a transitive dependency of https://mvnrepository.com/artifact/io.wcm/io.wcm.testing.aem-mock.junit5/5.2.2.

2) cq-wcm-foundation/5.6.4

https://mvnrepository.com/artifact/io.wcm/io.wcm.testing.aem-mock.core/5.2.2

We can see that https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.commons.json/2.0.20 is a transitive dependency of https://mvnrepository.com/artifact/com.day.cq.wcm/cq-wcm-foundation/5.6.4

Does Adobe have a release timeline on when we can expect the Apache Sling Commons JSON Library vulnerability to be fixed (perhaps by replacing org.apache.sling.commons.json/2.0.20 with org.apache.sling.commons.johnzon/1.2.14) in the above 2 components? Thanks in advance for your answers!

1 Accepted Solution

Correct answer by
Employee Advisor

Please direct these types of questions to Adobe support.

* First, this is the way you get an official Adobe response. In this forum no one can speak for Adobe, but it's just individual responses.

* Secondly, any kind of security-related discussions should be dealt with directly with Adobe support, as there you can expect responses according to the SLA, while here in the forums it is best effort. Also please provide accurate version information (for example which AEM version and which service pack you have deployed).

To add some context to your question:

* The aem-mock library is not maintained by Adobe, but by the wcm.io project. Please direct this question to them.

* You cannot rely on the POM information only; as AEM uses OSGi under the hood, listed bundle versions normally list just the minimal package version and more often newer versions are installed and used. So while the bundle can still reference an older vulnerable version (and would work with it), AEM ships with a new version which does not have that vulnerability anymore. For that reason the results of those simple scans are often misleading. You always need to double-check what is actually deployed within your AEM instance.

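One way to carry out the check the accepted answer recommends, as an added example (not code from this thread, Adobe or wcm.io): it compares the version a POM-based scan flagged with what an OSGi bundle inventory reports as installed. It assumes an inventory in the JSON shape served by the Apache Felix web console at `/system/console/bundles.json`; the sample inventory, its version numbers and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of the Felix web console bundle list
# (/system/console/bundles.json). Versions are illustrative, not real AEM data.
SAMPLE_INVENTORY = json.dumps({
    "status": "Bundle information: 3 bundles in total.",
    "data": [
        {"id": 0, "symbolicName": "org.apache.felix.framework",
         "version": "7.0.5", "state": "Active"},
        {"id": 41, "symbolicName": "org.apache.sling.commons.johnzon",
         "version": "1.2.14", "state": "Active"},
        {"id": 42, "symbolicName": "org.apache.sling.commons.json",
         "version": "2.0.99.CONSTRUCTED", "state": "Active"},
    ],
})


def deployed_bundles(inventory_json, symbolic_name):
    """Return [(version, state)] for every installed bundle with this symbolic name."""
    data = json.loads(inventory_json).get("data", [])
    return [(b.get("version", "?"), b.get("state", "?"))
            for b in data if b.get("symbolicName") == symbolic_name]


def triage(flagged_name, flagged_version, inventory_json):
    """Classify a POM-based scanner finding against what is actually installed."""
    found = deployed_bundles(inventory_json, flagged_name)
    if not found:
        # Nothing with that symbolic name is installed in this inventory.
        return "not-deployed", found
    if any(version == flagged_version for version, _ in found):
        return "flagged-version-deployed", found
    # The POM names one version, the running instance carries another:
    # assess the installed version, not the one listed in the POM.
    return "different-version-deployed", found


if __name__ == "__main__":
    # Assumption: the bundle symbolic name equals the Maven artifactId.
    for name, version in [("org.apache.sling.commons.json", "2.0.20"),
                          ("io.wcm.testing.aem-mock.core", "5.2.2")]:
        verdict, found = triage(name, version, SAMPLE_INVENTORY)
        print(f"{name} {version}: {verdict} {found}")
```

Run it against an inventory exported from the instance in question rather than the constructed sample.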

3 Replies

Community Advisor

@kautuk_sahni Can you get Adobe Internal suggestion on this?

Level 1

@Jörg_Hoh - We really appreciate your response and direction. Thank you so much!