CVE-2024-21742

[Alex-Kidston]

Hi - CVE-2024-21742 is outstanding for the apache-mime4j-core dependency to move to v0.8.10 - is there a targeted fix version? thanks in advance...

[sberyozkin]

@Alex-Kidston Hi, I believe Quarkus does not use MIME4J DOM anywhere

[Alex-Kidston]

@sberyozkin unfortunately, I can see the apache-mime4j v0.8.9 dependency here:
quarkus-bom
I think that's where our mend scanning is finding it...

[sberyozkin]

@Alex-Kidston We'll probably need to silence the various scanners with the version bump, but Quarkus itself does not use that code AFAIK

[Alex-Kidston]

@sberyozkin completely understand...yes, mend is pretty unforgiving...if a dependency is mentioned, it's evaluated for CVE's...thanks for investigating!

[Alex-Kidston]

Resolved by this PR

[Alex-Kidston]

@sberyozkin I hate to say it, but even after pulling in 3.9.1, we're seeing the apache-mime4j-core v0.8.9 as a dependency - here's the gradle scan output:

compileClasspath
0.058s
org.apache.james:apache-mime4j-core:0.8.9
quarkusDevBaseRuntimeClasspathConfiguration
0.016s
org.apache.james:apache-mime4j-core:0.8.9
quarkusProdBaseRuntimeClasspathConfiguration
0.254s
org.apache.james:apache-mime4j-core:0.8.9
quarkusProdRuntimeClasspathConfiguration
0.048s
org.apache.james:apache-mime4j-core:0.8.9
quarkusProdRuntimeClasspathConfigurationDeployment
0.697s
org.apache.james:apache-mime4j-core:0.8.9
runtimeClasspath
0.041s
org.apache.james:apache-mime4j-core:0.8.9

All of our build.gradle quarkus dpendencies are set to 3.9.1 - is there something we're missing? thanks as ever for your help...

[gsmet]

I see it in the core BOM but I don't see it in the Platform BOM, which is a bit weird.

We will need @aloubyansky to have a look at what's going on.

[aloubyansky]

If it's not in the platform BOM it means the version constraint is invalid and was filtered out.

<dependency>
  <groupId>org.apache.james</groupId>
  <artifactId>apache-mime4j</artifactId>
  <version>0.8.11</version>
</dependency>

implies it's a JAR artifact. There is no such JAR artifact though. https://repo1.maven.org/maven2/org/apache/james/apache-mime4j/0.8.11/

[sberyozkin]

Thanks @aloubyansky @gsmet, I should've checked it.
https://repo1.maven.org/maven2/org/apache/james/apache-mime4j/0.8.9/ does not have it either though, and in 0.8.10, inside the zip file they have apache-mime4j-dom-0.8.10.jar. So I'm not sure what should be done but can revert #39679 if you'd like.

[aloubyansky]

The following org.apache.james artifacts are found among our dependencies:

↳ org.apache.james:apache-mime4j-dom:0.8.9
↳ org.apache.james:apache-mime4j-storage:0.8.9
↳ org.apache.james:apache-mime4j-core:0.8.9

We could add all of the above to the BOM and remove apache-mime4.

[sberyozkin]

@aloubyansky Thanks, I can try to handle it during the next few days to fix my earlier PR, definitely before the next 3.9.x

[Alex-Kidston]

@sberyozkin issue resolved on our end, whitesource scan is clean - thank you for your help!

[sberyozkin]

Thanks @Alex-Kidston, and @aloubyansky for recommending the right fix