CS 305 Module Two Coding Assignment - Tolentino

School: Southern New Hampshire University
Course: CS 305
Subject: Computer Science
Date: Feb 20, 2024
Type: docx (4 pages)

CS 305 Module Two Coding Assignment Template

Instructions: Replace the bracketed text with the relevant information in your own words. If you choose to include images or supporting materials, make certain to insert them in all the relevant locations in the document.

1. Run Dependency Check

2. Document Results

hibernate-validator-6.0.18.Final.jar
Description: Hibernate's Bean Validation (JSR-380) reference implementation.
License: http://www.apache.org/licenses/LICENSE-2.0.txt

jackson-databind-2.10.2.jar
Description: General data-binding functionality for Jackson: works on core streaming API
License: http://www.apache.org/licenses/LICENSE-2.0.txt

log4j-api-2.12.1.jar
Description: The Apache Log4j API
License: https://www.apache.org/licenses/LICENSE-2.0.txt

logback-core-1.2.3.jar
Description: logback-core module
License: http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html

mongo-java-driver-2.4.jar
Description: Java Driver for MongoDB
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

snakeyaml-1.25.jar
Description: YAML 1.1 parser and emitter for Java
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

spring-boot-2.2.4.RELEASE.jar
Description: Spring Boot
License: Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0

spring-boot-starter-web-2.2.4.RELEASE.jar
Description: Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container
License: Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0

spring-core-5.2.3.RELEASE.jar
Description: Spring Core
License: Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0

spring-web-5.2.3.RELEASE.jar
Description: Spring Web
License: Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0

spring-webmvc-5.2.3.RELEASE.jar
Description: Spring Web MVC
License: Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0

tomcat-embed-core-9.0.30.jar
Description: Core Tomcat implementation
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

tomcat-embed-websocket-9.0.30.jar
Description: Core Tomcat implementation
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

3. Analyze Results

Running a dependency check will turn up some false positives. Dependency-Check identifies each jar by matching evidence from its file name, manifest and POM against CPE entries in the NVD, so a library can be associated with a CVE that does not apply to the version, or to the feature, actually in use. These findings are still worth investigating, because they show what the program depends on, but they do not indicate an immediate security risk. Verifying and suppressing them keeps the report focused on the larger, more serious risks in the program.

Most of the findings below are corrected by upgrading the affected library to a current, patched release.
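As an added example that is not part of the original assignment, this is how a verified false positive is filtered so it stops crowding out real findings: an OWASP Dependency-Check suppression file. It targets the mongo-java-driver finding documented in the results that follow, whose summary describes a client-side field level encryption (CSFLE) issue that cannot apply to a 2.4 driver, since that driver line has no CSFLE support at all. The assignment text does not name the CVE; the identifier CVE-2021-20328 is supplied here from the quoted NVD description. The file name, the reviewer placeholders and the expiry date are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml: file name is an assumption and must match
     the suppressionFile configured for the Maven plugin or the CLI's
     suppression flag. Added example, not part of the original assignment. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- A suppression should record WHY the finding is wrong, WHO decided, and WHEN
       it must be re-reviewed. 'until' makes the suppression expire: after that
       date the finding reappears in the report and forces a second look. -->
  <suppress until="2024-12-31Z">
    <notes><![CDATA[
      False positive: CVE-2021-20328 concerns KMS certificate hostname verification
      in the client-side field level encryption (CSFLE) support, which was added
      in the 3.11 driver line. mongo-java-driver 2.4 contains no CSFLE code.
      Reviewed by: <reviewer name>, <date>   (placeholders)
      The driver is still years out of date and is tracked separately for an upgrade.
    ]]></notes>

    <!-- Scope the suppression tightly: only this artifact, only the 2.x line.
         A packageUrl without the version would silently hide the same CVE after
         an upgrade to a genuinely affected 3.11.x or 3.12.x driver. -->
    <packageUrl regex="true">^pkg:maven/org\.mongodb/mongo-java-driver@2\..*$</packageUrl>

    <!-- Suppress exactly one CVE rather than the whole CPE match, so any other
         finding against this jar still shows up in the report. -->
    <cve>CVE-2021-20328</cve>
  </suppress>

</suppressions>
```

The pattern generalises to every false positive in the list: one suppress element per verified finding, scoped to the artifact and version, naming the single CVE, with a justification in the notes and an expiry date so the decision is revisited.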
hibernate-validator-6.0.18.Final.jar
Summary: A flaw was found in Hibernate Validator (reported against version 6.1.2.Final, and matched by the scanner to the 6.0.18.Final jar in this project). A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This allows attackers to bypass input sanitation controls (escaping, stripping) that developers may have put in place when handling user-controlled data in error messages.
Remediation: Do not place user-controlled data directly in a constraint violation message template. Pass it as an expression variable instead, by unwrapping the context to HibernateConstraintValidatorContext and calling addExpressionVariable, or upgrade to a current release.

jackson-databind-2.10.2.jar
Summary: A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This exposes the application to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity.
Remediation: Upgrade to a patched jackson-databind release.

log4j-api-2.12.1.jar
Summary: Improper validation of the certificate with host mismatch in the Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that appender.
Remediation: Upgrade to a patched release. Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections. Note that the SMTP appender ships in log4j-core, which does not appear in the dependency list above; if only log4j-api is on the classpath the appender cannot be configured, and this match should be reviewed as a probable false positive.

logback-core-1.2.3.jar
Summary: An attacker with the privileges required to edit configuration files could craft a malicious configuration that executes arbitrary code loaded from an LDAP server.
Remediation: Update to the latest logback-core.

mongo-java-driver-2.4.jar
Summary: Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server's certificate.
Remediation: The advisory notes that some environments (it names AWS, GCP and Azure) are not affected, and that driver workloads that do not use Field Level Encryption are also not affected. The 2.4 driver predates CSFLE entirely (the feature arrived in the 3.11 line), so this match should be verified as a likely false positive of the kind described above. The driver's age still argues for an upgrade.

snakeyaml-1.25.jar
Summary: The Alias feature in SnakeYAML (reported against 1.18) allows entity expansion during a load operation, an issue related to CVE-2003-1564 (the "billion laughs" expansion attack).
Remediation: Update to the latest SnakeYAML.

spring-boot-2.2.4.RELEASE.jar
Summary: In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass.
Remediation: Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+; 2.7.x users should upgrade to 2.7.11+; users of older, unsupported versions, which includes 2.2.4.RELEASE, should upgrade to 3.0.6+ or 2.7.11+.

spring-boot-starter-web-2.2.4.RELEASE.jar
Summary: Same finding as spring-boot-2.2.4.RELEASE.jar; the starter is versioned together with Spring Boot itself.
Remediation: Same as above; upgrading Spring Boot addresses both.
spring-web-5.2.3.RELEASE.jar
Summary: Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data.
Remediation: Do not use the framework to deserialize untrusted data, and upgrade to Spring Framework 6.0 or later, where the remoting support involved has been removed.

spring-webmvc-5.2.3.RELEASE.jar
Summary: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment.
Remediation: If the application is deployed as a Spring Boot executable jar (the default), it is not vulnerable to the known exploit. However, the nature of the vulnerability is more general and there may be other ways to exploit it, so these preconditions only describe when the published exploit fails; the fix is to upgrade Spring Framework (or the Spring Boot release that manages it) to a patched version.

spring-core-5.2.3.RELEASE.jar
Summary: In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against reflected file download (RFD) attacks from CVE-2015-5211 may be bypassed, depending on the browser used, through the use of a jsessionid path parameter.
Remediation: Update to the latest version.

tomcat-embed-core-9.0.30.jar
Summary: Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:
- Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
Remediation: Update to a current version.

tomcat-embed-websocket-9.0.30.jar
Summary: Same finding as tomcat-embed-core-9.0.30.jar; the websocket jar is matched to the same Tomcat release.
Remediation: Same as above; the embedded Tomcat jars are versioned together and are upgraded together.
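As an added example that is not part of the original assignment, the pom.xml excerpt below shows step 1 and the upgrade remediation in one place: the dependency-check-maven plugin wired into the build so the scan runs on every verify, and the Spring Boot parent moved from 2.2.4.RELEASE to 2.7.11, the 2.7 floor named in the Cloud Foundry advisory above. The project coordinates, the suppression file name and the NVD_API_KEY environment variable are placeholders; the plugin coordinates and parameter names are the real ones.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- pom.xml excerpt. Added example, not the assignment's own build file.
     Project coordinates below are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Raising the parent is the single change that lifts every library the
       parent manages: spring-boot and its starters, spring-core/web/webmvc,
       jackson-databind, snakeyaml, logback-core, log4j-api, hibernate-validator
       and the tomcat-embed-* jars. 2.7.11 is the 2.7 floor from the advisory. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.11</version>
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>                <!-- placeholder -->
  <artifactId>module-two-app</artifactId>       <!-- placeholder -->
  <version>0.0.1-SNAPSHOT</version>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <!-- No <version>: inherited from the parent, so a parent bump upgrades
           the starter and everything it pulls in. -->
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>9.0.9</version>
        <configuration>
          <!-- Fail the build when any unsuppressed finding scores CVSS 7 or higher,
               so a new high or critical CVE cannot slip through unnoticed. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Verified false positives live in a reviewed file, not in people's heads. -->
          <suppressionFiles>
            <suppressionFile>dependency-check-suppressions.xml</suppressionFile>  <!-- placeholder name -->
          </suppressionFiles>
          <!-- HTML for humans, JSON for tooling that tracks findings over time. -->
          <formats>
            <format>HTML</format>
            <format>JSON</format>
          </formats>
          <!-- 9.x pulls NVD data through the NVD API; a key avoids heavy rate limiting.
               The environment variable name is an assumption. -->
          <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running mvn verify executes the check goal in the verify phase and writes target/dependency-check-report.html and the matching .json; the build fails if an unsuppressed finding meets the CVSS threshold. Two findings from the list are not closed by this change alone: the spring-web deserialization issue, which the text notes is only resolved in Spring Framework 6.0, stays on the 5.3 line and is cleared only by moving to Spring Boot 3.0.6+ (which requires Java 17); and the legacy mongo-java-driver artifact, which should be checked with mvn dependency:tree to confirm whether the parent manages it or whether it needs its own explicit upgrade.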