
0 votes
in Peer API by

Starting about two weeks ago, OWASP Dependency Check (via nvd-clojure) is reporting multiple CVEs on Datomic. It's in the package memcache-asg-java-client-1.1.0.36.jar (file path $HOME/.m2/repository/com/datomic/memcache-asg-java-client/1.1.0.36/memcache-asg-java-client-1.1.0.36.jar). They are reported as level "CRITICAL". The reported CVEs are:

Partial dependency tree (clojure -Stree):

[own code]
  . com.datomic/peer 1.0.7075
    . com.datomic/memcache-asg-java-client 1.1.0.36

At the very least I want to make sure that you're aware of this, and I'd also appreciate your advice on whether this is ACTUALLY an issue in Datomic context.

Thank you!

1 Answer

+1 vote
Best answer

Hi Stefan,

Thanks for letting us know. Memcache-java-asg is a fork of com.aws/elasticache-java-cluster-client which is a fork of spymemcached. You should feel free to exclude our dependency here as needed. You would only use this jar if you were using elasticache and auto node discovery: https://docs.datomic.com/pro/overview/caching.html#node-auto-discovery

That being said, I'll bump the story to update this jar.

-Jaret

Update:

@Stefan Van den Oord

I talked with dev and we believe that every match here is a false positive. First, each CVE pertains to either the Memcached server itself or misconfigurations of it and not any client implementations. See: https://docs.google.com/spreadsheets/d/1r_WToan1V61_XbAUz71lw-e2acVMsR2i9zMr6h4ZcDY/edit#gid=0

We were able to run the same scan (same tool, nvd-clojure) and see the same report. The match, however, is due to the CVEs mentioning memcached:memcached:*:*:*:*:*:*:*:* UP TO 1.4.x (or similar) as the affected software. The package name and version of memcached-asg-java-client trigger the false positives.

We were able to confirm the above by bumping memcached-asg-java-client to 2.0 locally, repeating the scan, and receiving no CVEs.

We do use nvd-clojure to scan all builds of Datomic and have added the jar to our process with the ruled out false positives.
...
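For anyone who wants to rule out the same false positive in their own build rather than wait for the jar bump, here is an added example of an OWASP Dependency Check suppression file (not from the original thread or from Datomic); it matches the artifact by its Maven package URL and suppresses only the memcached:memcached CPE that the answer above identifies as the source of the mismatch, so any genuinely client-side finding against the jar would still be reported. The file name and the note text are my own; pass the file to Dependency Check (or to nvd-clojure's configuration, as its README describes) as its suppression file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (constructed example) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      com.datomic/memcache-asg-java-client is a Java memcached *client* (fork of
      spymemcached via elasticache-java-cluster-client). Its artifact name and
      1.1.x version make Dependency Check match it against the memcached:memcached
      server CPE (affected versions up to 1.4.x), whose CVEs concern the server or
      its configuration, not client libraries. Suppress only that CPE so that any
      future finding attributed to the client itself is still reported.
    ]]></notes>
    <!-- Scope the rule to this one artifact, any version, instead of the whole scan. -->
    <packageUrl regex="true">^pkg:maven/com\.datomic/memcache\-asg\-java\-client@.*$</packageUrl>
    <!-- Suppress the mismatched server CPE, not individual CVE ids, so new
         server-only CVEs against the same CPE do not re-trigger the alert. -->
    <cpe>cpe:/a:memcached:memcached</cpe>
  </suppress>
</suppressions>
```

Re-run the scan after adding the file and confirm the report lists the jar under suppressed findings; if the artifact ever moves to the 2.0 line mentioned above, the regex still applies and the rule can simply be deleted.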