| Table of Contents |
|---|
Overview
...
New and/or Modified Documentation
New API Documentation (version 21.7.1)
New and updated documentation has been published for the Global Org/Organization/Product/Project-Level APIs and Product and Project-Level APIs.
WhiteSource Cure Version (version 21.7.1)
A new product, WhiteSource Cure, has been released in beta status. WhiteSource Cure automatically generates remediation suggestions and proposed fixes for vulnerabilities identified by detection tools in proprietary code. The remediation suggestions, called “reports”, are displayed on the vulnerable code itself and can be used as-is in your IDE.
New API Documentation (version 21.6.3)
New and updated documentation has been published for Reports APIs and Licenses and Library APIs.
...
Notices of Deprecation
Documentation
Version 21.
...
7.
...
1
The contents of the following topics will be were moved. The pages of those topics will be deprecated. Note that after being moved, no changes to the information contained will be made
The contents of Triggering a new Scan in Bitbucket will be were moved to WhiteSource for Bitbucket Server.
The information in the Utilizing Security Vulnerabilities Information was moved to Understanding and Managing Security Vulnerabilities.
Version 21.5.2
The following pages were deprecated:
...
Azure DevOps Services Integration
Version 21.6.2
Major improvements to the Azure DevOps integration have been introduced. The underlying scanning mechanism has been modified to allow a direct WhiteSource scan from within the Azure DevOps pipeline. As part of this change, the following updates have been introduced:
...
Unified Agent
Miscellaneous
Version 21.7.1
In the next Unified Agent release, the behavior of the includes and excludes and parameters will be fixed with respect to the use of the projectPerFolder parameter by matching their values relative to the main root path.
Within the next two releases of the Unified Agent, several improvements to the default configuration will be introduced:
The includes parameter will have a default value (comprises of all the WhiteSource supported extensions) that will be applied to all the Unified Agent's configuration methods (environment variables, config file, etc)
The excludes parameter will have a default value of
**/.*, **/node_modules, **/src/test, **/testdata, **/*sources.jar, **/*javadoc.jar
Within the next two releases of the Unified Agent, the Go dependencies detection will be improved by enabling the optimized resolver for Go Modules by default. In addition, the Go resolution will no longer be triggered by Go source files and will be aligned to the other resolvers to be triggered only by the package managers' manifest files.
Version 21.6.2
Starting August 1, Unified Agent versions will be available for a year after their release.
Within the next two releases of the Unified Agent, the default value of the php.removeDuplicateDependencies parameter will be changed from false to true.
Within the next two releases of the Unified Agent, the gradle.additionalArguments parameter for specifying additional arguments to be added to the Gradle commands executed by the agent - will be applied to all Gradle commands (not only to the gradle dependencies command).
Within the next two releases of the Unified Agent, the Maven, OCaml, Modules and the R resolvers will be aligned to the behavior of the other detectors when failErrorLevel is set to ALL by failing the scan if the relevant package manager is not installed.
...
CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGH
Vulnerable Projects
Project | Vulnerabilities | Vulnerable Versions | Mitigation |
|---|---|---|---|
CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518. | 6.x: 6.0 - 6.2.3 | 6.x: No fix available. | |
CVE-2019-9512, CVE-2019-9514. Official Website Advisory | 1.11.x: 1.11.0 - 1.11.12 | 1.11.x: Upgrade to 1.11.13 (patch). | |
CVE-2019-9512, CVE-2019-9514, CVE-2019-9515. Official Website Advisory | 2.2.x: 2.2.0 - 2.2.5 | 2.2.x: Upgrade to 2.2.6 (patch). | |
CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518. Official Website Advisory | 9.3.x - 9.4.20 | Upgrade to 9.4.21 (patch). | |
CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2019-9518. Official Website Advisory | 4.1.0-beta4 - 4.1.38 | Upgrade to 4.1.39 (patch-1 [9512, 9514, 9515], patch-2 [9518]). | |
CVE-2019-9511, CVE-2019-9513. Official Website Advisory | 0.1.0 - 1.39.1 | ||
CVE-2019-9511, CVE-2019-9513, CVE-2019-9516. Official Website Advisory | NOTE: The releases (X.Y.Z) splitted into two types: if Y is divisible by 2 - stable, otherwise - mainline. | Stable: Upgrade to 1.16.1 (patch-1 [9511], patch-2 [9513], patch-3 [9516]). | |
CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518. Official Website Advisory | 8.x: 8.0.0 - 8.16.0 | 8.x: Upgrade to 8.16.1 (patch-1 [9511, 9517], patch-2 [9511, 9517], patch-3 [9512, 9515], patch-4 [9512, 9515], patch-5 [9513], patch-6 [9513], patch-7 [9514], patch-8 [9514], patch-9 [9516], patch-10 [9518]). |
...