Bug 1216775 (CVE-2023-39017)

Summary: VUL-0: CVE-2023-39017: quartz: potential code injection vulnerability in quartz-jobs
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P3 - Medium
CC: galaxy-bugs, mc, meissner, stoyan.manolov, thomas.florio
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/373705/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-39017:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-11-01 05:39:48 UTC
quartz-jobs 2.3.2 and below was discovered to contain a code
injection vulnerability in the component
org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is
exploited via passing an unchecked argument. NOTE: this is disputed by multiple
parties because it is not plausible that untrusted user input would reach the
code location where injection must occur.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39017
Comment 2 Michael Calmer 2023-11-01 08:18:54 UTC
SUSE Manager 4.2 went EOL on Oct 31st.
So only 4.3 will be fixed.
Comment 4 Thomas Florio 2023-11-13 14:31:34 UTC
Sorry, I wasn't aware of this. I need to finish working on another issue, then I will address this vulnerability ASAP.
Comment 5 Thomas Florio 2023-11-14 10:44:35 UTC
Our package is not affected by this CVE, since we are not shipping the quartz-jobs module at all. That specific jar is not available in our package, which only contains the main artifact quartz.jar.

It's also worth noting that currently there is no fix upstream since, from what was discussed in the GitHub issue, the team's stance is that this is not a Quartz issue:

>The highlighted JMS job example as well as other job examples (JMX invoker, mail sender, EJB) may look vulnerable due to a chance of abusing the host name parameters to abuse deserialization (using own code base) and/or denial of service (e.g. sending mail). The wiring of untrusted inputs into the jobs would have to be done by the application's own code, and therefore the job examples cannot be blamed.

https://github.com/quartz-scheduler/quartz/issues/943

Moreover, I'm not sure I understand why 2.4.0 RC is considered "safe" (according to one comment in that very same thread), since the code of the affected class SendQueueMessageJob is exactly the same in all code branches.
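The "not affected" argument above rests on the package shipping only quartz.jar and not the quartz-jobs artifact. The script below is an added example (not code from this bug report, from SUSE, or from the Quartz project) of how a packager can verify that claim mechanically: it walks a directory of jars and reports any archive that contains the class named in the CVE text, org.quartz.jobs.ee.jms.SendQueueMessageJob, mapped to its path inside the jar. It assumes only that jars are zip files laid out by package path (standard Java packaging); the two sample jars it builds are constructed placeholders, not real Quartz artifacts.

```python
"""Check a directory of jars for the quartz-jobs class named in CVE-2023-39017.

Added example, not code from the bug report or the Quartz project. It assumes
only that jars are zip archives laid out by package path.
"""
import os
import tempfile
import zipfile

# Fully qualified class from the CVE text, expressed as an entry path in the jar.
AFFECTED_CLASS = "org/quartz/jobs/ee/jms/SendQueueMessageJob.class"


def jar_contains_class(jar_path: str, class_entry: str = AFFECTED_CLASS) -> bool:
    """Return True if the jar (a zip archive) contains the given class entry."""
    if not zipfile.is_zipfile(jar_path):
        return False
    with zipfile.ZipFile(jar_path) as jar:
        return class_entry in jar.namelist()


def find_affected_jars(root: str, class_entry: str = AFFECTED_CLASS) -> list:
    """Walk root recursively and return sorted paths of jars shipping the class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                if jar_contains_class(path, class_entry):
                    hits.append(path)
    return sorted(hits)


def build_sample_tree() -> str:
    """Create constructed sample jars (placeholders, not real Quartz builds).

    quartz.jar mimics a package that ships only the main artifact;
    lib/quartz-jobs.jar mimics one that also ships the job examples.
    """
    root = tempfile.mkdtemp(prefix="quartz-check-")
    with zipfile.ZipFile(os.path.join(root, "quartz.jar"), "w") as jar:
        # Placeholder entry standing in for the main artifact's classes.
        jar.writestr("org/quartz/Scheduler.class", b"\xca\xfe\xba\xbe")
    sub = os.path.join(root, "lib")
    os.mkdir(sub)
    with zipfile.ZipFile(os.path.join(sub, "quartz-jobs.jar"), "w") as jar:
        jar.writestr(AFFECTED_CLASS, b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    hits = find_affected_jars(sample)
    if not hits:
        print("no jar under", sample, "ships", AFFECTED_CLASS)
    for hit in hits:
        print("ships the quartz-jobs class:", hit)
```

Run it against an unpacked RPM payload or a deployed lib directory instead of the sample tree; an empty result is the evidence the comment above relies on, and a non-empty one means the quartz-jobs artifact is present after all.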