Bugzilla – Bug 1216775
VUL-0: CVE-2023-39017: quartz: potential code injection vulnerability in quartz-jobs
Last modified: 2023-11-30 04:43:06 UTC
quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple parties because it is not plausible that untrusted user input would reach the code location where injection must occur. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39017
SUSE Manager 4.2 went EOL on Oct 31st, so only 4.3 will be fixed.
Sorry, I wasn't aware of this. I need to finish working on another issue, then I will address this vulnerability ASAP.
Our package is not affected by this CVE, since we are not shipping the quartz-jobs module at all. That specific jar is not available in our package, which only contains the main artifact quartz.jar.

It's also worth noting that there is currently no fix upstream since, from what was discussed in the GitHub issue, the team's stance is that this is not a Quartz issue:

> The highlighted JMS job example as well as other job examples (JMX invoker, mail sender, EJB) may look vulnerable due to a chance of abusing the host name parameters to abuse deserialization (using own code base) and/or denial of service (e.g. sending mail). The wiring of untrusted inputs into the jobs would have to be done by the application's own code, and therefore the job examples cannot be blamed.

https://github.com/quartz-scheduler/quartz/issues/943

Moreover, I'm not sure I understand why 2.4.0 RC is considered "safe" (according to one comment in that very same thread), since the code of the affected class SendQueueMessageJob is exactly the same in all code branches.