Chronicle Map currently (optionally) depends on XStream 1.4.20, which is impacted by CVE-2024-47072; the CVE was resolved in XStream 1.4.21.
Chronicle Map consumers that exercise the getAll()/putAll() functionality backed by XStream have to declare the XStream dependency themselves, and that dependency has to be in line with whatever XStream version Chronicle Map uses. Because of that, consumers get flagged by security scanning but cannot bump XStream on their own until Chronicle Map does.
When investigating the upgrade, I found that XStream behaviour changed from 1.4.20 to 1.4.21. In particular, the call to moveDown() in AbstractChronicleMapConverter's unmarshal() seems to be extraneous and in fact erroneous, as it descends one node too deep:
Chronicle-Map/src/main/java/net/openhft/xstream/converters/AbstractChronicleMapConverter.java, line 116 in 343bb22
With 1.4.20 the moveDown() call stayed at the same node for some reason; with 1.4.21 it moves on, hence causing a deserialization error in Chronicle-Map/src/main/java/net/openhft/xstream/converters/AbstractChronicleMapConverter.java, lines 122 to 123 in 343bb22:

    if (!nodeName0.equals("entry"))
        throw new ConversionException("unable to convert node named=" + nodeName0);

This leads to a number of failing tests in CHMUseCasesTest. When the moveDown() call is removed, the tests pass once again.
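As an added illustration (my own code, not the Chronicle Map converter), here is a minimal XStream converter for a map serialised as `<entry><key/><value/></entry>` children; its unmarshal loop shows the cursor discipline the issue is about, i.e. why an extra moveDown() before the loop lands on the wrong node. The class name EntryMapConverter and the "string-map" alias are assumptions for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not Chronicle Map's code: every moveDown() is paired with a moveUp().
public class EntryMapConverter implements Converter {
    public boolean canConvert(Class type) { return Map.class.isAssignableFrom(type); }

    public void marshal(Object source, HierarchicalStreamWriter w, MarshallingContext ctx) {
        for (Map.Entry<?, ?> e : ((Map<?, ?>) source).entrySet()) {
            w.startNode("entry");
            w.startNode("key");   w.setValue(String.valueOf(e.getKey()));   w.endNode();
            w.startNode("value"); w.setValue(String.valueOf(e.getValue())); w.endNode();
            w.endNode();
        }
    }

    public Object unmarshal(HierarchicalStreamReader r, UnmarshallingContext ctx) {
        Map<String, String> result = new LinkedHashMap<>();
        // The reader already sits on the root element. An extra r.moveDown() here would move
        // the cursor onto the first <entry>, so the loop's own moveDown() would land on <key>
        // and the "entry" check below would throw.
        while (r.hasMoreChildren()) {
            r.moveDown();                                   // now on <entry>
            String nodeName = r.getNodeName();
            if (!nodeName.equals("entry"))
                throw new ConversionException("unable to convert node named=" + nodeName);
            r.moveDown(); String key = r.getValue();   r.moveUp(); // <key>
            r.moveDown(); String value = r.getValue(); r.moveUp(); // <value>
            result.put(key, value);
            r.moveUp();                                     // back on the root element
        }
        return result;
    }

    public static void main(String[] args) {
        XStream xstream = new XStream();
        xstream.allowTypes(new Class[]{LinkedHashMap.class}); // permit only the type we produce
        xstream.alias("string-map", LinkedHashMap.class);
        xstream.registerConverter(new EntryMapConverter());
        String xml = "<string-map><entry><key>a</key><value>1</value></entry>" // constructed input
                   + "<entry><key>b</key><value>2</value></entry></string-map>";
        System.out.println(xstream.fromXML(xml));
    }
}
```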
Now, with the update to 1.4.21, there is a bunch of other tests that fail in Chronicle Map. Most of these seem to pertain to XStream requirements of specifying key size:
[ERROR] Failures:
[ERROR] CHMUseCasesTest.testLongValueLongValueMap:2214 expected:<1> but was:<61>
[ERROR] CHMUseCasesTest.testLongValueLongValueMap:2214 expected:<1> but was:<64>
[ERROR] Errors:
[ERROR] OffHeapByteArrayExampleTest.beforeClass:27 » IllegalState Key size in serialized form must be configured in ChronicleMap, at least approximately.
Use builder.averageKey()/.constantKeySizeBySample()/.averageKeySize() methods to configure the size
[ERROR] PortfolioValueTest.test:98 » IllegalState Key size in serialized form must be configured in ChronicleMap, at least approximately.
Use builder.averageKey()/.constantKeySizeBySample()/.averageKeySize() methods to configure the size
[ERROR] ChronicleMapImportExportTest.testWithLongValue:217 » IllegalState Value size in serialized form must be configured in ChronicleMap, at least approximately.
Use builder.averageValue()/.constantValueSizeBySample()/.averageValueSize() methods to configure the size
[ERROR] DataKeyValueTest.dataKeyValueTest:19 » IllegalState Value size in serialized form must be configured in ChronicleMap, at least approximately.
Use builder.averageValue()/.constantValueSizeBySample()/.averageValueSize() methods to configure the size
[ERROR] Issue354Test.reproduce:26 » IllegalState Key size in serialized form must be configured in ChronicleMap, at least approximately.
Use builder.averageKey()/.constantKeySizeBySample()/.averageKeySize() methods to configure the size
[ERROR] Issue354bTest.build_toFile:28 » IllegalState Key size in serialized form must be configured in ChronicleMap, at least approximately.
Use builder.averageKey()/.constantKeySizeBySample()/.averageKeySize() methods to configure the size
[ERROR] LostKeyTest.lostkeysTest:26 » IllegalArgument java.util.ConcurrentModificationException
[ERROR] NegativeIntegerKeyTest.testNegativeIntegerKey:16 NoClassDefFound Could not initialize class net.openhft.chronicle.map.ChronicleMapTest
[ERROR] RecoverTest.testCorruptedEntryRecovery:117 ExceptionInInitializer
[ERROR] ValueInterfaceWithEnumTest.testValueInterface:24 » IllegalArgument java.util.ConcurrentModificationException
[ERROR] ChecksumEntryTest.testChecksumEntriesWithValueInterface:30 » IllegalState Value size in serialized form must be configured in ChronicleMap, at least approximately.
Use builder.averageValue()/.constantValueSizeBySample()/.averageValueSize() methods to configure the size
[ERROR] PutIfAbsentNoGarbageTest.testPutIfAbsentDefault:48 » IllegalArgument java.util.ConcurrentModificationException
[ERROR] PutIfAbsentNoGarbageTest.testPutIfAbsentUsingValue:26 » IllegalArgument java.util.ConcurrentModificationException
[INFO]
[ERROR] Tests run: 1303, Failures: 2, Errors: 13, Skipped: 78
The failing tests in CHMUseCasesTest I could not reproduce when running the tests from IDEA.
Also, while there, the hard-coded version in Chronicle-Map/src/main/java/net/openhft/chronicle/map/JsonSerializer.java, lines 29 to 33 in 343bb22,

    "<dependency>\n" +
    " <groupId>xstream</groupId>\n" +
    " <artifactId>xstream</artifactId>\n" +
    " <version>1.2.2</version>\n" +
    "</dependency>\n" +

should be updated.