Conversation
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/f6edab35-20fa-446b-8036-d8c2223efb24 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Update OGNL dependency version to 3.0.21 for security fixes
Fix CVE-2016-3093: upgrade OGNL 2.6.9 → 3.0.21
Apr 16, 2026
…Matchers Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/6b8eb99d-3f76-42c6-9848-34782ea3487a Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
… license-manager-cli pom Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/7cf6d7a0-2e60-423d-8d1e-6627556d89f7 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
…x API Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/7a915422-19c9-4fbf-823f-edbbf6b07dfc Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
…2.x compatibility Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/748d1cc8-2850-44df-abad-b056d6b32b5d Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
…r changes Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/ff049a3e-2689-453f-b840-f98cba9e5f3e Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
…b and UpdateTask static cache pollution Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/3a085e25-5d29-43ca-8208-06e3c81233ef Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/0a6f4032-6f33-453e-aa94-0e3102246302 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/853d0ec3-377f-4084-b89c-39c9a12cd71d Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/03a7a632-a24e-4e4f-9eff-895878946e7d Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
… compatibility Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/4f563704-581a-4502-b57f-3585fd9e4206 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/43693ebd-ad3e-4ac1-87e7-38f66bf124ea Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/e0ff8012-f01b-475c-ad48-209d8bbe4deb Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/4afa5502-7a25-4cd5-ac8d-a9873932d02d Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
…st and PersistentCookiePAPTest
- Replace anyString() with nullable(String.class) for cookieName and hmacKey
arguments in PersistentCookieAuthModuleTest given/verify calls, as these
can be null when not present in options map (Mockito 2.x anyString() does
not match null unlike Mockito 1.x)
- Replace anyString() with nullable(String.class) for realm argument in
PersistentCookiePAPTest getOrganizationConfig stub, as ssoToken.getProperty
("Organization") is not stubbed in those tests so it returns null
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/8dc2cb41-afd4-4374-9b12-b4cf1640e4af
Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Replace Mockito.anyString() with nullable(String.class) for the reqBinding argument in getIDPRequestValidator stub. In Mockito 2.x anyString() does not match null, but reqBinding is passed as null in the test cases, causing validator to remain null and NullPointerException at runtime. Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/41b7caa3-787a-4fa7-a69c-86ca5ea6fd4d Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
- OpenAMScopeValidatorTest: use nullable(String.class) in getResourceOwnerIdentity stub; use literal string in getResourceOwnerId thenReturn (anyString() used as return value was returning null)
- OpenAMResourceSetStoreTest: use nullable(String.class) in getResourceSetRegistrationPolicyEndpoint stub (resource set ID is null before it gets generated)
- ResourceSetRegistrationEndpointTest: use nullable(String.class) in resourceSetCreated verify (realm param is null); add store.read stub for delete test so updateLabelsForDeletedResourceSet gets non-null arg
- AccessTokenServiceTest: use nullable(String.class) in createAccessToken and createRefreshToken stubs (several args are always null)
- AuthorizationCodeGrantTypeHandlerTest: use nullable(String.class) in tokenInvalidator.invalidateTokens verify and in createAccessToken / createRefreshToken stubs (grantType, resourceOwnerId, nonce, etc are null from unstubbed mocks)
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/df2c22cb-937a-4145-8f42-5ec58a64639b
Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
- AuthorizationCodeGrantTypeHandlerTest: verify(accessToken).addExtraData(
eq("nonce"), anyString()) fails because authorizationCode.getNonce() is
null on an unstubbed mock; changed to nullable(String.class) in all
three shouldHandle* tests
- AccessTokenServiceTest.shouldReturnNewRefreshTokenIdWhenRefreshing:
createRefreshToken stub had anyString() for authGrantId (position 8)
but refreshToken.getAuthGrantId() returns null on an unstubbed mock;
changed to nullable(String.class)
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/bf83acfc-2e36-4665-a516-c6383bcf0e7d
Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/43f8f22d-f1ee-4ba2-97e0-909821e51726 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
…eEntitlementSubConfigsStepTest Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/3b5c1155-ad20-4a02-9d22-3ddc188c00a1 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/eca7f47e-e313-4e13-8615-f20c5e741a81 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
…oid flaky IT test failures Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/4123b9ed-4e9c-45b6-be2f-0088d4b3f336 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
…61 PR-changed Java files Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/14b2ba10-f354-4f36-ae31-50898ca56a55 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Member
@copilot merge from copilot/update-powermock-dependencies
…ncies' into copilot/update-ognl-dependency-to-3-0-21 # Conflicts: # pom.xml Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Contributor
Author
Done — merged
…0.9 requirement Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/3d2f0d15-7629-4e90-a359-7608076c28f7 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
…and ognl deps in openam-core to fix PowerMock 2.x classpath conflict Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/8269faaa-c2d9-426a-9ab2-931c51a9cfc0 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
NoSuchMethodError: javassist.CtClass.getDeclaredClasses() in ExternalLdapConfigTest
- javassist:javassist:3.11.0.GA (old Maven group ID), which shadows org.javassist:javassist:3.27.0-GA (new group ID, required by PowerMock 2.0.9); both land on the classpath as separate Maven artifacts since they have different coordinates
- pom.xml: added <exclusion> for javassist:javassist (old group) to the OGNL <dependencyManagement> entry (handles modules that declare ognl as a direct dep without version)
- openam-core/pom.xml: added <exclusion> for javassist:javassist (old group) to the direct click-nodeps, click-extras, and ognl dependency declarations (blocks all transitive paths that could re-introduce the old javassist jar)
Original prompt
Problem
The project uses OGNL 2.6.9 which is vulnerable to CVE-2016-3093 — a denial-of-service vulnerability caused by inefficient caching of method references in OGNL before version 3.0.12 when used with Apache Struts 2.
OGNL is actively used in the embedded Apache Click code throughout the project:
- openam-core/src/main/java/org/openidentityplatform/openam/click/ClickServlet.java — imports ognl.Ognl, ognl.DefaultMemberAccess
- openam-core/src/main/java/org/openidentityplatform/openam/click/util/ContainerUtils.java — uses Ognl.setValue() / Ognl.getValue()
- openam-core/src/main/java/org/openidentityplatform/openam/click/service/XmlConfigService.java — uses Ognl.setValue()
Required Changes
Update OGNL dependency version to 3.0.21 (latest 3.0.x with security fixes and backward compatibility):
- pom.xml <dependencyManagement> section, changing from version 2.6.9 to 3.0.21. The groupId for OGNL 3.x is ognl and artifactId is ognl.
- openam-core/pom.xml if not already present.
- pom.xml files that may reference OGNL and ensure they use the managed version.
Fix any API compatibility issues between OGNL 2.6.9 and 3.0.21 in Java source files that import from the ognl.* package. Key classes to check:
- DefaultMemberAccess — constructor signature may differ
- DefaultTypeConverter — may have moved
- OgnlOps — verify methods still exist
Update legal/THIRDPARTYREADME.txt: Replace reference to ognl-2.6.9.jar with ognl-3.0.21.jar.
Update legacy deployable-war lists if they reference ognl-2.6.9.jar:
- openam-federation/OpenFM/src/main/deployable-war/fam-noconsole.list — replace ./WEB-INF/lib/ognl-2.6.9.jar with ./WEB-INF/lib/ognl-3.0.21.jar
- openam-federation/OpenFM/src/main/deployable-war/fam-console.list for similar references.
The following is the prior conversation context from the user's chat exploration (may be truncated):
User: suggest a fix for CVE-2016-3093
Assistant: Let me find where the commons-fileupload version is managed in the project:
Assistant:
CVE-2016-3093 in OpenIdentityPlatform/OpenAM
CVE-2016-3093 is a vulnerability in OGNL (Object-Graph Navigation Language) before version 3.0.12, used together with Apache Struts 2. It allows a remote attacker to cause a denial of service (DoS) because of inefficient caching of method references.
Current state in the repository
The project uses ognl-2.6.9, a vulnerable version. OGNL is actively used in the Apache Click code that is embedded in OpenAM:
- ClickServlet.java — imports ognl.Ognl, ognl.DefaultMemberAccess
- ContainerUtils.java — uses Ognl.setValue() / Ognl.getValue() for form data binding
- XmlConfigService.java — uses Ognl.setValue() for service configuration
Recommended fix
The OGNL dependency must be upgraded from 2.6.9 to 3.0.12+ (or, better, to the latest stable 3.x). The version is pulled in transitively through Apache Click (click-nodeps). Since the project uses its own fork of the Click code (package org.openidentityplatform.openam.click), the OGNL version can be overridden explicitly.
1. Add an explicit OGNL dependency to the root pom.xml (dependencyManagement):
2. Add an explicit dependency to openam-core/pom.xml:
3. Check API compatibility. Some APIs changed in OGNL 3.x:
- DefaultMemberAccess (used in ClickServlet.java) — the constructor may differ
- DefaultTypeConverter (used in ContainerUtils.java) — moved to ognl.DefaultTypeConverter
- OgnlOps — check that the methods used are still present
4. Update legal/THIRDPARTYREADME.txt: replace ognl-2.6.9.jar with ognl-3.0.21.jar.
5. Update the legacy lists in openam-federation/OpenFM/src/main/deployable-war/fam-noconsole.list: replace ./WEB-INF/lib/ognl-2.6.9.jar with ./WEB-INF/lib/ognl-3.0.21.jar.
Why 3.0.21 specifically
OGNL 3.0.12 is the minimum version that fixes CVE-2016-3093, but 3.0.21 is the last release of the 3.0.x branch, with additional security fixes, while remaining backward compatible with the 3.0.x API.
User: create a PR
Assistant: I've started the process of creating a pull request to fix CVE-2016-3093 by upgrading OGNL from 2.6.9 to 3.0.21 in the OpenIdentityPlatform/OpenAM repository. I'm waiting for your confirmati...
This pull request was created from Copilot chat.