CVE-2019-9658: Gradle depends upon Checkstyle Version vulnerable to MITM based XXE

[JLLeitschuh]

Gradle's checksyle plugin currently ships with a default dependenciy upon Checkstyle version 8.17.

gradle/subprojects/code-quality/src/main/groovy/org/gradle/api/plugins/quality/CheckstylePlugin.java

Line 39 in ae6478d

public static final String DEFAULT_CHECKSTYLE_VERSION = "8.17";

Checkstyle versions below below 8.18 are vulnerable to XXE of the remotely loaded DTD file being MITMed.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658
https://nvd.nist.gov/vuln/detail/CVE-2019-9658

[big-guy]

From checkstyle/checkstyle#6474, it looks like only <8.11 are definitely affected by default? IIUC, if you have custom configuration, you might be affected with 8.11-8.17.

From 8.11 version checkstyle do not rely on remove DTDs if you use standard config, with standard DTDs.

As of this writing,
Gradle 5.2.1 ships with Checkstyle 8.12
Gradle 5.3 RCs are using Checkstyle 8.17

[JLLeitschuh]

Looking back at my notes on this research and the comments, yes, you are correct.

The reason I originally found this vulnerability requiring me to responsibility disclose it to the checkstyle team was that I found my build would fail due to checkstyle if I ran it in offline mode with the internet disconnected.

I originally setup checkstyle sometime in the Gradle 4.x series.

[britter]

Fixed in 1be126f

[hstonec]

Hi, our team still uses Gradle 5.6.3 which seems that we cannot get this fix. Is it possible to also apply the fix to 5.6.3 ?

[JLLeitschuh]

@hstonec Simply upgrade the version of CheckStyle that your build relies upon.

https://docs.gradle.org/current/dsl/org.gradle.api.plugins.quality.CheckstyleExtension.html#org.gradle.api.plugins.quality.CheckstyleExtension:toolVersion

checkstyle {
  toolVersion = ...
}