icu4j-58.2.jar mis-identified as C/C++ implementation of ICU #851

Description

@jdimmerman

There are two known vulnerabilities in the C/C++ implementation of International Components for Unicode (ICU): CVE-2017-7867 and CVE-2017-7868.
Dependency checker is correctly identifying icu4j version 58.2 as what it is, but is then associating it with these two CVEs, which is not correct as they don't affect the Java implementation (insofar as the research I've done shows).

Log attached:
dependency-check.log.zip

<dependency>
    <fileName>icu4j-58.2.jar</fileName>
    <filePath>/root/.gradle/caches/modules-2/files-2.1/com.ibm.icu/icu4j/58.2/db9fd4b4c189cf1518db14c67d14a2cfcfbe59f6/icu4j-58.2.jar</filePath>
    <md5>605d8a0276a280ff6332c3bd26071180</md5>
    <sha1>db9fd4b4c189cf1518db14c67d14a2cfcfbe59f6</sha1>
    <description>
International Component for Unicode for Java (ICU4J) is a mature, widely used Java library
providing Unicode and Globalization support 
</description>
    <license>Unicode/ICU License: http://source.icu-project.org/repos/icu/trunk/icu4j/main/shared/licenses/LICENSE</license>
    <evidenceCollected>
        <evidence type="vendor" confidence="HIGHEST">
            <source>central</source>
            <name>groupid</name>
            <value>com.ibm.icu</value>
        </evidence>
        <evidence type="vendor" confidence="HIGH">
            <source>file</source>
            <name>name</name>
            <value>icu4j</value>
        </evidence>
        <evidence type="vendor" confidence="LOW">
            <source>jar</source>
            <name>package name</name>
            <value>ibm</value>
        </evidence>
        <evidence type="vendor" confidence="LOW">
            <source>jar</source>
            <name>package name</name>
            <value>icu</value>
        </evidence>
        <evidence type="vendor" confidence="LOW">
            <source>Manifest</source>
            <name>bundle-copyright</name>
            <value>Copyright 2000-2016, International Business Machines Corporation and others.  All Rights Reserved.</value>
        </evidence>
        <evidence type="vendor" confidence="MEDIUM">
            <source>manifest</source>
            <name>Bundle-Description</name>
            <value>International Components for Unicode for Java</value>
        </evidence>
        <evidence type="vendor" confidence="LOW">
            <source>Manifest</source>
            <name>bundle-requiredexecutionenvironment</name>
            <value>JavaSE-1.6</value>
        </evidence>
        <evidence type="vendor" confidence="MEDIUM">
            <source>Manifest</source>
            <name>bundle-symbolicname</name>
            <value>com.ibm.icu</value>
        </evidence>
        <evidence type="vendor" confidence="HIGH">
            <source>Manifest</source>
            <name>Implementation-Vendor</name>
            <value>IBM Corporation</value>
        </evidence>
        <evidence type="vendor" confidence="MEDIUM">
            <source>Manifest</source>
            <name>Implementation-Vendor-Id</name>
            <value>com.ibm</value>
        </evidence>
        <evidence type="vendor" confidence="LOW">
            <source>Manifest</source>
            <name>specification-vendor</name>
            <value>icu-project.org</value>
        </evidence>
        <evidence type="vendor" confidence="LOW">
            <source>pom</source>
            <name>artifactid</name>
            <value>icu4j</value>
        </evidence>
        <evidence type="vendor" confidence="LOW">
            <source>pom</source>
            <name>description</name>
            <value>International Component for Unicode for Java (ICU4J) is a mature, widely used Java library providing Unicode and Globalization support</value>
        </evidence>
        <evidence type="vendor" confidence="HIGHEST">
            <source>pom</source>
            <name>groupid</name>
            <value>ibm.icu</value>
        </evidence>
        <evidence type="vendor" confidence="HIGH">
            <source>pom</source>
            <name>name</name>
            <value>ICU4J</value>
        </evidence>
        <evidence type="vendor" confidence="HIGHEST">
            <source>pom</source>
            <name>url</name>
            <value>http://icu-project.org/</value>
        </evidence>
        <evidence type="product" confidence="HIGHEST">
            <source>central</source>
            <name>artifactid</name>
            <value>icu4j</value>
        </evidence>
        <evidence type="product" confidence="HIGH">
            <source>file</source>
            <name>name</name>
            <value>icu4j</value>
        </evidence>
        <evidence type="product" confidence="LOW">
            <source>jar</source>
            <name>package name</name>
            <value>icu</value>
        </evidence>
        <evidence type="product" confidence="LOW">
            <source>Manifest</source>
            <name>bundle-copyright</name>
            <value>Copyright 2000-2016, International Business Machines Corporation and others.  All Rights Reserved.</value>
        </evidence>
        <evidence type="product" confidence="MEDIUM">
            <source>manifest</source>
            <name>Bundle-Description</name>
            <value>International Components for Unicode for Java</value>
        </evidence>
        <evidence type="product" confidence="MEDIUM">
            <source>Manifest</source>
            <name>Bundle-Name</name>
            <value>ICU4J</value>
        </evidence>
        <evidence type="product" confidence="LOW">
            <source>Manifest</source>
            <name>bundle-requiredexecutionenvironment</name>
            <value>JavaSE-1.6</value>
        </evidence>
        <evidence type="product" confidence="MEDIUM">
            <source>Manifest</source>
            <name>bundle-symbolicname</name>
            <value>com.ibm.icu</value>
        </evidence>
        <evidence type="product" confidence="HIGH">
            <source>Manifest</source>
            <name>Implementation-Title</name>
            <value>International Components for Unicode for Java</value>
        </evidence>
        <evidence type="product" confidence="MEDIUM">
            <source>Manifest</source>
            <name>specification-title</name>
            <value>International Components for Unicode for Java</value>
        </evidence>
        <evidence type="product" confidence="HIGHEST">
            <source>pom</source>
            <name>artifactid</name>
            <value>icu4j</value>
        </evidence>
        <evidence type="product" confidence="LOW">
            <source>pom</source>
            <name>description</name>
            <value>International Component for Unicode for Java (ICU4J) is a mature, widely used Java library providing Unicode and Globalization support</value>
        </evidence>
        <evidence type="product" confidence="LOW">
            <source>pom</source>
            <name>groupid</name>
            <value>ibm.icu</value>
        </evidence>
        <evidence type="product" confidence="HIGH">
            <source>pom</source>
            <name>name</name>
            <value>ICU4J</value>
        </evidence>
        <evidence type="version" confidence="HIGHEST">
            <source>central</source>
            <name>version</name>
            <value>58.2</value>
        </evidence>
        <evidence type="version" confidence="HIGHEST">
            <source>file</source>
            <name>version</name>
            <value>58.2</value>
        </evidence>
        <evidence type="version" confidence="HIGH">
            <source>Manifest</source>
            <name>Implementation-Version</name>
            <value>58.2</value>
        </evidence>
        <evidence type="version" confidence="HIGHEST">
            <source>pom</source>
            <name>version</name>
            <value>58.2</value>
        </evidence>
    </evidenceCollected>
    <identifiers>
        <identifier type="maven" confidence="HIGHEST">
            <name>(com.ibm.icu:icu4j:58.2)</name>
            <url>http://search.maven.org/remotecontent?filepath=com/ibm/icu/icu4j/58.2/icu4j-58.2.jar</url>
        </identifier>
        <identifier type="cpe" confidence="HIGHEST">
            <name>(cpe:/a:icu_project:international_components_for_unicode:58.2)</name>
            <url>https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aicu_project%3Ainternational_components_for_unicode%3A58.2</url>
        </identifier>
    </identifiers>
    <vulnerabilities>
        <vulnerability>
            <name>CVE-2017-7868</name>
            <cvssScore>5.0</cvssScore>
            <cvssAccessVector>NETWORK</cvssAccessVector>
            <cvssAccessComplexity>LOW</cvssAccessComplexity>
            <cvssAuthenticationr>NONE</cvssAuthenticationr>
            <cvssConfidentialImpact>NONE</cvssConfidentialImpact>
            <cvssIntegrityImpact>NONE</cvssIntegrityImpact>
            <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact>
            <severity>Medium</severity>
            <cwe>CWE-787 Out-of-bounds Write</cwe>
            <description>International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.</description>
            <references>
                <reference>
                    <source>MISC</source>
                    <url>https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=437</url>
                    <name>https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=437</name>
                </reference>
                <reference>
                    <source>BID</source>
                    <url>http://www.securityfocus.com/bid/97674</url>
                    <name>97674</name>
                </reference>
                <reference>
                    <source>MISC</source>
                    <url>http://bugs.icu-project.org/trac/changeset/39671</url>
                    <name>http://bugs.icu-project.org/trac/changeset/39671</name>
                </reference>
            </references>
            <vulnerableSoftware>
                <software allPreviousVersion="true">cpe:/a:icu_project:international_components_for_unicode:58.2</software>
            </vulnerableSoftware>
        </vulnerability>
        <vulnerability>
            <name>CVE-2017-7867</name>
            <cvssScore>5.0</cvssScore>
            <cvssAccessVector>NETWORK</cvssAccessVector>
            <cvssAccessComplexity>LOW</cvssAccessComplexity>
            <cvssAuthenticationr>NONE</cvssAuthenticationr>
            <cvssConfidentialImpact>NONE</cvssConfidentialImpact>
            <cvssIntegrityImpact>NONE</cvssIntegrityImpact>
            <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact>
            <severity>Medium</severity>
            <cwe>CWE-787 Out-of-bounds Write</cwe>
            <description>International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function.</description>
            <references>
                <reference>
                    <source>MISC</source>
                    <url>https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=213</url>
                    <name>https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=213</name>
                </reference>
                <reference>
                    <source>MISC</source>
                    <url>http://bugs.icu-project.org/trac/changeset/39671</url>
                    <name>http://bugs.icu-project.org/trac/changeset/39671</name>
                </reference>
                <reference>
                    <source>BID</source>
                    <url>http://www.securityfocus.com/bid/97672</url>
                    <name>97672</name>
                </reference>
            </references>
            <vulnerableSoftware>
                <software allPreviousVersion="true">cpe:/a:icu_project:international_components_for_unicode:58.2</software>
            </vulnerableSoftware>
        </vulnerability>
    </vulnerabilities>
</dependency>
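The false positive above comes from a CPE identifier that covers both the C/C++ and the Java distributions of ICU. As an added example (not code from the issue or from dependency-check itself), the script below parses a report of this shape, flags a maven-identified dependency whose CPE match carries only CVEs scoped to the C/C++ implementation, and renders the matching dependency-check suppression rule. REPORT is a constructed, trimmed copy of the excerpt; the suppression schema URL is the published 1.3 one and is assumed to fit the installed version.

```python
"""Triage a dependency-check XML report for CPE matches that attach C/C++ CVEs
to a Java artifact, and render a suppression rule for each. Added example for
this issue (not dependency-check's own code); REPORT is a constructed excerpt."""
import xml.etree.ElementTree as ET

REPORT = """<analysis><dependency>
  <fileName>icu4j-58.2.jar</fileName>
  <sha1>db9fd4b4c189cf1518db14c67d14a2cfcfbe59f6</sha1>
  <identifiers>
    <identifier type="maven"><name>(com.ibm.icu:icu4j:58.2)</name></identifier>
    <identifier type="cpe"><name>(cpe:/a:icu_project:international_components_for_unicode:58.2)</name></identifier>
  </identifiers>
  <vulnerabilities>
    <vulnerability><name>CVE-2017-7868</name><description>International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write</description></vulnerability>
    <vulnerability><name>CVE-2017-7867</name><description>International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write</description></vulnerability>
  </vulnerabilities>
</dependency></analysis>"""

NATIVE_MARKER = "for C/C++"  # phrase NVD uses to scope a CVE to the C/C++ ICU

def find_native_false_positives(report_xml):
    """Return [(fileName, sha1, CPE without version, [CVEs])] for each
    maven-identified dependency whose CPE match carries only C/C++ CVEs."""
    root = ET.fromstring(report_xml)
    for el in root.iter():  # full reports declare a default xmlns; drop it
        el.tag = el.tag.rsplit("}", 1)[-1]
    hits = []
    for dep in root.iter("dependency"):
        ids = {i.get("type"): i.findtext("name").strip().strip("()")
               for i in dep.iter("identifier")}
        cves = [v.findtext("name") for v in dep.iter("vulnerability")]
        native = [v.findtext("name") for v in dep.iter("vulnerability")
                  if NATIVE_MARKER in v.findtext("description", "")]
        # Java coordinates plus a CPE match whose every CVE is native-only.
        if "maven" in ids and "cpe" in ids and cves and native == cves:
            cpe = ":".join(ids["cpe"].split(":")[:4])  # drop the version field
            hits.append((dep.findtext("fileName"), dep.findtext("sha1"), cpe, native))
    return hits

def suppression_xml(hits):
    """Render dependency-check suppression rules keyed on sha1 and CPE.
    The xmlns is the published 1.3 schema URL (assumed); match it to your version."""
    rules = "".join(
        f"  <suppress>\n    <notes>{name}: {', '.join(cves)} affect the C/C++ ICU only</notes>\n"
        f"    <sha1>{sha1}</sha1>\n    <cpe>{cpe}</cpe>\n  </suppress>\n"
        for name, sha1, cpe, cves in hits)
    return ('<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/'
            f'dependency-suppression.1.3.xsd">\n{rules}</suppressions>')
```

Pinning the rule to the jar's sha1 keeps the suppression from silently hiding a future ICU CPE match on a different artifact.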