[ 
https://issues.apache.org/jira/browse/IGNITE-13601?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrew Story updated IGNITE-13601:
----------------------------------
    Description: 
The ignite-rest-http and ignite-kubernetes modules include a vulnerable version 
of the jackson-databind library. This was spotted in 2.8.1.

This component jackson-databind-2.9.6.jar is flagged as having numerous 
critical, high and medium security vulnerabilities, one of which is 
described here: 
[https://nvd.nist.gov/vuln/detail/CVE-2019-14540]

More here:

[http://apache-ignite-users.70518.x6.nabble.com/Critical-security-vulnerability-for-opt-ignite-apache-ignite-libs-optional-ignite-rest-http-jackson-r-td34032.html]

 

  was:
The ignite-rest-http module includes a [vulnerable 
version|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] of the log4j library. 
It also appears to include slf4j. Why does the REST API include its own logging 
libraries?

This was spotted in 2.8.1 but still appears to be an issue in master and 2.9.

More here:

http://apache-ignite-users.70518.x6.nabble.com/critical-security-vulnerability-for-opt-ignite-apache-ignite-libs-optional-ignite-rest-http-log4j-1-r-td34031.html


> Ignite-rest-http and ignite-kubernetes include vulnerable dependencies
> ----------------------------------------------------------------------
>
>                 Key: IGNITE-13601
>                 URL: https://issues.apache.org/jira/browse/IGNITE-13601
>             Project: Ignite
>          Issue Type: Bug
>          Components: rest
>    Affects Versions: 2.8.1
>            Reporter: Andrew Story
>            Priority: Critical
>
> The ignite-rest-http and ignite-kubernetes modules include a vulnerable 
> version of the jackson-databind library. This was spotted in 2.8.1.
> This component jackson-databind-2.9.6.jar is flagged as having numerous 
> critical, high and medium security vulnerabilities, one of which is 
> described here: 
> [https://nvd.nist.gov/vuln/detail/CVE-2019-14540]
> More here:
> [http://apache-ignite-users.70518.x6.nabble.com/Critical-security-vulnerability-for-opt-ignite-apache-ignite-libs-optional-ignite-rest-http-jackson-r-td34032.html]
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
