[ https://issues.apache.org/jira/browse/IGNITE-13464?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergei Ryzhov updated IGNITE-13464:
-----------------------------------
    Description: 
The ignite-rest-http module includes a [vulnerable 
version|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] of the log4j library. 
It also appears to include slf4j. Why does the REST API include its own logging 
libraries?

This was spotted in 2.8.1 but still appears to be an issue in master and 2.9.

More here:

http://apache-ignite-users.70518.x6.nabble.com/critical-security-vulnerability-for-opt-ignite-apache-ignite-libs-optional-ignite-rest-http-log4j-1-r-td34031.html

  was:
The ignite-rest-http, zookeeper module includes a [vulnerable 
version|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] of the log4j library. 
It also appears to include slf4j. Why does the REST API include its own logging 
libraries?

This was spotted in 2.8.1 but still appears to be an issue in master and 2.9.

More here:

http://apache-ignite-users.70518.x6.nabble.com/critical-security-vulnerability-for-opt-ignite-apache-ignite-libs-optional-ignite-rest-http-log4j-1-r-td34031.html


> Ignite-rest-http modules includes vulnerable dependencies
> ---------------------------------------------------------
>
>                 Key: IGNITE-13464
>                 URL: https://issues.apache.org/jira/browse/IGNITE-13464
>             Project: Ignite
>          Issue Type: Bug
>          Components: rest
>    Affects Versions: 2.9, 2.8.1
>            Reporter: Stephen Darlington
>            Assignee: Sergei Ryzhov
>            Priority: Blocker
>             Fix For: 2.12
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The ignite-rest-http module includes a [vulnerable 
> version|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] of the log4j 
> library. It also appears to include slf4j. Why does the REST API include its 
> own logging libraries?
> This was spotted in 2.8.1 but still appears to be an issue in master and 2.9.
> More here:
> http://apache-ignite-users.70518.x6.nabble.com/critical-security-vulnerability-for-opt-ignite-apache-ignite-libs-optional-ignite-rest-http-log4j-1-r-td34031.html



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
