timus1 created IGNITE-20756:
-------------------------------

             Summary: Partially unresolved OOM issue in thin client protocol 
handler caused by malicious or garbage data.
                 Key: IGNITE-20756
                 URL: https://issues.apache.org/jira/browse/IGNITE-20756
             Project: Ignite
          Issue Type: Bug
          Components: thin client
    Affects Versions: 2.15
            Reporter: timus1


I understand that issue IGNITE-15921 is fixed in Ignite 2.13 and above. I use the 
ignite-core 2.15 library in my software, and I security-scan the software and its 
dependent libraries with Nexus IQ. The Nexus IQ report (sonatype-2021-4292) 
suggests that the fix shipped in ignite-core 2.15 via the above issue is only 
partial and does not address all of the vulnerable code. They provided an 
advisory deviation notice for ignite-core 2.15.0, which I have pasted below. I 
want to confirm whether the Ignite community agrees with this finding for the 
2.15 version. If yes, could you please consider addressing this vulnerability?


Advisories
Project: https://github.com/apache/ignite/pull/9610
Project: https://issues.apache.org/jira/browse/IGNITE-15921
_Advisory Deviation Notice from Nexus IQ report:_ The Sonatype security 
research team discovered that the {{read()}} method in the 
{{GridNioServerBuffer}} class also has the vulnerable portion of code in it 
and was not taken into account in the fix (IGNITE-15921).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)