[ https://issues.apache.org/jira/browse/KARAF-7888?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sadeesh updated KARAF-7888:
---------------------------
Description:
We use Karaf 4.4.6, which packs the Karaf standard features and specs. We found that
the 3PPs below come from those features and are affected by CVEs.
woodstox-core-6.2.8.jar --> CVE-2022-40152
xnio-api-3.8.11.Final.jar --> CVE-2023-5685
snakeyaml-1.33.jar --> CVE-2022-1471
undertow-core-2.2.31.Final.jar --> CVE-2023-1973, CVE-2024-6162, CVE-2024-5971
& CVE-2024-7885
undertow-servlet-2.2.31.Final.jar --> CVE-2023-1973
Please bump up to newer versions that solve the vulnerabilities.
*Using the plugin below in our Maven pom:*
<plugin>
  <groupId>org.apache.karaf.tooling</groupId>
  <artifactId>karaf-maven-plugin</artifactId>
  <version>4.4.6</version>
  <extensions>true</extensions>
  <executions>
    <execution>
      <id>features-add-to-repo</id>
      <phase>generate-resources</phase>
      <goals>
        <goal>features-add-to-repository</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <descriptors>
      <descriptor>mvn:org.apache.karaf.features/standard/4.4.6/xml/features</descriptor>
      <descriptor>mvn:org.apache.karaf.features/specs/4.4.6/xml/features</descriptor>
    </descriptors>
    <installedFeatures>
      <feature>war</feature>
    </installedFeatures>
    <bootFeature />
    <repository>target/features-repo</repository>
  </configuration>
</plugin>
was:
We use Karaf 4.4.6, which packs the 3PPs below, and they are affected by CVEs.
woodstox-core-6.2.8.jar --> CVE-2022-40152
xnio-api-3.8.11.Final.jar --> CVE-2023-5685
snakeyaml-1.33.jar --> CVE-2022-1471
undertow-core-2.2.31.Final.jar --> CVE-2023-1973, CVE-2024-6162, CVE-2024-5971
& CVE-2024-7885
undertow-servlet-2.2.31.Final.jar --> CVE-2023-1973
Please bump up to newer versions that solve the vulnerabilities.
> Stepup snakeyaml, undertow, xnio and woodstox to solve CVEs
> ------------------------------------------------------------
>
> Key: KARAF-7888
> URL: https://issues.apache.org/jira/browse/KARAF-7888
> Project: Karaf
> Issue Type: Dependency upgrade
> Components: karaf
> Affects Versions: 4.4.6
> Environment: Linux
> Reporter: Sadeesh
> Priority: Major
> Labels: dependency-upgrade, security
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
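The features-add-to-repository goal in the configuration above copies the bundles referenced by the standard and specs feature descriptors into target/features-repo in Maven repository layout, so the most direct way to confirm or re-check this report is to scan that directory (or the mvn: URLs in the features XML) for the five artifact versions it lists. The script below is an added example written for this page, not code from the Karaf project or the reporter. It assumes the Maven group IDs of the five artifacts (the issue names only jar file names), the standard Maven repository layout, and that earlier versions deserve review; it deliberately encodes no fixing versions, because the issue does not state them.

```python
"""Scan a Maven-layout repository (e.g. target/features-repo built by the
karaf-maven-plugin features-add-to-repository goal) for the jar versions
reported in KARAF-7888. Added example, not Apache Karaf code; group IDs and
repository layout are assumptions made here, fixing versions are not encoded."""
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# (groupId, artifactId) -> (version the issue reports as affected, CVE IDs it lists)
REPORTED = {
    ("com.fasterxml.woodstox", "woodstox-core"): ("6.2.8", ("CVE-2022-40152",)),
    ("org.jboss.xnio", "xnio-api"): ("3.8.11.Final", ("CVE-2023-5685",)),
    ("org.yaml", "snakeyaml"): ("1.33", ("CVE-2022-1471",)),
    ("io.undertow", "undertow-core"): ("2.2.31.Final", (
        "CVE-2023-1973", "CVE-2024-6162", "CVE-2024-5971", "CVE-2024-7885")),
    ("io.undertow", "undertow-servlet"): ("2.2.31.Final", ("CVE-2023-1973",)),
}

RELEASE_QUALIFIERS = ("", "final", "ga", "release")


def version_key(version: str) -> tuple:
    """Sortable key for Maven-style versions: numeric segments compare as ints;
    a release ('2.2.31', '2.2.31.Final') sorts above the same number with any
    other qualifier ('2.2.31-SNAPSHOT'), as Maven does."""
    nums, qualifier = [], ""
    for seg in re.split(r"[.\-]", version):
        if seg.isdigit():
            nums.append(int(seg))
        elif seg.lower() not in RELEASE_QUALIFIERS:
            qualifier = seg.lower()
    return (tuple(nums), 1 if not qualifier else 0, qualifier)


def parse_repo_path(rel_path: str) -> Optional[Tuple[str, str, str]]:
    """org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar -> (groupId, artifactId, version).
    Poms, checksums and classifier jars (-sources, -javadoc) return None."""
    parts = Path(rel_path).parts
    if len(parts) < 4:
        return None
    artifact, version, name = parts[-3], parts[-2], parts[-1]
    if name != f"{artifact}-{version}.jar":
        return None
    return ".".join(parts[:-3]), artifact, version


def parse_mvn_url(url: str) -> Optional[Tuple[str, str, str]]:
    """mvn:groupId/artifactId/version[/type[/classifier]] -> coordinates, so the
    features XML can be checked before the repository is built. A leading
    wrap: prefix and its $options suffix are stripped first."""
    if url.startswith("wrap:"):
        url = url[len("wrap:"):].split("$", 1)[0]
    if not url.startswith("mvn:"):
        return None
    coords = url[len("mvn:"):].split("/")
    return (coords[0], coords[1], coords[2]) if len(coords) >= 3 else None


def classify(group: str, artifact: str, version: str) -> Optional[dict]:
    """'reported': exactly the version the issue names. 'older': earlier version,
    flagged for review (assumption here; the issue does not discuss them).
    'newer': later than reported, not automatically safe since no fixing
    version is stated. None: artifact not in the report."""
    entry = REPORTED.get((group, artifact))
    if entry is None:
        return None
    reported, cves = entry
    found, ref = version_key(version), version_key(reported)
    status = "reported" if found == ref else ("older" if found < ref else "newer")
    return {"artifact": f"{group}:{artifact}:{version}", "status": status, "cves": cves}


def scan_paths(rel_paths: Iterable[str]) -> List[dict]:
    """Classify every main jar among repository-relative paths."""
    findings = []
    for rel_path in rel_paths:
        coords = parse_repo_path(rel_path)
        hit = classify(*coords) if coords else None
        if hit:
            findings.append(hit)
    return findings


def scan_repository(root: str) -> List[dict]:
    """Walk a real repository directory such as target/features-repo."""
    base = Path(root)
    return scan_paths(str(p.relative_to(base)) for p in base.rglob("*.jar"))


# Constructed sample of what target/features-repo holds after the plugin run
# in the issue (file names only, not real downloads).
SAMPLE_REPO_PATHS = [
    "org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar",
    "org/yaml/snakeyaml/1.33/snakeyaml-1.33.pom",
    "io/undertow/undertow-core/2.2.31.Final/undertow-core-2.2.31.Final.jar",
    "com/fasterxml/woodstox/woodstox-core/6.2.8/woodstox-core-6.2.8.jar",
    "org/apache/karaf/features/standard/4.4.6/standard-4.4.6-features.xml",
    "org/jboss/xnio/xnio-api/3.8.11.Final/xnio-api-3.8.11.Final-sources.jar",
]

if __name__ == "__main__":
    for finding in scan_paths(SAMPLE_REPO_PATHS):
        print(finding["status"], finding["artifact"], ", ".join(finding["cves"]))
```

Run it against a real build with scan_repository("target/features-repo") after the generate-resources phase; a "newer" result only means the version differs from the one reported here, so it still has to be checked against the advisories for each CVE before the artifact is considered clean.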