[
https://issues.apache.org/jira/browse/KARAF-7888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17905976#comment-17905976
]
Jean-Baptiste Onofré edited comment on KARAF-7888 at 1/16/25 6:37 AM:
----------------------------------------------------------------------
Here's my analyzes:
* woodstox is used in the stax2 spec feature
* xnio-api is not directly defined by Karaf (it's a transitive dependency)
* snakeyaml has been already updated to 2.2 (fixing the CVE) in the
jackson-jaxrs feature
* undertow is not defined in Karaf (it's coming via Pax Web)
So, there's nothing directly in Karaf, I keep this Jira open for next release
to cleanup/update the features.
was (Author: jbonofre):
Here's my analyzes:
* woodstox is used in the stax2 spec feature
* xnio-api is not directly defined by Karaf (it's a transitive dependency)
* snakeyaml has been already updated to 2.2 (fixing the CVE) in the
jackson-jaxrs feature
* undertow is not defined in Karaf (it's coming via Pax Web)
So, I'm updating woodstox and undertow (in Pax Web).
> Stepup snakeyaml, undertow, xnio and woodstox to solve CVEs
> ------------------------------------------------------------
>
> Key: KARAF-7888
> URL: https://issues.apache.org/jira/browse/KARAF-7888
> Project: Karaf
> Issue Type: Dependency upgrade
> Components: karaf
> Affects Versions: 4.4.6
> Environment: Linux
> Reporter: Sadeesh
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Labels: dependency-upgrade, security
>
> We use Karaf 4.4.6 that packs karaf standard features and specs. We found
> that below 3PPs comes from those features and affected by CVEs.
> woodstox-core-6.2.8.jar --> CVE-2022-40152
> xnio-api-3.8.11.Final.jar --> CVE-2023-5685
> snakeyaml-1.33.jar --> CVE-2022-1471
> undertow-core-2.2.31.Final.jar --> CVE-2023-1973, CVE-2024-6162,
> CVE-2024-5971 & CVE-2024-7885
> undertow-servlet-2.2.31.Final.jar --> CVE-2023-1973
> Please bump up to newer version that solves the vulnerability.
> *Using below plugin in our maven pom:*
> {{<plugin>}}
> {{ <groupId>org.apache.karaf.tooling</groupId>}}
> {{ <artifactId>karaf-maven-plugin</artifactId>}}
> {{ <version>4.4.6</version>}}
> {{ <extensions>true</extensions>}}
> {{ <executions>}}
> {{ <execution>}}
> {{ <id>features-add-to-repo</id>}}
> {{ <phase>generate-resources</phase>}}
> {{ <goals>}}
> {{ <goal>features-add-to-repository</goal>}}
> {{ </goals>}}
> {{ </execution>}}
> {{ </executions>}}
> {{ <configuration>}}
> {{ <descriptors>}}
> {{
> <descriptor>mvn:org.apache.karaf.features/standard/4.4.6/xml/features</descriptor>}}
> {{
> <descriptor>mvn:org.apache.karaf.features/specs/4.4.6/xml/features</descriptor>}}
> {{ </descriptors>}}
> {{ <installedFeatures>}}
> {{ <feature>war</feature>}}
> {{ </installedFeatures>}}
> {{ <bootFeature />}}
> {{ <repository>target/features-repo</repository>}}
> {{ </configuration>}}
> {{</plugin>}}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
