Note that the clustering component is optional. You can remove it if you don't need it.

Andreas

On Sun, Feb 28, 2021 at 10:22 AM Andrew Marlow <[email protected]> wrote:
> Hello everyone,
>
> I've discovered that a dependency in the axis2 clustering component makes
> axis2 vulnerable to CVE-2020-0822, filed against tomcat, which has a NIST
> score of 8.4 high.
>
> A maven dependency analysis shows this:
>
> INFO [m] +- org.apache.axis2:axis2-clustering:jar:1.8.0-SNAPSHOT:compile
> INFO [m] | +- org.apache.tomcat:tribes:jar:6.0.53:compile
> INFO [m] | \- org.apache.tomcat:juli:jar:6.0.53:compile
>
> I don't understand why axis2 depends on tomcat. Can someone explain please?
>
> --
> Regards,
>
> Andrew Marlow
> http://www.andrewpetermarlow.co.uk
