Thanks for your patience and effort on getting our attention on this. I often say there are no known CVEs in our repos, so it's great to get some community help here when vulnerabilities like this are not exposed by the GitHub tool Dependabot. Maybe GitHub has some more tools that would have caught this. I don't run these types of scans locally.

Anyways, I don't use Axis2 clustering myself, and at some point Tomcat Tribes changed the MembershipService interface to include a getMembershipProvider() method and setChannel() / getChannel() methods. I added those methods and it passed the unit tests, though I didn't write any code that actually uses these methods. So I made a commit and it passed the unit tests (I had to run as root to get past the security exception I mentioned in an earlier email today). I need to time-box this today. Any guidance from someone who uses clustering or is familiar with the Axis2 / Tribes code would be helpful.

Regards,
Robert

On Mon, Mar 8, 2021 at 11:40 PM Andrew Marlow <[email protected]> wrote:
> Hello Axis2 developers,
>
> Looking at the top level pom where we have the dependency on Tomcat Tribes, I see that the latest version is in use, 6.0.53. This version was released April 2017. However, looking at where this is in a typical maven repo, at https://mvnrepository.com/artifact/org.apache.tomcat/tribes, I see that the artifact has relocated. It has changed from org.apache.tomcat to tomcat-tribes. Nipping over to the new place at https://mvnrepository.com/artifact/org.apache.tomcat/tomcat-tribes I see there has been more development and the latest release is 10.0.2, release date Feb 2021.
>
> CVE-2020-8022 applies to tomcat 6.0.53, which has a score of 8.4 high from NIST. The NIST report says this is still undergoing analysis, so it is unclear what version, if any, it is fixed in. However, surely the best thing to do in order to close the vulnerability is to move to the latest version, 10.0.2. I know this has a CVE as well, CVE-2021-25329, but that has only very recently been filed. I'm sure that there will be a version after 10.0.2 that addresses it.
>
> What do people think about moving over to version 10.0.2 please?
> --
> Regards,
>
> Andrew Marlow
> http://www.andrewpetermarlow.co.uk
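The thread turns on a dependency that kept resolving to a stale coordinate (org.apache.tomcat:tribes) after the artifact moved to org.apache.tomcat:tomcat-tribes, which is exactly the case a local scan can catch before a scanner like Dependabot does. The following is an added example, not Axis2 project code and not something from either poster: a small Python audit that parses a pom, resolves `${property}` versions, checks each dependency against a relocation table seeded with the one move named in the thread, and compares versions numerically rather than as strings (a lexical compare would wrongly rank 6.0.53 above 10.0.2). The sample pom embedded below is constructed; the relocation table and the "newest known" version 10.0.2 are taken from the thread, and the `RELOCATIONS` structure is this example's own invention, not a Maven or Dependabot data format.

```python
"""Flag Maven dependencies that still point at a relocated (no longer updated) coordinate.

Constructed example; the only relocation entry is the one discussed in the thread.
"""
import re
import xml.etree.ElementTree as ET

# old groupId:artifactId -> (new groupId:artifactId, newest release known from the thread)
RELOCATIONS = {
    "org.apache.tomcat:tribes": ("org.apache.tomcat:tomcat-tribes", "10.0.2"),
}

# Constructed pom, shaped like a top-level project pom that pins Tribes through a property.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>sample-parent</artifactId>
  <version>1.0</version>
  <properties>
    <tribes.version>6.0.53</tribes.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tribes</artifactId>
      <version>${tribes.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
    </dependency>
  </dependencies>
</project>
"""


def _qualify(root):
    """Return a function that prefixes a tag with the POM namespace, if the root declares one."""
    m = re.match(r"\{(.*)\}", root.tag)
    prefix = "{" + m.group(1) + "}" if m else ""
    return lambda tag: prefix + tag


def _resolve(value, props):
    """Expand ${name} references using <properties>; unknown names are left untouched."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def version_key(version):
    """Split '6.0.53' into (6, 0, 53) so comparisons are numeric, not lexical.

    Non-numeric qualifiers (e.g. RC1) are kept as strings in a separate slot so that
    mixed tuples still compare without raising; their ordering is not modelled here.
    """
    parts = re.split(r"[.\-]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def parse_dependencies(pom_xml):
    """Return (groupId, artifactId, resolvedVersion) for every <dependency> element.

    root.iter() also walks <dependencyManagement>, which is what an audit wants.
    """
    root = ET.fromstring(pom_xml)
    q = _qualify(root)
    props = {
        p.tag.split("}")[-1]: (p.text or "").strip()
        for p in root.findall(f"{q('properties')}/*")
    }
    props.setdefault("project.version", (root.findtext(q("version")) or "").strip())
    deps = []
    for dep in root.iter(q("dependency")):
        group = (dep.findtext(q("groupId")) or "").strip()
        artifact = (dep.findtext(q("artifactId")) or "").strip()
        version = _resolve((dep.findtext(q("version")) or "").strip(), props)
        deps.append((group, artifact, version))
    return deps


def audit(pom_xml):
    """List dependencies sitting at a relocated coordinate, noting whether they lag the newest release."""
    findings = []
    for group, artifact, version in parse_dependencies(pom_xml):
        coord = f"{group}:{artifact}"
        if coord not in RELOCATIONS:
            continue
        new_coord, newest = RELOCATIONS[coord]
        # An unresolved or missing version is treated as behind: it cannot be shown current.
        behind = (not version) or version_key(version) < version_key(newest)
        findings.append({
            "coordinate": coord,
            "version": version or "(unspecified)",
            "relocated_to": new_coord,
            "newest_known": newest,
            "behind": behind,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_POM):
        print(f"{f['coordinate']} {f['version']} -> use {f['relocated_to']} "
              f"(newest known {f['newest_known']}, behind={f['behind']})")
```

Running it against a real pom would mean reading the file instead of `SAMPLE_POM`; the relocation table is the part to keep current, since a relocated artifact never publishes new versions at its old coordinate and so never looks outdated to a check that only compares versions within one coordinate.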
