Hi Andreas,

I don't think so. We have a load balancer (Netscaler) in front of the solution that handles the distribution to the nodes running the application which uses Axis2, but no clustering/load-balancing that Axis2 is aware of. Is there a way to determine for sure if it is enabled/disabled?
Assuming we don't use clustering support:

1) Is it safe to remove those JAR files from the classpath if we don't use clustering support?
2) Will the files pose a threat if on the classpath even with clustering support disabled?

I guess with respect to #2 the safest thing is to omit the JARs altogether, because some vulns can be triggered just by having the code on the classpath (i.e. deserialization etc.).

BR, Martin

On Mon, Aug 6, 2018 at 2:11 PM, Andreas Veithen <andreas.veit...@gmail.com> wrote:
> These libraries are dependencies of axis2-clustering. Are you using
> the clustering support?
>
> Andreas
>
> On Mon, Aug 6, 2018 at 11:13 AM axis2user82 <axis2use...@gmail.com> wrote:
> >
> > Hi
> >
> > Sorry if you are getting this mail twice, but I sent it before having
> > finished subscribing, so I was unsure if it reached the list.
> >
> > We have recently integrated the OWASP Dependency Checker into our
> > CI-setup, and it has flagged two libraries as potentially problematic (i.e.
> > affected by serious CVEs), namely tribes-6.0.16.jar & juli-6.0.16.jar. It
> > turns out those are actually dependencies for Axis2. Both JAR files seem to
> > be part of Tomcat 6. Question is, how should we react to this finding? Are
> > the CVEs for those libraries not relevant when used in the context of
> > Axis2, since they haven't been updated (the latest version of Axis2 still
> > ships those versions)?
> >
> > Thanks!
> >
> > BR, Martin
> >
> > ---
> >
> > Dependency          CPE                                                Coordinates                        Highest Severity   CVE Count   CPE Confidence   Evidence Count
> >
> > tribes-6.0.16.jar   cpe:/a:apache:tomcat:6.0.16                        org.apache.tomcat:tribes:6.0.16    High               66          Highest          18
> >                     cpe:/a:apache_software_foundation:tomcat:6.0.16
> >                     cpe:/a:apache_tomcat:apache_tomcat:6.0.16
> >
> > juli-6.0.16.jar     cpe:/a:apache:tomcat:6.0.16                        org.apache.tomcat:juli:6.0.16      High               66          Highest          16
> >                     cpe:/a:apache_software_foundation:tomcat:6.0.16
> >                     cpe:/a:apache_tomcat:apache_tomcat:6.0.16
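As an added example (not part of this thread and not Axis2 project code), the two questions above can be answered mechanically in a CI step: read the deployed axis2.xml to see whether the clustering agent is switched on, and list which of the jars flagged by Dependency-Check are actually in the deployment. The `<clustering class="..." enable="...">` element and the `TribesClusteringAgent` class name are assumed to match the default Axis2 configuration file; the sample axis2.xml and the classpath listing are constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample axis2.xml. The <clustering class="..." enable="..."> element
# is assumed to follow the shape of the default Axis2 configuration file.
SAMPLE_AXIS2_XML = """<?xml version="1.0"?>
<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent"
                enable="false">
        <parameter name="AvoidInitiation">true</parameter>
    </clustering>
</axisconfig>
"""

# The two jars flagged by OWASP Dependency-Check in the thread above.
FLAGGED_JARS = ("tribes-6.0.16.jar", "juli-6.0.16.jar")

# Constructed classpath listing, e.g. the contents of WEB-INF/lib.
SAMPLE_CLASSPATH = [
    "WEB-INF/lib/axis2-kernel.jar",
    "WEB-INF/lib/axis2-clustering.jar",
    "WEB-INF/lib/tribes-6.0.16.jar",
    "WEB-INF/lib/juli-6.0.16.jar",
]


def clustering_status(xml_text):
    """Return (enabled, agent_class) read from an axis2.xml document.

    No <clustering> element, or one without enable="true", means Axis2
    never starts the Tribes clustering agent.
    """
    root = ET.fromstring(xml_text)
    node = root.find("clustering")
    if node is None:
        return False, None
    enabled = node.get("enable", "false").strip().lower() == "true"
    return enabled, node.get("class")


def flagged_on_classpath(jar_paths):
    """Return the flagged jar file names that appear in the given classpath."""
    names = {PurePosixPath(p).name for p in jar_paths}
    return [jar for jar in FLAGGED_JARS if jar in names]


def assess(xml_text, jar_paths):
    """Combine both checks into one finding a reviewer can act on."""
    enabled, agent = clustering_status(xml_text)
    present = flagged_on_classpath(jar_paths)
    if not present:
        advice = "flagged jars absent; nothing to do"
    elif enabled:
        advice = ("clustering is enabled and depends on these jars; "
                  "disable it or upgrade before removing them")
    else:
        advice = ("clustering is disabled, so the jars are unused at runtime "
                  "but still loadable; remove them from the deployment")
    return {
        "clustering_enabled": enabled,
        "agent": agent,
        "flagged_present": present,
        "advice": advice,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_AXIS2_XML, SAMPLE_CLASSPATH).items():
        print(f"{key}: {value}")
```

Run against the real WEB-INF/conf/axis2.xml and a listing of WEB-INF/lib; treating a missing `<clustering>` element as disabled mirrors how Axis2 behaves when the section is absent, and the classpath check catches the case where the jars remain in the deployment even though nothing references them.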