On Mon, Aug 6, 2018 at 1:21 PM Martin H <axis2use...@gmail.com> wrote:
>
> Hi Andreas
>
> I don't think so - we have a load balancer (Netscaler) in front of the
> solution that handles the distribution to the nodes running the application
> which uses Axis2. But no clustering/load-balancing that Axis2 is aware of. Is
> there a way to determine for sure if it is enabled/disabled?

I think the way to check that is to look for a <cluster> element in axis2.xml.

> Assuming we don't use clustering support:
>
> 1) Is it safe to remove those JAR files from the classpath if we don't use
> clustering support?

Yes.

> 2) Will the files pose a threat if on the classpath even with clustering
> support disabled?

Unlikely, but better to remove them.

> I guess with respect to #2 the safest thing is to omit the JARs altogether because
> some vulns can be triggered just by having the code on the classpath (i.e.
> deserialization etc.).
>
> BR, Martin
>
> On Mon, Aug 6, 2018 at 2:11 PM, Andreas Veithen <andreas.veit...@gmail.com>
> wrote:
>>
>> These libraries are dependencies of axis2-clustering. Are you using
>> the clustering support?
>>
>> Andreas
>>
>> On Mon, Aug 6, 2018 at 11:13 AM axis2user82 <axis2use...@gmail.com> wrote:
>> >
>> > Hi
>> >
>> > Sorry if you are getting this mail twice, but I sent it before having
>> > finished subscribing, so I was unsure if it reached the list.
>> >
>> > We have recently integrated the OWASP Dependency Checker into our
>> > CI setup, and it has flagged two libraries as potentially problematic
>> > (i.e. affected by serious CVEs), namely tribes-6.0.16.jar &
>> > juli-6.0.16.jar. It turns out those are actually dependencies for Axis2.
>> > Both JAR files seem to be part of Tomcat 6. Question is, how should we
>> > react to this finding? Are the CVEs for those libraries not relevant when
>> > used in the context of Axis2, since they haven't been updated (the latest
>> > version of Axis2 still ships those versions)?
>> >
>> > Thanks!
>> >
>> > BR, Martin
>> >
>> > ---
>> >
>> > Dependency-Check report (columns: Dependency, CPE, Coordinates, Highest
>> > Severity, CVE Count, CPE Confidence, Evidence Count):
>> >
>> > Dependency:       tribes-6.0.16.jar
>> > CPE:              cpe:/a:apache:tomcat:6.0.16
>> >                   cpe:/a:apache_software_foundation:tomcat:6.0.16
>> >                   cpe:/a:apache_tomcat:apache_tomcat:6.0.16
>> > Coordinates:      org.apache.tomcat:tribes:6.0.16 ✓
>> > Highest Severity: High
>> > CVE Count:        66
>> > CPE Confidence:   Highest
>> > Evidence Count:   18
>> >
>> > Dependency:       juli-6.0.16.jar
>> > CPE:              cpe:/a:apache:tomcat:6.0.16
>> >                   cpe:/a:apache_software_foundation:tomcat:6.0.16
>> >                   cpe:/a:apache_tomcat:apache_tomcat:6.0.16
>> > Coordinates:      org.apache.tomcat:juli:6.0.16 ✓
>> > Highest Severity: High
>> > CVE Count:        66
>> > CPE Confidence:   Highest
>> > Evidence Count:   16
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: java-user-unsubscr...@axis.apache.org
>> For additional commands, e-mail: java-user-h...@axis.apache.org
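The check Andreas describes (a live cluster element in axis2.xml) combined with Martin's question about the tribes/juli JARs, as an added example that is not from this thread or from the Axis2 project. It assumes the element is spelled either `<cluster>` (as stated above) or `<clustering enable="...">` (as in later Axis2 releases), and the axis2.xml fragments and JAR names below are constructed samples.

```python
import os
import re
import xml.etree.ElementTree as ET

# Element names that switch clustering on: <cluster> as named in the thread,
# <clustering enable="true"> as used by later Axis2 releases (assumption).
CLUSTER_ELEMENTS = ("cluster", "clustering")
# The artifacts Dependency-Check flagged in the thread.
CLUSTERING_JAR_PATTERN = re.compile(r"^(tribes|juli)-[\d.]+\.jar$")

# Constructed axis2.xml samples: default-style commented-out block vs. active.
AXIS2_XML_CLUSTER_DISABLED = """<axisconfig name="AxisJava2.0">
  <!--
  <clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent" enable="true"/>
  -->
</axisconfig>"""
AXIS2_XML_CLUSTER_ENABLED = """<axisconfig name="AxisJava2.0">
  <clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent" enable="true"/>
</axisconfig>"""
# Constructed WEB-INF/lib listing.
SAMPLE_JARS = ["tribes-6.0.16.jar", "some-other-lib.jar", "juli-6.0.16.jar"]


def clustering_enabled(axis2_xml_text):
    """True only if a live (not commented-out) cluster element exists and is
    not explicitly switched off with enable="false". ElementTree discards
    XML comments while parsing, so the default commented-out block is ignored."""
    root = ET.fromstring(axis2_xml_text)
    for name in CLUSTER_ELEMENTS:
        for element in root.iter(name):
            if element.get("enable", "true").lower() != "false":
                return True
    return False


def clustering_jars(lib_dir):
    """List tribes/juli JARs actually present in a WEB-INF/lib directory."""
    return sorted(f for f in os.listdir(lib_dir) if CLUSTERING_JAR_PATTERN.match(f))


def assess(axis2_xml_text, jar_names):
    """Pair the config state with the JAR list: the flagged JARs can be
    dropped from the deployment only when clustering is not configured."""
    enabled = clustering_enabled(axis2_xml_text)
    jars = sorted(j for j in jar_names if CLUSTERING_JAR_PATTERN.match(j))
    return {"clustering_enabled": enabled,
            "clustering_jars": jars,
            "safe_to_remove": bool(jars) and not enabled}


if __name__ == "__main__":
    print(assess(AXIS2_XML_CLUSTER_DISABLED, SAMPLE_JARS))
```

Pass the real axis2.xml contents and `clustering_jars("<webapp>/WEB-INF/lib")` to `assess` to get the answer for a deployed instance.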