[jira] [Resolved] (OAK-9491) Address vulnerabilities found by dependency checker plugin

[Julian Reschke (Jira)]

     [ 
https://issues.apache.org/jira/browse/OAK-9491?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Julian Reschke resolved OAK-9491.
---------------------------------
    Fix Version/s: 1.58.0
         Assignee: Julian Reschke  (was: Andrei Dulceanu)
       Resolution: Fixed

Oak now shades Guava, and uses the most recent version.

Two modules are left (*azure) which have Guava as transitive dependency, and 
these now embed it.


> Address vulnerabilities found by dependency checker plugin
> ----------------------------------------------------------
>
>                 Key: OAK-9491
>                 URL: https://issues.apache.org/jira/browse/OAK-9491
>             Project: Jackrabbit Oak
>          Issue Type: Task
>    Affects Versions: 1.40.0, 1.22.7
>            Reporter: Andrei Dulceanu
>            Assignee: Julian Reschke
>            Priority: Major
>             Fix For: 1.58.0
>
>
> {noformat}
> One or more dependencies were identified with known vulnerabilities in 
> Jackrabbit Oak:aggs-matrix-stats-client-7.1.1.jar 
> (pkg:maven/org.elasticsearch.plugin/aggs-matrix-stats-client@7.1.1, 
> cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, 
> cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, 
> CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, 
> CVE-2020-7021
> bcprov-jdk15on-1.65.jar (pkg:maven/org.bouncycastle/bcprov-jdk15on@1.65, 
> cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.65:*:*:*:*:*:*:*)
>  : CVE-2020-28052
> commons-io-2.6.jar (pkg:maven/commons-io/commons-io@2.6, 
> cpe:2.3:a:apache:commons_io:2.6:*:*:*:*:*:*:*) : CVE-2021-29425
> cxf-core-3.3.6.jar (pkg:maven/org.apache.cxf/cxf-core@3.3.6, 
> cpe:2.3:a:apache:cxf:3.3.6:*:*:*:*:*:*:*) : CVE-2020-13954, CVE-2021-22696, 
> CVE-2021-30468
> elasticsearch-core-7.1.1.jar 
> (pkg:maven/org.elasticsearch/elasticsearch-core@7.1.1, 
> cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, 
> cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, 
> CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, 
> CVE-2020-7021
> fluent-hc-4.5.12.jar (pkg:maven/org.apache.httpcomponents/fluent-hc@4.5.12, 
> cpe:2.3:a:apache:httpclient:4.5.12:*:*:*:*:*:*:*) : CVE-2020-13956
> groovy-2.5.2.jar (pkg:maven/org.codehaus.groovy/groovy@2.5.2, 
> cpe:2.3:a:apache:groovy:2.5.2:*:*:*:*:*:*:*) : CVE-2020-17521
> groovy-all-2.4.17.jar (pkg:maven/org.codehaus.groovy/groovy-all@2.4.17, 
> cpe:2.3:a:apache:groovy:2.4.17:*:*:*:*:*:*:*) : CVE-2020-17521
> guava-15.0.jar (pkg:maven/com.google.guava/guava@15.0, 
> cpe:2.3:a:google:guava:15.0:*:*:*:*:*:*:*) : CVE-2018-10237, CVE-2020-8908
> guava-18.0.jar (pkg:maven/com.google.guava/guava@18.0, 
> cpe:2.3:a:google:guava:18.0:*:*:*:*:*:*:*) : CVE-2018-10237, CVE-2020-8908
> hibernate-validator-5.3.6.Final.jar 
> (pkg:maven/org.hibernate/hibernate-validator@5.3.6.Final, 
> cpe:2.3:a:hibernate:hibernate-validator:5.3.6:*:*:*:*:*:*:*, 
> cpe:2.3:a:redhat:hibernate_validator:5.3.6:*:*:*:*:*:*:*) : CVE-2020-10693
> http2-client-9.4.27.v20200227.jar 
> (pkg:maven/org.eclipse.jetty.http2/http2-client@9.4.27.v20200227, 
> cpe:2.3:a:eclipse:jetty:9.4.27:20200227:*:*:*:*:*:*, 
> cpe:2.3:a:jetty:jetty:9.4.27:20200227:*:*:*:*:*:*, 
> cpe:2.3:a:mortbay_jetty:jetty:9.4.27:20200227:*:*:*:*:*:*) : CVE-2019-17638, 
> CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, 
> CVE-2021-28169, CVE-2021-34428
> httpclient-4.5.12.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.5.12, 
> cpe:2.3:a:apache:httpclient:4.5.12:*:*:*:*:*:*:*) : CVE-2020-13956
> httpclient-osgi-4.5.12.jar/META-INF/maven/org.apache.httpcomponents/httpclient-cache/pom.xml
>  (pkg:maven/org.apache.httpcomponents/httpclient-cache@4.5.12, 
> cpe:2.3:a:apache:httpclient:4.5.12:*:*:*:*:*:*:*) : CVE-2020-13956
> jackson-databind-2.10.3.jar 
> (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.3, 
> cpe:2.3:a:fasterxml:jackson-databind:2.10.3:*:*:*:*:*:*:*) : CVE-2020-25649
> java-xmlbuilder-1.1.jar (pkg:maven/com.jamesmurty.utils/java-xmlbuilder@1.1) 
> : CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
> javax-websocket-server-impl-9.4.18.v20190429.jar 
> (pkg:maven/org.eclipse.jetty.websocket/javax-websocket-server-impl@9.4.18.v20190429,
>  cpe:2.3:a:eclipse:jetty:9.4.18:20190429:*:*:*:*:*:*, 
> cpe:2.3:a:java-websocket_project:java-websocket:9.4.18:20190429:*:*:*:*:*:*, 
> cpe:2.3:a:jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, 
> cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*) : CVE-2020-27216, 
> CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
> javax.servlet-3.0.0.v201112011016.jar 
> (pkg:maven/org.eclipse.jetty.orbit/javax.servlet@3.0.0.v201112011016, 
> cpe:2.3:a:eclipse:jetty:3.0.0:201112011016:*:*:*:*:*:*, 
> cpe:2.3:a:jetty:jetty:3.0.0:201112011016:*:*:*:*:*:*) : CVE-2009-5045, 
> CVE-2009-5046, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2020-27216, 
> CVE-2021-28169, CVE-2021-34428
> javax.websocket-api-1.0.jar 
> (pkg:maven/javax.websocket/javax.websocket-api@1.0, 
> cpe:2.3:a:java-websocket_project:java-websocket:1.0:*:*:*:*:*:*:*) : 
> CVE-2020-11050
> jdom2-2.0.6.jar (pkg:maven/org.jdom/jdom2@2.0.6, 
> cpe:2.3:a:jdom:jdom:2.0.6:*:*:*:*:*:*:*) : CVE-2021-33813
> jetty-http-9.4.27.v20200227.jar 
> (pkg:maven/org.eclipse.jetty/jetty-http@9.4.27.v20200227, 
> cpe:2.3:a:eclipse:jetty:9.4.27:20200227:*:*:*:*:*:*, 
> cpe:2.3:a:jetty:jetty:9.4.27:20200227:*:*:*:*:*:*, 
> cpe:2.3:a:mortbay_jetty:jetty:9.4.27:20200227:*:*:*:*:*:*) : CVE-2019-17638, 
> CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, 
> CVE-2021-28169, CVE-2021-34428
> jetty-io-8.2.0.v20160908.jar 
> (pkg:maven/org.eclipse.jetty/jetty-io@8.2.0.v20160908, 
> cpe:2.3:a:mortbay_jetty:jetty:8.2.0:20160908:*:*:*:*:*:*) : CVE-2021-28165
> jetty-io-9.4.18.v20190429.jar 
> (pkg:maven/org.eclipse.jetty/jetty-io@9.4.18.v20190429, 
> cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*) : CVE-2021-28165
> jetty-io-9.4.27.v20200227.jar 
> (pkg:maven/org.eclipse.jetty/jetty-io@9.4.27.v20200227, 
> cpe:2.3:a:mortbay_jetty:jetty:9.4.27:20200227:*:*:*:*:*:*) : CVE-2021-28165
> jetty-server-8.2.0.v20160908.jar 
> (pkg:maven/org.eclipse.jetty/jetty-server@8.2.0.v20160908, 
> cpe:2.3:a:eclipse:jetty:8.2.0:20160908:*:*:*:*:*:*, 
> cpe:2.3:a:jetty:jetty:8.2.0:20160908:*:*:*:*:*:*, 
> cpe:2.3:a:mortbay_jetty:jetty:8.2.0:20160908:*:*:*:*:*:*) : CVE-2017-7656, 
> CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2019-10241, CVE-2019-10247, 
> CVE-2020-27216, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
> jetty-server-9.4.18.v20190429.jar 
> (pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429, 
> cpe:2.3:a:eclipse:jetty:9.4.18:20190429:*:*:*:*:*:*, 
> cpe:2.3:a:jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, 
> cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*) : CVE-2020-27216, 
> CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
> jetty-util-8.2.0.v20160908.jar 
> (pkg:maven/org.eclipse.jetty/jetty-util@8.2.0.v20160908, 
> cpe:2.3:a:eclipse:jetty:8.2.0:20160908:*:*:*:*:*:*, 
> cpe:2.3:a:jetty:jetty:8.2.0:20160908:*:*:*:*:*:*, 
> cpe:2.3:a:mortbay_jetty:jetty:8.2.0:20160908:*:*:*:*:*:*) : CVE-2017-7656, 
> CVE-2017-7657, CVE-2017-7658, CVE-2019-10247, CVE-2020-27216, CVE-2021-28165, 
> CVE-2021-28169, CVE-2021-34428
> junit-4.12.jar (pkg:maven/junit/junit@4.12) : CVE-2020-15250
> lang-mustache-client-7.1.1.jar 
> (pkg:maven/org.elasticsearch.plugin/lang-mustache-client@7.1.1, 
> cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, 
> cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, 
> CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, 
> CVE-2020-7021
> log4j-1.2.16.jar (pkg:maven/log4j/log4j@1.2.16, 
> cpe:2.3:a:apache:log4j:1.2.16:*:*:*:*:*:*:*) : CVE-2019-17571, CVE-2020-9488
> log4j-1.2.17.jar (pkg:maven/log4j/log4j@1.2.17, 
> cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*) : CVE-2019-17571, CVE-2020-9488
> log4j-api-2.11.1.jar (pkg:maven/org.apache.logging.log4j/log4j-api@2.11.1, 
> cpe:2.3:a:apache:log4j:2.11.1:*:*:*:*:*:*:*) : CVE-2020-9488
> log4j-over-slf4j-1.7.30.jar (pkg:maven/org.slf4j/log4j-over-slf4j@1.7.30, 
> cpe:2.3:a:apache:log4j:1.7.30:*:*:*:*:*:*:*) : CVE-2020-9488
> mongo-java-driver-3.12.7.jar (pkg:maven/org.mongodb/mongo-java-driver@3.12.7, 
> cpe:2.3:a:mongodb:java_driver:3.12.7:*:*:*:*:*:*:*) : CVE-2021-20328
> netty-3.7.0.Final.jar (pkg:maven/io.netty/netty@3.7.0.Final, 
> cpe:2.3:a:netty:netty:3.7.0:*:*:*:*:*:*:*) : CVE-2014-0193, CVE-2014-3488, 
> CVE-2015-2156, CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, 
> CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, POODLE vulnerability in 
> SSLv3.0 support
> netty-transport-4.1.47.Final.jar 
> (pkg:maven/io.netty/netty-transport@4.1.47.Final, 
> cpe:2.3:a:netty:netty:4.1.47:*:*:*:*:*:*:*) : CVE-2021-21290, CVE-2021-21295, 
> CVE-2021-21409
> netty-transport-4.1.52.Final.jar 
> (pkg:maven/io.netty/netty-transport@4.1.52.Final, 
> cpe:2.3:a:netty:netty:4.1.52:*:*:*:*:*:*:*) : CVE-2021-21290, CVE-2021-21295, 
> CVE-2021-21409
> oak-jackrabbit-api-1.34.0.jar 
> (pkg:maven/org.apache.jackrabbit/oak-jackrabbit-api@1.34.0, 
> cpe:2.3:a:apache:jackrabbit:1.34.0:*:*:*:*:*:*:*, 
> cpe:2.3:a:apache:jackrabbit_oak:1.34.0:*:*:*:*:*:*:*) : CVE-2015-1833
> oak-segment-1.6.0.jar (pkg:maven/org.apache.jackrabbit/oak-segment@1.6.0, 
> cpe:2.3:a:apache:jackrabbit:1.6.0:*:*:*:*:*:*:*, 
> cpe:2.3:a:apache:jackrabbit_oak:1.6.0:*:*:*:*:*:*:*) : CVE-2015-1833, 
> CVE-2020-1940
> org.apache.felix.webconsole-4.2.10-all.jar: jquery-1.8.3.js 
> (pkg:javascript/jquery@1.8.3) : CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, 
> CVE-2020-11022, CVE-2020-11023
> org.apache.felix.webconsole-4.2.10-all.jar: jquery-ui-1.9.2.js 
> (pkg:javascript/jquery-ui-dialog@1.9.2, 
> pkg:javascript/jquery-ui-tooltip@1.9.2) : CVE-2010-5312, CVE-2012-6662, 
> CVE-2016-7103
> pom.xml (pkg:maven/org.apache.jackrabbit/oak-jackrabbit-api@1.22.8-SNAPSHOT, 
> cpe:2.3:a:apache:jackrabbit:1.22.8:snapshot:*:*:*:*:*:*, 
> cpe:2.3:a:apache:jackrabbit_oak:1.22.8:snapshot:*:*:*:*:*:*) : CVE-2015-1833
> pom.xml (pkg:maven/org.apache.jackrabbit/oak-solr-core@1.22.8-SNAPSHOT, 
> cpe:2.3:a:apache:jackrabbit_oak:1.22.8:snapshot:*:*:*:*:*:*, 
> cpe:2.3:a:apache:solr:1.22.8:snapshot:*:*:*:*:*:*) : CVE-2012-6612, 
> CVE-2013-6397, CVE-2013-6407, CVE-2013-6408, CVE-2015-8795, CVE-2015-8796, 
> CVE-2015-8797, CVE-2017-3163, CVE-2017-3164, CVE-2018-11802, CVE-2018-1308, 
> CVE-2019-0193, CVE-2020-13941, CVE-2021-27905, CVE-2021-29262, CVE-2021-29943
> org.apache.servicemix.bundles.dom4j-2.1.1_1.jar 
> (pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.dom4j@2.1.1_1,
>  cpe:2.3:a:dom4j_project:dom4j:2.1.1.1:*:*:*:*:*:*:*) : CVE-2020-10683
> org.apache.sling.commons.logservice-1.0.4.jar 
> (pkg:maven/org.apache.sling/org.apache.sling.commons.logservice@1.0.4, 
> cpe:2.3:a:apache:sling:1.0.4:*:*:*:*:*:*:*) : CVE-2016-5394, CVE-2016-6798
> parent-join-client-7.1.1.jar 
> (pkg:maven/org.elasticsearch.plugin/parent-join-client@7.1.1, 
> cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, 
> cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, 
> CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, 
> CVE-2020-7021
> pdfbox-2.0.19.jar (pkg:maven/org.apache.pdfbox/pdfbox@2.0.19, 
> cpe:2.3:a:apache:pdfbox:2.0.19:*:*:*:*:*:*:*) : CVE-2021-27807, 
> CVE-2021-27906, CVE-2021-31811, CVE-2021-31812
> preflight-2.0.19.jar (pkg:maven/org.apache.pdfbox/preflight@2.0.19, 
> cpe:2.3:a:apache:pdfbox:2.0.19:*:*:*:*:*:*:*) : CVE-2021-27807, 
> CVE-2021-27906, CVE-2021-31811, CVE-2021-31812
> rank-eval-client-7.1.1.jar 
> (pkg:maven/org.elasticsearch.plugin/rank-eval-client@7.1.1, 
> cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, 
> cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, 
> CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, 
> CVE-2020-7021
> sentiment-analysis-parser-0.1.jar 
> (pkg:maven/edu.usc.ir/sentiment-analysis-parser@0.1, 
> cpe:2.3:a:data_tools_project:data_tools:0.1:*:*:*:*:*:*:*) : CVE-2018-18749
> sis-netcdf-1.0.jar (pkg:maven/org.apache.sis.storage/sis-netcdf@1.0, 
> cpe:2.3:a:storage_project:storage:1.0:*:*:*:*:*:*:*) : CVE-2021-20291
> snakeyaml-1.17.jar (pkg:maven/org.yaml/snakeyaml@1.17, 
> cpe:2.3:a:snakeyaml_project:snakeyaml:1.17:*:*:*:*:*:*:*) : CVE-2017-18640
> solr-solrj-8.6.3.jar (pkg:maven/org.apache.solr/solr-solrj@8.6.3, 
> cpe:2.3:a:apache:solr:8.6.3:*:*:*:*:*:*:*) : CVE-2021-27905, CVE-2021-29262, 
> CVE-2021-29943
> spring-core-4.3.24.RELEASE.jar 
> (pkg:maven/org.springframework/spring-core@4.3.24.RELEASE, 
> cpe:2.3:a:pivotal_software:spring_framework:4.3.24:release:*:*:*:*:*:*, 
> cpe:2.3:a:springsource:spring_framework:4.3.24:release:*:*:*:*:*:*, 
> cpe:2.3:a:vmware:spring_framework:4.3.24:release:*:*:*:*:*:*, 
> cpe:2.3:a:vmware:springsource_spring_framework:4.3.24:release:*:*:*:*:*:*) : 
> CVE-2020-5421
> tagsoup-1.2.1.jar (pkg:maven/org.ccil.cowan.tagsoup/tagsoup@1.2.1, 
> cpe:2.3:a:tag_project:tag:1.2.1:*:*:*:*:*:*:*) : CVE-2020-29242, 
> CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
> tika-core-1.24.1.jar (pkg:maven/org.apache.tika/tika-core@1.24.1, 
> cpe:2.3:a:apache:tika:1.24.1:*:*:*:*:*:*:*) : CVE-2021-28657
> vorbis-java-tika-0.8.jar (pkg:maven/org.gagravarr/vorbis-java-tika@0.8, 
> cpe:2.3:a:flac_project:flac:0.8:*:*:*:*:*:*:*) : CVE-2017-6888
> websocket-common-9.4.18.v20190429.jar 
> (pkg:maven/org.eclipse.jetty.websocket/websocket-common@9.4.18.v20190429, 
> cpe:2.3:a:eclipse:jetty:9.4.18:20190429:*:*:*:*:*:*, 
> cpe:2.3:a:java-websocket_project:java-websocket:9.4.18:20190429:*:*:*:*:*:*, 
> cpe:2.3:a:jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, 
> cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, 
> cpe:2.3:a:websocket-extensions_project:websocket-extensions:9.4.18:20190429:*:*:*:*:*:*)
>  : CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, 
> CVE-2021-28169, CVE-2021-34428
> websocket-server-9.4.18.v20190429.jar 
> (pkg:maven/org.eclipse.jetty.websocket/websocket-server@9.4.18.v20190429, 
> cpe:2.3:a:eclipse:jetty:9.4.18:20190429:*:*:*:*:*:*, 
> cpe:2.3:a:java-websocket_project:java-websocket:9.4.18:20190429:*:*:*:*:*:*, 
> cpe:2.3:a:jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, 
> cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*) : CVE-2020-27216, 
> CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
> xmpbox-2.0.19.jar (pkg:maven/org.apache.pdfbox/xmpbox@2.0.19, 
> cpe:2.3:a:apache:pdfbox:2.0.19:*:*:*:*:*:*:*) : CVE-2021-27807, 
> CVE-2021-27906, CVE-2021-31811, CVE-2021-31812
> zookeeper-3.4.6.jar (pkg:maven/org.apache.zookeeper/zookeeper@3.4.6, 
> cpe:2.3:a:apache:zookeeper:3.4.6:*:*:*:*:*:*:*) : CVE-2016-5017, 
> CVE-2017-5637, CVE-2018-8012, CVE-2019-0201, CVE-2021-21409
> zookeeper-3.5.7.jar (pkg:maven/org.apache.zookeeper/zookeeper@3.5.7, 
> cpe:2.3:a:apache:zookeeper:3.5.7:*:*:*:*:*:*:*) : CVE-2021-21409
> -1,548 {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)