Re: Security vulnerabilities in Axis2 dependencies? "tribes" & "juli" JAR files
On Mon, Aug 6, 2018 at 1:21 PM Martin H wrote:
>
> Hi Andreas
>
> I don't think so - we have a load balancer (Netscaler) in front of the
> solution that handles the distribution to the nodes running the
> application which uses Axis2. But no clustering/load-balancing that Axis2
> is aware of. Is there a way to determine for sure if it is
> enabled/disabled?

I think the way to check that is to look for a element in axis2.xml.

> Assuming we don't use clustering support:
>
> 1) Is it safe to remove those JAR files from the classpath if we don't
>    use clustering support?

Yes.

> 2) Will the files pose a threat if on the classpath even with clustering
>    support disabled?

Unlikely, but better to remove them.

> I guess with respect to #2 the safest thing is to omit the JARs
> altogether because some vulns can be triggered just by having the code on
> the classpath (i.e. deserialization etc.).
>
> BR, Martin
>
> On Mon, Aug 6, 2018 at 2:11 PM, Andreas Veithen wrote:
>>
>> These libraries are dependencies of axis2-clustering. Are you using
>> the clustering support?
>>
>> Andreas
>>
>> On Mon, Aug 6, 2018 at 11:13 AM axis2user82 wrote:
>>>
>>> Hi
>>>
>>> Sorry if you are getting this mail twice, but I sent it before having
>>> finished subscribing, so I was unsure if it reached the list.
>>>
>>> We have recently integrated the OWASP Dependency Checker into our CI
>>> setup, and it has flagged two libraries as potentially problematic
>>> (i.e. affected by serious CVEs), namely tribes-6.0.16.jar &
>>> juli-6.0.16.jar. It turns out those are actually dependencies for
>>> Axis2. Both JAR files seem to be part of Tomcat 6. Question is, how
>>> should we react to this finding? Are the CVEs for those libraries not
>>> relevant when used in the context of Axis2, since they haven't been
>>> updated (the latest version of Axis2 still ships those versions)?
>>>
>>> Thanks!
>>>
>>> BR, Martin
>>>
>>> ---
>>>
>>> Dependency         CPE                                               Coordinates                        Highest   CVE    CPE         Evidence
>>>                                                                                                         Severity  Count  Confidence  Count
>>> tribes-6.0.16.jar  cpe:/a:apache:tomcat:6.0.16                       org.apache.tomcat:tribes:6.0.16 ✓  High      66     Highest     18
>>>                    cpe:/a:apache_software_foundation:tomcat:6.0.16
>>>                    cpe:/a:apache_tomcat:apache_tomcat:6.0.16
>>> juli-6.0.16.jar    cpe:/a:apache:tomcat:6.0.16                       org.apache.tomcat:juli:6.0.16 ✓    High      66     Highest     16
>>>                    cpe:/a:apache_software_foundation:tomcat:6.0.16
>>>                    cpe:/a:apache_tomcat:apache_tomcat:6.0.16

-
To unsubscribe, e-mail: java-user-unsubscr...@axis.apache.org
For additional commands, e-mail: java-user-h...@axis.apache.org
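The two checks discussed above (is clustering switched on in axis2.xml, and are the flagged JARs still on the classpath) as a small script a CI job can run against an exploded WAR. This is an added example, not code from the thread or from the Axis2 project. It assumes that axis2.xml carries a `<clustering ... enable="true|false">` element like the one in the axis2.xml shipped with Axis2 1.x, that the file lives at `WEB-INF/conf/axis2.xml`, and that third-party JARs sit in `WEB-INF/lib`; the sample deployment the script builds for itself is constructed for the demo and uses empty placeholder files in place of real JARs.

```python
"""Decide whether OWASP Dependency-Check findings on tribes-*.jar / juli-*.jar
are reachable in an Axis2 web application.

Added example; not code from the Axis2 project or from the thread.
Assumptions (check them against your own deployment):
  * axis2.xml has a <clustering ... enable="true|false"> element, as in the
    axis2.xml shipped with Axis2 1.x, and lives at WEB-INF/conf/axis2.xml;
  * the flagged JARs sit in WEB-INF/lib of the exploded web application.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Artifacts Dependency-Check mapped to cpe:/a:apache:tomcat:6.0.16 in the thread.
FLAGGED_JAR = re.compile(r"^(tribes|juli)-\d[\w.\-]*\.jar$", re.IGNORECASE)


def clustering_state(axis2_xml_path):
    """Return 'enabled', 'disabled' or 'absent' for the <clustering> element."""
    root = ET.parse(axis2_xml_path).getroot()
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "clustering":   # tolerate a namespace
            enabled = el.get("enable", "false").strip().lower() == "true"
            return "enabled" if enabled else "disabled"
    return "absent"


def flagged_jars(lib_dir):
    """Names of tribes/juli JARs present in lib_dir (empty list if none)."""
    if not os.path.isdir(lib_dir):
        return []
    return sorted(n for n in os.listdir(lib_dir) if FLAGGED_JAR.match(n))


def assess(webapp_dir):
    """Combine both checks into a verdict a CI job can act on."""
    state = clustering_state(os.path.join(webapp_dir, "WEB-INF", "conf", "axis2.xml"))
    jars = flagged_jars(os.path.join(webapp_dir, "WEB-INF", "lib"))
    if not jars:
        verdict, reason = "clean", "flagged JARs are not on the classpath"
    elif state == "enabled":
        verdict, reason = "exposed", "clustering is enabled and exercises the flagged JARs"
    else:
        verdict, reason = "latent", "clustering is %s but the JARs are still loadable; remove them" % state
    return {"clustering": state, "jars": jars, "verdict": verdict, "reason": reason}


# Constructed sample deployment (no real Axis2 install needed).
SAMPLE_AXIS2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent"
                enable="{enable}">
        <parameter name="AvoidInitiation">true</parameter>
    </clustering>
</axisconfig>
"""


def build_sample_webapp(enable="false", jars=("tribes-6.0.16.jar", "juli-6.0.16.jar")):
    """Create a throwaway WEB-INF layout; JARs are empty placeholder files."""
    root = tempfile.mkdtemp(prefix="axis2-webapp-")
    conf = os.path.join(root, "WEB-INF", "conf")
    lib = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(conf)
    os.makedirs(lib)
    with open(os.path.join(conf, "axis2.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_AXIS2_XML.format(enable=enable))
    for name in jars:
        open(os.path.join(lib, name), "wb").close()
    return root


if __name__ == "__main__":
    # Three constructed deployments: disabled-but-present, enabled, and cleaned up.
    scenarios = (
        ("false", ("tribes-6.0.16.jar", "juli-6.0.16.jar", "example-app-1.0.jar")),
        ("true", ("tribes-6.0.16.jar", "juli-6.0.16.jar")),
        ("false", ("example-app-1.0.jar",)),
    )
    for enable, jar_names in scenarios:
        print(assess(build_sample_webapp(enable, jar_names)))
```

Point `assess()` at the exploded WAR and fail the pipeline on anything other than `clean`: `exposed` means the Tomcat 6 code is actually wired in and needs an upgrade or a switch to `enable="false"`, while `latent` is the situation Martin describes in his question 2, where the classes are not used but are still loadable, which is why the answer is to drop the JARs rather than to suppress the scanner finding.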
Re: Security vulnerabilities in Axis2 dependencies? "tribes" & "juli" JAR files
Hi Andreas

I don't think so - we have a load balancer (Netscaler) in front of the
solution that handles the distribution to the nodes running the application
which uses Axis2. But no clustering/load-balancing that Axis2 is aware of.
Is there a way to determine for sure if it is enabled/disabled?

Assuming we don't use clustering support:

1) Is it safe to remove those JAR files from the classpath if we don't use
   clustering support?
2) Will the files pose a threat if on the classpath even with clustering
   support disabled?

I guess with respect to #2 the safest thing is to omit the JARs altogether
because some vulns can be triggered just by having the code on the classpath
(i.e. deserialization etc.).

BR, Martin

On Mon, Aug 6, 2018 at 2:11 PM, Andreas Veithen wrote:
> These libraries are dependencies of axis2-clustering. Are you using
> the clustering support?
>
> Andreas
>
> On Mon, Aug 6, 2018 at 11:13 AM axis2user82 wrote:
>>
>> Hi
>>
>> Sorry if you are getting this mail twice, but I sent it before having
>> finished subscribing, so I was unsure if it reached the list.
>>
>> We have recently integrated the OWASP Dependency Checker into our CI
>> setup, and it has flagged two libraries as potentially problematic (i.e.
>> affected by serious CVEs), namely tribes-6.0.16.jar & juli-6.0.16.jar.
>> It turns out those are actually dependencies for Axis2. Both JAR files
>> seem to be part of Tomcat 6. Question is, how should we react to this
>> finding? Are the CVEs for those libraries not relevant when used in the
>> context of Axis2, since they haven't been updated (the latest version of
>> Axis2 still ships those versions)?
>>
>> Thanks!
>>
>> BR, Martin
>>
>> ---
>>
>> Dependency         CPE                                               Coordinates                        Highest   CVE    CPE         Evidence
>>                                                                                                         Severity  Count  Confidence  Count
>> tribes-6.0.16.jar  cpe:/a:apache:tomcat:6.0.16                       org.apache.tomcat:tribes:6.0.16 ✓  High      66     Highest     18
>>                    cpe:/a:apache_software_foundation:tomcat:6.0.16
>>                    cpe:/a:apache_tomcat:apache_tomcat:6.0.16
>> juli-6.0.16.jar    cpe:/a:apache:tomcat:6.0.16                       org.apache.tomcat:juli:6.0.16 ✓    High      66     Highest     16
>>                    cpe:/a:apache_software_foundation:tomcat:6.0.16
>>                    cpe:/a:apache_tomcat:apache_tomcat:6.0.16
Re: Security vulnerabilities in Axis2 dependencies? "tribes" & "juli" JAR files
These libraries are dependencies of axis2-clustering. Are you using the
clustering support?

Andreas

On Mon, Aug 6, 2018 at 11:13 AM axis2user82 wrote:
>
> Hi
>
> Sorry if you are getting this mail twice, but I sent it before having
> finished subscribing, so I was unsure if it reached the list.
>
> We have recently integrated the OWASP Dependency Checker into our CI
> setup, and it has flagged two libraries as potentially problematic (i.e.
> affected by serious CVEs), namely tribes-6.0.16.jar & juli-6.0.16.jar. It
> turns out those are actually dependencies for Axis2. Both JAR files seem
> to be part of Tomcat 6. Question is, how should we react to this finding?
> Are the CVEs for those libraries not relevant when used in the context of
> Axis2, since they haven't been updated (the latest version of Axis2 still
> ships those versions)?
>
> Thanks!
>
> BR, Martin
>
> ---
>
> Dependency         CPE                                               Coordinates                        Highest   CVE    CPE         Evidence
>                                                                                                         Severity  Count  Confidence  Count
> tribes-6.0.16.jar  cpe:/a:apache:tomcat:6.0.16                       org.apache.tomcat:tribes:6.0.16 ✓  High      66     Highest     18
>                    cpe:/a:apache_software_foundation:tomcat:6.0.16
>                    cpe:/a:apache_tomcat:apache_tomcat:6.0.16
> juli-6.0.16.jar    cpe:/a:apache:tomcat:6.0.16                       org.apache.tomcat:juli:6.0.16 ✓    High      66     Highest     16
>                    cpe:/a:apache_software_foundation:tomcat:6.0.16
>                    cpe:/a:apache_tomcat:apache_tomcat:6.0.16
Security vulnerabilities in Axis2 dependencies? "tribes" & "juli" JAR files
Hi

Sorry if you are getting this mail twice, but I sent it before having
finished subscribing, so I was unsure if it reached the list.

We have recently integrated the OWASP Dependency Checker into our CI setup,
and it has flagged two libraries as potentially problematic (i.e. affected
by serious CVEs), namely tribes-6.0.16.jar & juli-6.0.16.jar. It turns out
those are actually dependencies for Axis2. Both JAR files seem to be part of
Tomcat 6. Question is, how should we react to this finding? Are the CVEs for
those libraries not relevant when used in the context of Axis2, since they
haven't been updated (the latest version of Axis2 still ships those
versions)?

Thanks!

BR, Martin

---

Dependency         CPE                                               Coordinates                        Highest   CVE    CPE         Evidence
                                                                                                        Severity  Count  Confidence  Count
tribes-6.0.16.jar  cpe:/a:apache:tomcat:6.0.16                       org.apache.tomcat:tribes:6.0.16 ✓  High      66     Highest     18
                   cpe:/a:apache_software_foundation:tomcat:6.0.16
                   cpe:/a:apache_tomcat:apache_tomcat:6.0.16
juli-6.0.16.jar    cpe:/a:apache:tomcat:6.0.16                       org.apache.tomcat:juli:6.0.16 ✓    High      66     Highest     16
                   cpe:/a:apache_software_foundation:tomcat:6.0.16
                   cpe:/a:apache_tomcat:apache_tomcat:6.0.16