Hi Prasad, I've introduced you to the right people at GridGain.

- Denis

On Mon, Feb 3, 2020 at 11:44 PM Prasad Bhalerao <[email protected]> wrote:

> Hi Denis/Alexey,
>
> We have found few more vulnerabilities in Gridgain Web console and due to
> which we can't deploy it in production as it does not comply with FedRAMP
> certification.
>
> Can you please provide us the contact where we can send the detailed
> vulnerability report and help your team to find and fix the bugs?
>
> Due to some issues we cannot just publish this report on user community.
> Can you please advise?
>
>
> Thanks,
> Prasad
>
> On Thu, Dec 12, 2019 at 5:54 PM Alexey Kuznetsov <[email protected]>
> wrote:
>
>> Hi, Prasad
>>
>> Thanks for reporting this issue.
>> Could you describe how I can reproduce these issues locally?
>> What tooling I could use?
>>
>> We need this to check that issues were fixed before next release.
>>
>> Thanks!
>>
>> On Tue, Dec 10, 2019 at 3:10 PM Prasad Bhalerao <
>> [email protected]> wrote:
>>
>>> Hi,
>>>
>>> We found 3 vulnerabilities while scanning Grid Gain Web console
>>> application.
>>>
>>> We are using HTTP and not HTTPS due to some issues on our side. Although
>>> vulnerabilities are of lower severity, but thought of reporting it here.
>>>
>>> 1) HTTP TRACE / TRACK Methods Enabled. (CVE-2004-2320
>>> <https://nvd.nist.gov/vuln/detail/CVE-2004-2320>, CVE-2010-0386
>>> <https://nvd.nist.gov/vuln/detail/CVE-2010-0386>, CVE-2003-1567
>>> <https://nvd.nist.gov/vuln/detail/CVE-2003-1567>)
>>> 2) Session Cookie Does Not Contain the "Secure" Attribute.
>>> 3) Web Server HTTP Trace/Track Method Support Cross-Site Tracing
>>> Vulnerability. (CVE-2004-2320
>>> <https://nvd.nist.gov/vuln/detail/CVE-2004-2320>, CVE-2007-3008
>>> <https://nvd.nist.gov/vuln/detail/CVE-2007-3008>)
>>>
>>> Can these be fixed?
>>>
>>> Thanks,
>>> Prasad
>>>
>>>
>>> On Tue, Dec 10, 2019 at 4:39 PM Denis Magda <[email protected]> wrote:
>>>
>>>> It's free software without limitations. Just download and use it.
>>>>
>>>> -
>>>> Denis
>>>>
>>>>
>>>> On Tue, Dec 10, 2019 at 1:21 PM Prasad Bhalerao <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Can apache ignite users use it for free in their production
>>>>> environments?
>>>>> What license does it fall under?
>>>>>
>>>>> Thanks,
>>>>> Prasad
>>>>>
>>>>> On Fri, Oct 4, 2019 at 5:33 AM Denis Magda <[email protected]> wrote:
>>>>>
>>>>>> Igniters,
>>>>>>
>>>>>> There is good news. GridGain made its distribution of Web Console
>>>>>> completely free. It goes with advanced monitoring and management
>>>>>> dashboard
>>>>>> and other handy screens. More details are here:
>>>>>>
>>>>>> https://www.gridgain.com/resources/blog/gridgain-road-simplicity-new-docs-and-free-tools-apache-ignite
>>>>>>
>>>>>> -
>>>>>> Denis
>>>>>>
>>>>>
>>
>> --
>> Alexey Kuznetsov
>>
>
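
Added example, not part of the thread and not GridGain's code: a Python check that confirms the two kinds of finding listed in the quoted report (TRACE/TRACK honoured, session cookie without "Secure") from raw HTTP responses, the sort of re-test that can be repeated before a release. The responses, host name, cookie names and the X-Probe header are constructed samples and assumptions.

```python
# Added example. All responses, names and the probe header are constructed
# samples; none of this is output from Web Console.

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = [tuple(part.strip() for part in line.split(":", 1))
               for line in header_block.split("\r\n") if ":" in line]
    return int(status_line.split()[1]), headers, body

def trace_enabled(raw_response, probe_token):
    """True if a TRACE/TRACK request was honoured: 200 plus the request echoed."""
    status, headers, body = parse_response(raw_response)
    ctype = next((v for k, v in headers if k.lower() == "content-type"), "")
    echoed = probe_token in body  # our marker header came back in the body
    return status == 200 and (echoed or ctype.lower().startswith("message/http"))

def cookies_missing_secure(raw_response):
    """Names of cookies whose Set-Cookie header has no Secure attribute."""
    _, headers, _ = parse_response(raw_response)
    missing = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        pair, *attrs = value.split(";")
        flags = {a.strip().split("=", 1)[0].lower() for a in attrs}
        if "secure" not in flags:
            missing.append(pair.split("=", 1)[0].strip())
    return missing

PROBE = "probe-7f3a"  # constructed marker, sent as "X-Probe: probe-7f3a"
TRACE_ON = ("HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
            "TRACE / HTTP/1.1\r\nHost: console.example\r\nX-Probe: probe-7f3a\r\n\r\n")
TRACE_OFF = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, POST\r\n\r\n"
LOGIN = ("HTTP/1.1 200 OK\r\n"
         "Set-Cookie: session_id=abc123; Path=/; HttpOnly\r\n"
         "Set-Cookie: theme=dark; Path=/; Secure\r\n\r\n")

if __name__ == "__main__":
    print("TRACE honoured:", trace_enabled(TRACE_ON, PROBE))
    print("TRACE rejected:", not trace_enabled(TRACE_OFF, PROBE))
    print("Cookies missing Secure:", cookies_missing_secure(LOGIN))
```

Browsers send a cookie marked Secure only over HTTPS, so on a plain-HTTP deployment like the one the report mentions, the cookie finding is tied to the transport choice.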
