[jira] [Created] (CASSANDRA-16740) Remediate Cassandra 3.11.10 JAR dependency vulnerability - ch.qos.logback_logback-core

Mon, 14 Jun 2021 07:28:06 -0700 

Daniel Gomez created CASSANDRA-16740:
----------------------------------------

             Summary: Remediate Cassandra 3.11.10 JAR dependency vulnerability 
- ch.qos.logback_logback-core
                 Key: CASSANDRA-16740
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16740
             Project: Cassandra
          Issue Type: Improvement
          Components: Dependencies
            Reporter: Daniel Gomez


A JAR dependency is flagged in Cassandra 3.11.10 as having vulnerabilities that 
have been fixed in newer releases. The following is the Cassandra 3.11.10 
source tree for their JAR dependencies: 
[https://github.com/apache/cassandra/tree/181a4969290f1c756089b2993a638fe403bc1314/lib]
 . 

JAR *org.apache.thrift_libthrift* version *0.9.2* has the following 
vulnerability and is fixed in version *0.9.3-1*. Recommendation is to upgrade 
to version *0.9.3-1* or greater.

 
||id|cvss|desc|link|packageName|packageVersion|severity|status|vecStr|
|CVE-2016-5397|8.8|The Apache Thrift Go client library exposed the potential 
during code generation for command injection due to using an external 
formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 
0.10.0.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5397|org.apache.thrift_libthrift|0.9.2|high|.|CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H|
|CVE-2018-1320|7.5|Apache Thrift Java client library versions 0.5.0 through 
0.11.0 can bypass SASL negotiation isComplete validation in the 
org.apache.thrift.transport.TSaslTransport class. An assert used to determine 
if the SASL handshake had successfully completed could be disabled in 
production settings making the validation 
incomplete.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1320|org.apache.thrift_libthrift|0.9.2|high|.|CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N|
|CVE-2019-0205|7.5|In Apache Thrift all versions up to and including 0.12.0, a 
server or client may run into an endless loop when feed with specific input 
data. Because the issue had already been partially fixed in version 0.11.0, 
depending on the installed version it affects only certain language 
bindings.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0205|org.apache.thrift_libthrift|0.9.2|high|.|CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|

 

A possible fix strategy is to simply update the JAR to their newest version.
 * See [https://mvnrepository.com/artifact/org.apache.thrift/libthrift/0.9.3-1]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to