[
https://issues.apache.org/jira/browse/CASSANDRA-16740?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Gomez updated CASSANDRA-16740:
-------------------------------------
Description:
A JAR dependency is flagged in Cassandra 3.11.10 as having vulnerabilities that
have been fixed in newer releases. The following is the Cassandra 3.11.10
source tree for their JAR dependencies:
[https://github.com/apache/cassandra/tree/181a4969290f1c756089b2993a638fe403bc1314/lib]
.
JAR *ch.qos.logback_logback-core* version *1.1.3* has the following
vulnerability and is fixed in version *1.2.0*. Recommendation is to upgrade to
version *1.2.3* or greater.
||id||cvss||desc||link||packageName||packageVersion||severity||status||vecStr||
|CVE-2017-5929|9.8|QOS.ch Logback before 1.2.0 has a serialization
vulnerability affecting the SocketServer and ServerSocketReceiver
components.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929|ch.qos.logback_logback-core|1.1.3|critical|fixed
in 1.2.0|CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H|
A possible fix strategy is to simply update the JAR to their newest version.
* See [https://mvnrepository.com/artifact/ch.qos.logback/logback-core/1.2.3]
was:
A JAR dependency is flagged in Cassandra 3.11.10 as having vulnerabilities that
have been fixed in newer releases. The following is the Cassandra 3.11.10
source tree for their JAR dependencies:
[https://github.com/apache/cassandra/tree/181a4969290f1c756089b2993a638fe403bc1314/lib]
.
JAR *org.apache.thrift_libthrift* version *0.9.2* has the following
vulnerability and is fixed in version *0.9.3-1*. Recommendation is to upgrade
to version *0.9.3-1* or greater.
||id|cvss|desc|link|packageName|packageVersion|severity|status|vecStr|
|CVE-2016-5397|8.8|The Apache Thrift Go client library exposed the potential
during code generation for command injection due to using an external
formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift
0.10.0.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5397|org.apache.thrift_libthrift|0.9.2|high|.|CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H|
|CVE-2018-1320|7.5|Apache Thrift Java client library versions 0.5.0 through
0.11.0 can bypass SASL negotiation isComplete validation in the
org.apache.thrift.transport.TSaslTransport class. An assert used to determine
if the SASL handshake had successfully completed could be disabled in
production settings making the validation
incomplete.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1320|org.apache.thrift_libthrift|0.9.2|high|.|CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N|
|CVE-2019-0205|7.5|In Apache Thrift all versions up to and including 0.12.0, a
server or client may run into an endless loop when feed with specific input
data. Because the issue had already been partially fixed in version 0.11.0,
depending on the installed version it affects only certain language
bindings.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0205|org.apache.thrift_libthrift|0.9.2|high|.|CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|
A possible fix strategy is to simply update the JAR to their newest version.
* See [https://mvnrepository.com/artifact/org.apache.thrift/libthrift/0.9.3-1]
> Remediate Cassandra 3.11.10 JAR dependency vulnerability -
> ch.qos.logback_logback-core
> --------------------------------------------------------------------------------------
>
> Key: CASSANDRA-16740
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16740
> Project: Cassandra
> Issue Type: Improvement
> Components: Dependencies
> Reporter: Daniel Gomez
> Priority: Normal
>
> A JAR dependency is flagged in Cassandra 3.11.10 as having vulnerabilities
> that have been fixed in newer releases. The following is the Cassandra
> 3.11.10 source tree for their JAR dependencies:
> [https://github.com/apache/cassandra/tree/181a4969290f1c756089b2993a638fe403bc1314/lib]
> .
> JAR *ch.qos.logback_logback-core* version *1.1.3* has the following
> vulnerability and is fixed in version *1.2.0*. Recommendation is to upgrade
> to version *1.2.3* or greater.
>
> ||id||cvss||desc||link||packageName||packageVersion||severity||status||vecStr||
> |CVE-2017-5929|9.8|QOS.ch Logback before 1.2.0 has a serialization
> vulnerability affecting the SocketServer and ServerSocketReceiver
> components.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929|ch.qos.logback_logback-core|1.1.3|critical|fixed
> in 1.2.0|CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H|
> A possible fix strategy is to simply update the JAR to their newest version.
> * See [https://mvnrepository.com/artifact/ch.qos.logback/logback-core/1.2.3]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
