Daniel Gomez created CASSANDRA-16741:
----------------------------------------
Summary: Remediate Cassandra 3.11.10 JAR dependency vulnerability
- com.google.guava_guava
Key: CASSANDRA-16741
URL: https://issues.apache.org/jira/browse/CASSANDRA-16741
Project: Cassandra
Issue Type: Improvement
Components: Dependencies
Reporter: Daniel Gomez
A JAR dependency is flagged in Cassandra 3.11.10 as having vulnerabilities that
have been fixed in newer releases. The following is the Cassandra 3.11.10
source tree for their JAR dependencies:
[https://github.com/apache/cassandra/tree/181a4969290f1c756089b2993a638fe403bc1314/lib]
.
JAR *ch.qos.logback_logback-core* version *1.1.3* has the following
vulnerability and is fixed in version *1.2.0*. Recommendation is to upgrade to
version *1.2.3* or greater.
||id||cvss||desc||link||packageName||packageVersion||severity||status||vecStr||
|CVE-2017-5929|9.8|QOS.ch Logback before 1.2.0 has a serialization
vulnerability affecting the SocketServer and ServerSocketReceiver
components.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929|ch.qos.logback_logback-core|1.1.3|critical|fixed
in 1.2.0|CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H|
A possible fix strategy is to simply update the JAR to their newest version.
* See [https://mvnrepository.com/artifact/ch.qos.logback/logback-core/1.2.3]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
