[
https://issues.apache.org/jira/browse/CASSANDRA-16740?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Gomez updated CASSANDRA-16740:
-------------------------------------
Fix Version/s: 3.11.x
> Remediate Cassandra 3.11.10 JAR dependency vulnerability -
> ch.qos.logback_logback-core
> --------------------------------------------------------------------------------------
>
> Key: CASSANDRA-16740
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16740
> Project: Cassandra
> Issue Type: Improvement
> Components: Dependencies
> Reporter: Daniel Gomez
> Priority: Normal
> Fix For: 3.11.x
>
>
> A JAR dependency is flagged in Cassandra 3.11.10 as having vulnerabilities
> that have been fixed in newer releases. The following is the Cassandra
> 3.11.10 source tree for their JAR dependencies:
> [https://github.com/apache/cassandra/tree/181a4969290f1c756089b2993a638fe403bc1314/lib]
> .
> JAR *ch.qos.logback_logback-core* version *1.1.3* has the following
> vulnerability and is fixed in version *1.2.0*. Recommendation is to upgrade
> to version *1.2.3* or greater.
>
> ||id||cvss||desc||link||packageName||packageVersion||severity||status||vecStr||
> |CVE-2017-5929|9.8|QOS.ch Logback before 1.2.0 has a serialization
> vulnerability affecting the SocketServer and ServerSocketReceiver
> components.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929|ch.qos.logback_logback-core|1.1.3|critical|fixed
> in 1.2.0|CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H|
> A possible fix strategy is to simply update the JAR to their newest version.
> * See [https://mvnrepository.com/artifact/ch.qos.logback/logback-core/1.2.3]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
