[
https://issues.apache.org/jira/browse/QPID-8485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alex Rudyy updated QPID-8485:
-----------------------------
Description:
Security vulnerabilities are reported with the guava version below 28.2-jre.
This package is vulnerable to Information Disclosure. The file permissions on
the file created by com.google.common.io.Files.createTempDir allow an attacker
running a malicious program co-resident on the same machine to steal secrets
stored in this directory. This is because by default on unix-like operating
systems the /temp directory is shared between all users, so if the correct file
permissions aren't set by the directory/file creator, the file becomes readable
by all other users on that system.
[https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415]
The Qpid Broker does not utilize the impacted functionality. Thus, it is not
vulnerable to the reported issue. However, we need to upgrade the guava version
in order to stop being flagged by scanning tools.
was:
Security vulnerabilities are reported with the guava version below 28.2-jre.
This package is vulnerable to Information Disclosure. The file permissions on
the file created by com.google.common.io.Files.createTempDir allow an attacker
running a malicious program co-resident on the same machine to steal secrets
stored in this directory. This is because by default on unix-like operating
systems the /temp directory is shared between all users, so if the correct file
permissions aren't set by the directory/file creator, the file becomes readable
by all other users on that system.
[https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415]
So upgrade the guava version to 30.0-jre.
> Upgrade guava version to latest
> -------------------------------
>
> Key: QPID-8485
> URL: https://issues.apache.org/jira/browse/QPID-8485
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Affects Versions: qpid-java-broker-8.0.2, qpid-java-broker-7.1.10
> Reporter: Dedeepya
> Priority: Minor
> Fix For: qpid-java-broker-8.0.3
>
>
> Security vulnerabilities are reported with the guava version below 28.2-jre.
> This package is vulnerable to Information Disclosure. The file permissions
> on the file created by com.google.common.io.Files.createTempDir allow an
> attacker running a malicious program co-resident on the same machine to
> steal secrets stored in this directory. This is because by default on
> unix-like operating systems the /temp directory is shared between all users,
> so if the correct file permissions aren't set by the directory/file creator,
> the file becomes readable by all other users on that system.
> [https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415]
> The Qpid Broker does not utilize the impacted functionality. Thus, it is not
> vulnerable to the reported issue. However, we need to upgrade the guava
> version in order to stop being flagged by scanning tools.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]