[ https://issues.apache.org/jira/browse/AMBARI-24415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Levas updated AMBARI-24415:
----------------------------------
    Description:
Remove dependencies with CVE issues from Ambari Server
 * org.springframework:spring-beans:jar before 4.3.17.RELEASE
 ** CVE-2018-1270 - https://nvd.nist.gov/vuln/detail/CVE-2018-1270
 ** CVE-2018-1275 - https://nvd.nist.gov/vuln/detail/CVE-2018-1275
 ** CVE-2018-1199 - https://nvd.nist.gov/vuln/detail/CVE-2018-1199
 ** CVE-2018-1271 - https://nvd.nist.gov/vuln/detail/CVE-2018-1271
 ** CVE-2018-1257 - https://nvd.nist.gov/vuln/detail/CVE-2018-1257
{noformat}
[INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
[INFO] \- org.springframework.security:spring-security-core:jar:4.2.4.RELEASE:compile
[INFO] \- org.springframework:spring-beans:jar:4.3.12.RELEASE:compile
{noformat}
 * org.kohsuke:libpam4j:jar before version 1.9
 ** CVE-2017-12197 - https://nvd.nist.gov/vuln/detail/CVE-2017-12197
{noformat}
[INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
[INFO] \- org.kohsuke:libpam4j:jar:1.8:compile
{noformat}
 * org.springframework:spring-context before version 4.3.17.RELEASE
 ** CVE-2018-1257 - https://nvd.nist.gov/vuln/detail/CVE-2018-1257
{noformat}
[INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
[INFO] \- org.springframework:spring-context:jar:4.3.16.RELEASE:compile
{noformat}
 * org.springframework.security:spring-security-ldap:jar before version 4.1.5.RELEASE
 ** CVE-2018-1199 - https://nvd.nist.gov/vuln/detail/CVE-2018-1199
 ** CVE-2016-9879 - https://nvd.nist.gov/vuln/detail/CVE-2016-9879
{noformat}
[INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
[INFO] \- org.springframework.security:spring-security-ldap:jar:4.1.1.RELEASE:compile
{noformat}
 * com.jcraft:jsch:jar before version 1.54
 ** CVE-2016-5725 - https://nvd.nist.gov/vuln/detail/CVE-2016-5725
{noformat}
[INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
[INFO] \- com.jcraft:jsch:jar:0.1.45:compile
{noformat}

  was:
Remove dependencies with CVE issues from Ambari Server
 * org.springframework:spring-beans:jar before 4.3.17.RELEASE
 ** CVE-2018-1270 - https://nvd.nist.gov/vuln/detail/CVE-2018-1270
 ** CVE-2018-1275 - https://nvd.nist.gov/vuln/detail/CVE-2018-1275
 ** CVE-2018-1199 - https://nvd.nist.gov/vuln/detail/CVE-2018-1199
 ** CVE-2018-1271 - https://nvd.nist.gov/vuln/detail/CVE-2018-1271
 ** CVE-2018-1257 - https://nvd.nist.gov/vuln/detail/CVE-2018-1257
{noformat}
[INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
[INFO] \- org.springframework.security:spring-security-core:jar:4.2.4.RELEASE:compile
[INFO] \- org.springframework:spring-beans:jar:4.3.12.RELEASE:compile
{noformat}
 * com.google.guava:guava:jar before version 19.0-gwt28
 ** CVE-2018-10237 - https://nvd.nist.gov/vuln/detail/CVE-2018-10237
{noformat}
[INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
[INFO] \- com.google.guava:guava:jar:18.0:compile
{noformat}
 * org.kohsuke:libpam4j:jar before version 1.9
 ** CVE-2017-12197 - https://nvd.nist.gov/vuln/detail/CVE-2017-12197
{noformat}
[INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
[INFO] \- org.kohsuke:libpam4j:jar:1.8:compile
{noformat}
 * org.springframework:spring-context before version 4.3.17.RELEASE
 ** CVE-2018-1257 - https://nvd.nist.gov/vuln/detail/CVE-2018-1257
{noformat}
[INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
[INFO] \- org.springframework:spring-context:jar:4.3.16.RELEASE:compile
{noformat}
 * org.springframework.security:spring-security-ldap:jar before version 4.1.5.RELEASE
 ** CVE-2018-1199 - https://nvd.nist.gov/vuln/detail/CVE-2018-1199
 ** CVE-2016-9879 - https://nvd.nist.gov/vuln/detail/CVE-2016-9879
{noformat}
[INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
[INFO] \- org.springframework.security:spring-security-ldap:jar:4.1.1.RELEASE:compile
{noformat}
 * com.jcraft:jsch:jar before version 1.54
 ** CVE-2016-5725 - https://nvd.nist.gov/vuln/detail/CVE-2016-5725
{noformat}
[INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
[INFO] \- com.jcraft:jsch:jar:0.1.45:compile
{noformat}

> Remove dependencies with CVE issues from Ambari Server
> ------------------------------------------------------
>
>                 Key: AMBARI-24415
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24415
>             Project: Ambari
>          Issue Type: Task
>          Components: ambari-server
>    Affects Versions: 2.7.1
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>              Labels: cleanup
>             Fix For: 2.7.1
>
>
> Remove dependencies with CVE issues from Ambari Server
>  * org.springframework:spring-beans:jar before 4.3.17.RELEASE
>  ** CVE-2018-1270 - https://nvd.nist.gov/vuln/detail/CVE-2018-1270
>  ** CVE-2018-1275 - https://nvd.nist.gov/vuln/detail/CVE-2018-1275
>  ** CVE-2018-1199 - https://nvd.nist.gov/vuln/detail/CVE-2018-1199
>  ** CVE-2018-1271 - https://nvd.nist.gov/vuln/detail/CVE-2018-1271
>  ** CVE-2018-1257 - https://nvd.nist.gov/vuln/detail/CVE-2018-1257
> {noformat}
> [INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
> [INFO] \- org.springframework.security:spring-security-core:jar:4.2.4.RELEASE:compile
> [INFO] \- org.springframework:spring-beans:jar:4.3.12.RELEASE:compile
> {noformat}
>  * org.kohsuke:libpam4j:jar before version 1.9
>  ** CVE-2017-12197 - https://nvd.nist.gov/vuln/detail/CVE-2017-12197
> {noformat}
> [INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
> [INFO] \- org.kohsuke:libpam4j:jar:1.8:compile
> {noformat}
>  * org.springframework:spring-context before version 4.3.17.RELEASE
>  ** CVE-2018-1257 - https://nvd.nist.gov/vuln/detail/CVE-2018-1257
> {noformat}
> [INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
> [INFO] \- org.springframework:spring-context:jar:4.3.16.RELEASE:compile
> {noformat}
>  * org.springframework.security:spring-security-ldap:jar before version 4.1.5.RELEASE
>  ** CVE-2018-1199 - https://nvd.nist.gov/vuln/detail/CVE-2018-1199
>  ** CVE-2016-9879 - https://nvd.nist.gov/vuln/detail/CVE-2016-9879
> {noformat}
> [INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
> [INFO] \- org.springframework.security:spring-security-ldap:jar:4.1.1.RELEASE:compile
> {noformat}
>  * com.jcraft:jsch:jar before version 1.54
>  ** CVE-2016-5725 - https://nvd.nist.gov/vuln/detail/CVE-2016-5725
> {noformat}
> [INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
> [INFO] \- com.jcraft:jsch:jar:0.1.45:compile
> {noformat}
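
A checker for the "before version X" list in the updated description, run over dependency-tree lines in the format quoted in the issue; this is an added example, not part of the issue or of Ambari's code. The function names, the merged sample tree and its indentation are assumptions, and the thresholds are copied as the issue states them.

```python
import re

# Thresholds copied as written in the issue description ("before version X").
# Check each against its NVD entry before relying on it.
FIXED_IN = {
    "org.springframework:spring-beans": "4.3.17.RELEASE",
    "org.kohsuke:libpam4j": "1.9",
    "org.springframework:spring-context": "4.3.17.RELEASE",
    "org.springframework.security:spring-security-ldap": "4.1.5.RELEASE",
    "com.jcraft:jsch": "1.54",
}

# Constructed sample: the issue's excerpts merged into one tree (indentation assumed).
SAMPLE_TREE = r"""[INFO] org.apache.ambari:ambari-server:jar:2.7.0.0.0
[INFO] +- org.springframework.security:spring-security-core:jar:4.2.4.RELEASE:compile
[INFO] |  \- org.springframework:spring-beans:jar:4.3.12.RELEASE:compile
[INFO] +- org.kohsuke:libpam4j:jar:1.8:compile
[INFO] +- org.springframework:spring-context:jar:4.3.16.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-ldap:jar:4.1.1.RELEASE:compile
[INFO] \- com.jcraft:jsch:jar:0.1.45:compile"""

def version_key(version):
    """Leading numeric components: '4.3.12.RELEASE' -> (4, 3, 12)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def is_before(version, fixed):
    a, b = version_key(version), version_key(fixed)
    width = max(len(a), len(b))  # pad so that 4.3 compares equal to 4.3.0
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def flag_vulnerable(tree_text, fixed_in=FIXED_IN):
    """Return (artifact, version, fixed_in, direct_dependency) per finding."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        rest = line[len("[INFO] "):]
        node = rest.lstrip(" |+\\-")  # drop the tree-drawing prefix
        coords = node.strip().split(":")
        if len(coords) not in (4, 5, 6):  # skip non-tree log lines
            continue
        version = coords[4] if len(coords) == 6 else coords[3]  # 6 = classifier
        ga = f"{coords[0]}:{coords[1]}"
        del stack[(len(rest) - len(node)) // 3:]  # pop back to this node's depth
        stack.append(ga)
        if ga in fixed_in and is_before(version, fixed_in[ga]):
            findings.append((ga, version, fixed_in[ga], stack[min(1, len(stack) - 1)]))
    return findings
```

The fourth field of each finding names the direct dependency that pulls the artifact in, which is where an exclusion or version override has to be applied for transitive cases such as spring-beans.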