[ https://issues.apache.org/jira/browse/OAK-9496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nitin Gupta resolved OAK-9496.
------------------------------
    Fix Version/s: 1.42.0
       Resolution: Fixed

> oak-solr-osgi embeds vulnerable Apache ZooKeeper
> -------------------------------------------------
>
>                 Key: OAK-9496
>                 URL: https://issues.apache.org/jira/browse/OAK-9496
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>            Reporter: Nitin Gupta
>            Assignee: Nitin Gupta
>            Priority: Major
>             Fix For: 1.42.0
>
>
> This artifact embeds Apache ZooKeeper 3.4.6 which contains the following
> vulnerabilities:
> * *CVE-2016-5017* (CVSS 6.8 Medium): Buffer overflow in the C cli shell in
> Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:"
> batch mode syntax, allows attackers to have unspecified impact via a long
> command string.
> * *BDSA-2018-1712 (CVE-2018-8012)* (CVSS 7.5 High): An attacker-controlled
> rogue end point can connect to Apache ZooKeeper without authentication and
> propagate counterfeit changes to the cluster.
> h3. Recommendation
> Apply one of the following suggestions:
> * Remove usage and dependency
> * Upgrade to a vulnerability-free version of the embedded library. If none
> is available, upgrade to a less vulnerable version (lower CVSS Score)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
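The recommendation above leaves open the practical question of how to tell which ZooKeeper a given OSGi bundle actually embeds, and whether that version falls into the affected ranges. The script below is an added example written for this page; it is not Jackrabbit Oak or ZooKeeper code. It opens a bundle jar, finds the Maven pom.properties of any embedded org.apache.zookeeper:zookeeper (both inlined into the bundle root and inside nested jars on the Bundle-ClassPath, which is how maven-bundle-plugin's Embed-Dependency ships dependencies), and judges each version found against the CVE ranges quoted in the issue. The thresholds for CVE-2016-5017 (before 3.4.9, and 3.5.x before 3.5.3) are the ones the issue quotes; the issue gives no range for CVE-2018-8012, so the 3.4.10 / 3.5.4 thresholds in the script are taken from the upstream ZooKeeper advisory and are an assumption of this example to verify, not something OAK-9496 states. The sample bundle it builds is constructed inline and is not the real oak-solr-osgi artifact.

```python
"""Check an OSGi bundle jar for an embedded Apache ZooKeeper and judge the
version against the CVE ranges quoted in OAK-9496.

Added example for this page; not Jackrabbit Oak or ZooKeeper project code.
"""
import io
import re
import zipfile

# Maven metadata that a ZooKeeper jar (or a bundle that inlines it) carries.
ZK_POM_PROPS = re.compile(r"^META-INF/maven/org\.apache\.zookeeper/zookeeper/pom\.properties$")


def parse_version(version):
    """'3.4.6' -> (3, 4, 6); a '-beta'/'-SNAPSHOT' suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def embedded_zookeeper_versions(jar_bytes):
    """Return the set of ZooKeeper versions found in a jar.

    Looks at pom.properties in the jar itself (classes inlined into the bundle)
    and recurses into nested *.jar entries (Bundle-ClassPath style embedding).
    """
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if ZK_POM_PROPS.match(name):
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if m:
                    found.add(m.group(1).strip())
            elif name.endswith(".jar"):
                found |= embedded_zookeeper_versions(zf.read(name))
    return found


def affected_by_cve_2016_5017(version):
    """Ranges as quoted in OAK-9496: before 3.4.9, and 3.5.x before 3.5.3."""
    v = parse_version(version)
    if v[:2] == (3, 5):
        return v < (3, 5, 3)
    return v < (3, 4, 9)


def affected_by_cve_2018_8012(version):
    """OAK-9496 quotes no range for this CVE. The thresholds below (fixed in
    3.4.10 and 3.5.4) come from the upstream ZooKeeper advisory and are an
    ASSUMPTION of this example; verify them against the advisory you rely on."""
    v = parse_version(version)
    if v[:2] == (3, 5):
        return v < (3, 5, 4)
    return v < (3, 4, 10)


def assess_bundle(jar_bytes):
    """Map each embedded ZooKeeper version to the list of CVEs it is affected by."""
    report = {}
    for ver in sorted(embedded_zookeeper_versions(jar_bytes)):
        cves = []
        if affected_by_cve_2016_5017(ver):
            cves.append("CVE-2016-5017")
        if affected_by_cve_2018_8012(ver):
            cves.append("CVE-2018-8012")
        report[ver] = cves
    return report


def build_sample_bundle(zk_version):
    """CONSTRUCTED fixture: a minimal bundle that nests a zookeeper jar the way
    maven-bundle-plugin's Embed-Dependency does. Not a real oak-solr-osgi jar."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
        return buf.getvalue()

    zk_jar = jar({
        "META-INF/maven/org.apache.zookeeper/zookeeper/pom.properties":
            f"groupId=org.apache.zookeeper\nartifactId=zookeeper\nversion={zk_version}\n",
        "org/apache/zookeeper/ZooKeeper.class": b"",
    })
    return jar({
        "META-INF/MANIFEST.MF":
            "Bundle-SymbolicName: example.bundle\nBundle-ClassPath: .,zookeeper.jar\n",
        "zookeeper.jar": zk_jar,
    })


if __name__ == "__main__":
    for v in ("3.4.6", "3.4.9", "3.5.3", "3.5.4"):
        print(v, assess_bundle(build_sample_bundle(v)))
```

To run it against a real artifact, pass the bundle's bytes, e.g. `assess_bundle(open(path, "rb").read())`; an empty result means no ZooKeeper pom.properties was found, which is a reason to inspect the jar by hand (shaded or relocated copies carry no Maven metadata), not a clean bill of health.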