[jira] [Updated] (GEODE-10236) Compatibility issues while upgrading Jgroups to versions 4.0+

2022-04-15 Thread Anthony Baker (Jira)


 [ 
https://issues.apache.org/jira/browse/GEODE-10236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Anthony Baker updated GEODE-10236:
--
Labels:   (was: needsTriage)

> Compatibility issues while upgrading Jgroups to versions 4.0+
> -
>
> Key: GEODE-10236
> URL: https://issues.apache.org/jira/browse/GEODE-10236
> Project: Geode
> Issue Type: Bug
> Affects Versions: 1.14.4
> Reporter: Rohan Jagtap
> Priority: Major
>
> According to a recent CVE: 
> {quote}CVE-2016-2141
> NVD: 2016/06/30 - CVSS v2 Base Score: 7.5 - CVSS v3.1 Base Score: 9.8
> JGroups before 4.0 does not require the proper headers for the ENCRYPT and 
> AUTH protocols from nodes joining the cluster, which allows remote attackers 
> to bypass security restrictions and send and receive messages within the 
> cluster via unspecified vectors.
>  
> {quote}
> Hence we intend to upgrade JGroups to a recommended version.
> However, even the latest version of Apache Geode ([geode-core 
> 1.14.4|https://mvnrepository.com/artifact/org.apache.geode/geode-core/1.14.4])
> uses JGroups 3.6.14, which has the aforementioned vulnerability.
> Overriding the jgroups dependency to anything over 4.0+ gives the following 
> issue on running:
> {{Caused by: org.springframework.beans.factory.BeanCreationException: Error 
> creating bean with name 'gemfireCache': FactoryBean threw exception on object 
> creation; nested exception is java.lang.ExceptionInInitializerError}}
> {{        at 
> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:176)}}
> {{        at 
> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:101)}}
> {{        at 
> org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1828)}}
> {{        at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getObjectForBeanInstance(AbstractAutowireCapableBeanFactory.java:1265)}}
> {{        at 
> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:334)}}
> {{        at 
> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)}}
> {{        at 
> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:330)}}
> {{        ... 32 common frames omitted}}
> {{Caused by: java.lang.ExceptionInInitializerError: null}}
> {{        at 
> org.apache.geode.distributed.internal.membership.gms.Services.(Services.java:155)}}
> {{        at 
> org.apache.geode.distributed.internal.membership.gms.MembershipBuilderImpl.create(MembershipBuilderImpl.java:114)}}
> {{        at 
> org.apache.geode.distributed.internal.DistributionImpl.(DistributionImpl.java:150)}}
> {{        at 
> org.apache.geode.distributed.internal.DistributionImpl.createDistribution(DistributionImpl.java:217)}}
> {{        at 
> org.apache.geode.distributed.internal.ClusterDistributionManager.(ClusterDistributionManager.java:464)}}
> {{        at 
> org.apache.geode.distributed.internal.ClusterDistributionManager.(ClusterDistributionManager.java:497)}}
> {{        at 
> org.apache.geode.distributed.internal.ClusterDistributionManager.create(ClusterDistributionManager.java:326)}}
> {{        at 
> org.apache.geode.distributed.internal.InternalDistributedSystem.initialize(InternalDistributedSystem.java:779)}}
> {{        at 
> org.apache.geode.distributed.internal.InternalDistributedSystem.access$200(InternalDistributedSystem.java:135)}}
> {{        at 
> org.apache.geode.distributed.internal.InternalDistributedSystem$Builder.build(InternalDistributedSystem.java:3036)}}
> {{        at 
> org.apache.geode.distributed.internal.InternalDistributedSystem.connectInternal(InternalDistributedSystem.java:290)}}
> {{        at 
> org.apache.geode.distributed.internal.InternalDistributedSystem.connectInternal(InternalDistributedSystem.java:216)}}
> {{        at 
> org.apache.geode.internal.cache.InternalCacheBuilder.createInternalDistributedSystem(InternalCacheBuilder.java:346)}}
> {{        at java.base/java.util.Optional.orElseGet(Optional.java:369)}}
> {{        at 
> org.apache.geode.internal.cache.InternalCacheBuilder.create(InternalCacheBuilder.java:157)}}
> {{        at 
> org.apache.geode.cache.CacheFactory.create(CacheFactory.java:142)}}
> {{        at 
> org.springframework.data.gemfire.CacheFactoryBean.createCache(CacheFactoryBean.java:472)}}
> {{        at 
> org.springframework.data.gemfire.CacheFactoryBean.resolveCache(CacheFactoryBean.java:326)}}
> {{        at 
> org.springframework.data.gemfire.CacheFactoryBean.init(CacheFactoryBean.java:270)}}
> {{        at java.base/
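
Added example (not part of the Jira issue or Geode's code): a check over `mvn dependency:tree` output that applies the two facts stated in the issue above, the CVE-2016-2141 boundary of JGroups 4.0 and the reported startup failure when geode-core 1.14.4 is paired with a 4.0+ override. The sample trees, including the `.Final` qualifiers and the nesting, are constructed; `audit_jgroups` and the verdict strings are hypothetical names.

```python
import re

# group:artifact:jar:version:scope, as printed by `mvn dependency:tree`
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")

# Constructed sample input (not taken from the issue): default resolution and an override.
SAMPLE_DEFAULT = """\
[INFO] +- org.apache.geode:geode-core:jar:1.14.4:compile
[INFO] |  +- org.jgroups:jgroups:jar:3.6.14.Final:compile
"""
SAMPLE_OVERRIDE = """\
[INFO] +- org.apache.geode:geode-core:jar:1.14.4:compile
[INFO] +- org.jgroups:jgroups:jar:4.0.0.Final:compile
"""

def numeric_prefix(version):
    """'3.6.14.Final' -> (3, 6, 14); stops at the first non-numeric part."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def audit_jgroups(tree_text):
    """Return (jgroups_version, geode_core_version, verdict) for a dependency tree."""
    jgroups = geode = None
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        group, artifact, version, _scope = m.groups()
        if (group, artifact) == ("org.jgroups", "jgroups"):
            jgroups = version
        elif (group, artifact) == ("org.apache.geode", "geode-core"):
            geode = version
    if jgroups is None:
        return (None, geode, "jgroups-not-present")
    parts = numeric_prefix(jgroups)
    if not parts:
        return (jgroups, geode, "unparseable-version")
    if parts[0] < 4:  # the CVE text says "JGroups before 4.0"
        return (jgroups, geode, "affected-by-CVE-2016-2141")
    if geode == "1.14.4":
        # Reported in this issue: the override fails with ExceptionInInitializerError.
        return (jgroups, geode, "override-reported-to-fail-at-startup")
    return (jgroups, geode, "not-affected-by-CVE-2016-2141")
```
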

[jira] [Updated] (GEODE-10236) Compatibility issues while upgrading Jgroups to versions 4.0+

2022-04-14 Thread Alexander Murmann (Jira)


 [ 
https://issues.apache.org/jira/browse/GEODE-10236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Murmann updated GEODE-10236:
--
Labels: needsTriage  (was: )
