[ https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17552149#comment-17552149 ]

Karl Wright edited comment on CONNECTORS-1715 at 6/9/22 11:50 AM:
------------------------------------------------------------------

[~pj.fanning], this is a blanket scan identifying jars with known CVEs.  There 
has been no analysis done whatsoever about whether the specific CVE attack is 
even a possibility in the ManifoldCF environment.  That's a lot of work but I 
will wager after all of that the major problem is that the tool doesn't 
understand the actual usage of ManifoldCF and is thus incapable of giving good 
advice.

Another thing to note is that most of ManifoldCF's dependencies come from Tika. 
We just upgraded a month ago to the latest Tika 1.x version, which required 
massive dependency updates precisely to address CVEs that had been noted.  This 
took me almost three weeks because many of the underlying contracts in the jars 
also had to be updated.  That's a lot of work if a vulnerability cannot in fact 
be exploited at all, just to make a dumb tool happy.

I think it's fine if a careful analysis is done and an ACTUAL vulnerability is 
detected, but we want to not be stupid about this.  Can't afford it.

was (Author: kwri...@metacarta.com):
[~pj.fanning], this is a blanket scan identifying jars with known CVEs.  There 
has been no analysis done whatsoever about whether the specific CVE attack is 
even a possibility in the ManifoldCF environment.  That's a lot of work but I 
will wager after all of that the major problem is that the tool doesn't 
understand the actual usage of ManifoldCF and is thus incapable of giving good 
advice.


> Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
> ---------------------------------------------------------------
>
>                 Key: CONNECTORS-1715
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1715
>             Project: ManifoldCF
>          Issue Type: Bug
>    Affects Versions: ManifoldCF 2.22
>            Reporter: Himanshu
>            Assignee: Karl Wright
>            Priority: Major
>             Fix For: ManifoldCF 2.23
>
>         Attachments: dependency-check-report-Apache Manifold.html
>
>
> 45 vulnerable jars are present in apache-manifoldcf version 2.22.1

--
This message was sent by Atlassian Jira
(v8.20.7#820007)