[jira] [Commented] (CONNECTORS-1715) Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
[ https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552149#comment-17552149 ]

Karl Wright commented on CONNECTORS-1715:
-----------------------------------------

[~pj.fanning], this is a blanket scan identifying jars with known CVEs. There has been no analysis done whatsoever about whether the specific CVE attack is even a possibility in the ManifoldCF environment. That's a lot of work, but I will wager after all of that the major problem is that the tool doesn't understand the actual usage of ManifoldCF and is thus incapable of giving good advice.

> Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
> ---------------------------------------------------------------
>
>                 Key: CONNECTORS-1715
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1715
>             Project: ManifoldCF
>          Issue Type: Bug
>    Affects Versions: ManifoldCF 2.22
>            Reporter: Himanshu
>            Assignee: Karl Wright
>            Priority: Major
>             Fix For: ManifoldCF 2.23
>
>         Attachments: dependency-check-report-Apache Manifold.html
>
>
> 45 vulnerable jars are present in apache-manifoldcf version 2.22.1

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
[jira] [Commented] (CONNECTORS-1715) Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
[ https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552145#comment-17552145 ]

PJ Fanning commented on CONNECTORS-1715:
----------------------------------------

[~himanshu-v] any chance that you could raise separate issues for the jars you are most concerned about and submit PRs with the fixes?
[jira] [Commented] (CONNECTORS-1715) Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
[ https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552059#comment-17552059 ]

Karl Wright commented on CONNECTORS-1715:
-----------------------------------------

Sorry, most of these cannot be upgraded because there is nothing to upgrade to. Example: Axis jars.

A quick look shows that the kinds of attacks listed here are operating modes for the jars in question that would make the attack vector impossible to exploit in ManifoldCF. ManifoldCF indexes data from/to trusted systems, so an attack on ManifoldCF itself from such a setup would have to involve a man-in-the-middle, which can trivially be avoided if you are on either a secure network or use HTTPS for your connections to your repositories. ManifoldCF's UI and API we recommend also be localized to an internal network, but in any case they are what we secure. Database connection security is left as an exercise for the user; it's beyond the scope of the ManifoldCF project.