Rohan Jagtap created GEODE-10236:
------------------------------------

             Summary: Compatibility issues while upgrading JGroups to versions 4.0+
                 Key: GEODE-10236
                 URL: https://issues.apache.org/jira/browse/GEODE-10236
             Project: Geode
          Issue Type: Bug
    Affects Versions: 1.14.4
            Reporter: Rohan Jagtap


According to a recent CVE: 
{quote}CVE-2016-2141

NVD: 2016/06/30 - CVSS v2 Base Score: 7.5 - CVSS v3.1 Base Score: 9.8
JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors.
{quote}
Hence we intend to upgrade JGroups to a recommended version.

However, even the latest version of Apache Geode ([geode-core 1.14.4|https://mvnrepository.com/artifact/org.apache.geode/geode-core/1.14.4]) uses JGroups 3.6.14, which has the aforementioned vulnerability.

Overriding the JGroups dependency to any version 4.0 or later gives the following error at startup:

{noformat}
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'gemfireCache': FactoryBean threw exception on object creation; nested exception is java.lang.ExceptionInInitializerError
        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:176)
        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:101)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1828)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getObjectForBeanInstance(AbstractAutowireCapableBeanFactory.java:1265)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:334)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:330)
        ... 32 common frames omitted
Caused by: java.lang.ExceptionInInitializerError: null
        at org.apache.geode.distributed.internal.membership.gms.Services.<init>(Services.java:155)
        at org.apache.geode.distributed.internal.membership.gms.MembershipBuilderImpl.create(MembershipBuilderImpl.java:114)
        at org.apache.geode.distributed.internal.DistributionImpl.<init>(DistributionImpl.java:150)
        at org.apache.geode.distributed.internal.DistributionImpl.createDistribution(DistributionImpl.java:217)
        at org.apache.geode.distributed.internal.ClusterDistributionManager.<init>(ClusterDistributionManager.java:464)
        at org.apache.geode.distributed.internal.ClusterDistributionManager.<init>(ClusterDistributionManager.java:497)
        at org.apache.geode.distributed.internal.ClusterDistributionManager.create(ClusterDistributionManager.java:326)
        at org.apache.geode.distributed.internal.InternalDistributedSystem.initialize(InternalDistributedSystem.java:779)
        at org.apache.geode.distributed.internal.InternalDistributedSystem.access$200(InternalDistributedSystem.java:135)
        at org.apache.geode.distributed.internal.InternalDistributedSystem$Builder.build(InternalDistributedSystem.java:3036)
        at org.apache.geode.distributed.internal.InternalDistributedSystem.connectInternal(InternalDistributedSystem.java:290)
        at org.apache.geode.distributed.internal.InternalDistributedSystem.connectInternal(InternalDistributedSystem.java:216)
        at org.apache.geode.internal.cache.InternalCacheBuilder.createInternalDistributedSystem(InternalCacheBuilder.java:346)
        at java.base/java.util.Optional.orElseGet(Optional.java:369)
        at org.apache.geode.internal.cache.InternalCacheBuilder.create(InternalCacheBuilder.java:157)
        at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:142)
        at org.springframework.data.gemfire.CacheFactoryBean.createCache(CacheFactoryBean.java:472)
        at org.springframework.data.gemfire.CacheFactoryBean.resolveCache(CacheFactoryBean.java:326)
        at org.springframework.data.gemfire.CacheFactoryBean.init(CacheFactoryBean.java:270)
        at java.base/java.util.Optional.orElseGet(Optional.java:369)
        at org.springframework.data.gemfire.CacheFactoryBean.getObject(CacheFactoryBean.java:802)
        at org.springframework.data.gemfire.CacheFactoryBean.getObject(CacheFactoryBean.java:110)
        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:169)
        ... 38 common frames omitted
Caused by: java.lang.IllegalStateException: JGAddress.create() returned the wrong class: UUID
        at org.jgroups.conf.ClassConfigurator.add(ClassConfigurator.java:101)
        at org.apache.geode.distributed.internal.membership.gms.messenger.JGroupsMessenger.<clinit>(JGroupsMessenger.java:164)
        ... 61 common frames omitted
{noformat}
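As an added example, not part of this report or of Geode's own code, the check below scans the text that `mvn dependency:tree` prints and flags any JGroups artifact below 4.0, the threshold the CVE text above names. It assumes the Maven coordinates org.jgroups:jgroups and uses a constructed sample tree for the geode-core 1.14.4 case described here.

```python
"""Flag JGroups versions in a Maven dependency tree that fall under CVE-2016-2141.
Added example, not code from the GEODE-10236 report or from Geode. It reads what
`mvn dependency:tree` prints and reports every org.jgroups:jgroups artifact below
4.0, the first version the CVE text describes as fixed. The tree is constructed."""
import re
from typing import List, Tuple

# Constructed sample in the shape of `mvn dependency:tree` output for an app that
# depends on geode-core 1.14.4 and, through it, on jgroups 3.6.14.
SAMPLE_TREE = """\
[INFO] com.example:cache-app:jar:1.0.0
[INFO] +- org.apache.geode:geode-core:jar:1.14.4:compile
[INFO] |  +- org.jgroups:jgroups:jar:3.6.14.Final:compile
[INFO] |  \\- org.apache.geode:geode-membership:jar:1.14.4:compile
[INFO] \\- org.springframework.data:spring-data-geode:jar:2.6.4:compile
"""

# groupId:artifactId:packaging[:classifier]:version[:scope]
COORD_RE = re.compile(
    r"(?P<g>[\w.-]+):(?P<a>[\w.-]+):[\w-]+(?::[\w.-]+)?:(?P<v>\d[\w.-]*)")
FIXED_IN = (4, 0)  # JGroups 4.0, per the CVE description

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix, padded to two parts: '3.6.14.Final' -> (3, 6, 14)."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break  # stop at qualifiers such as 'Final'
        parts.append(int(piece))
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts)

def find_jgroups(tree_text: str) -> List[str]:
    """Every org.jgroups:jgroups version that appears anywhere in the tree."""
    found = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if m and (m.group("g"), m.group("a")) == ("org.jgroups", "jgroups"):
            found.append(m.group("v"))
    return found

def vulnerable_versions(tree_text: str) -> List[str]:
    """Versions below 4.0, i.e. inside the range CVE-2016-2141 describes."""
    return [v for v in find_jgroups(tree_text) if version_key(v) < FIXED_IN]

if __name__ == "__main__":
    print("CVE-2016-2141 exposure:", vulnerable_versions(SAMPLE_TREE) or "none")
```

Pipe a real `mvn dependency:tree` run into `vulnerable_versions` to fail a build while the transitive 3.6.14 dependency is still present.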