Nitin Gupta created OAK-9496:
--------------------------------

             Summary: oak-solr-osgi embeds vulnerable Apache ZooKeeper
                 Key: OAK-9496
                 URL: https://issues.apache.org/jira/browse/OAK-9496
             Project: Jackrabbit Oak
          Issue Type: Bug
            Reporter: Nitin Gupta


This artifact embeds Apache ZooKeeper 3.4.6, which contains the following 
vulnerabilities:
 * *CVE-2016-5017* (CVSS 6.8 Medium): Buffer overflow in the C cli shell in 
Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" 
batch mode syntax, allows attackers to have unspecified impact via a long 
command string.
 * *BDSA-2018-1712 (CVE-2018-8012)* (CVSS 7.5 High): An attacker controlled 
rogue end point can connect to Apache ZooKeeper without authentication and 
propagate counterfeit changes to the cluster.

h3. Recommendation

Apply one of the following suggestions:
 * Remove usage and dependency
 * Upgrade to a vulnerability-free version of the embedded library. If none is 
available, upgrade to a less vulnerable version (lower CVSS score)
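One way to confirm which ZooKeeper version a bundle actually embeds, both before and after applying the upgrade, is to inspect the jar (and any nested jars on its Bundle-ClassPath) for the Maven pom.properties that ZooKeeper ships. This is an added example, not Oak or ZooKeeper project code; it assumes the standard Maven `META-INF/maven/<groupId>/<artifactId>/pom.properties` layout and uses the affected ranges stated for CVE-2016-5017 above (before 3.4.9, and 3.5.x before 3.5.3). The sample bundle it builds is constructed in memory, not the real oak-solr-osgi artifact.

```python
"""Report embedded Apache ZooKeeper versions in an OSGi bundle / fat jar and
flag those inside the CVE-2016-5017 affected range quoted on the ticket."""
import io
import re
import zipfile

# Maven writes one pom.properties per packaged artifact; the ZooKeeper
# coordinates (org.apache.zookeeper:zookeeper) are assumed for this check.
POM_PROPS = re.compile(r"META-INF/maven/org\.apache\.zookeeper/zookeeper/pom\.properties$")


def is_vulnerable(version: str) -> bool:
    """True if version falls in the CVE-2016-5017 range from the ticket."""
    parts = tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if parts[:2] == (3, 5):
        return parts < (3, 5, 3)   # 3.5.x before 3.5.3
    return parts < (3, 4, 9)       # everything else before 3.4.9


def embedded_zookeeper_versions(jar_bytes: bytes) -> list:
    """Collect ZooKeeper versions from the jar, recursing into nested jars."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if POM_PROPS.search(name):
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if m:
                    found.append(m.group(1).strip())
            elif name.endswith(".jar"):  # Bundle-ClassPath style embedded jar
                found.extend(embedded_zookeeper_versions(zf.read(name)))
    return found


def build_sample_bundle(zk_version: str) -> bytes:
    """Constructed sample bundle embedding zookeeper-<ver>.jar (hypothetical)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zj:
        zj.writestr("META-INF/maven/org.apache.zookeeper/zookeeper/pom.properties",
                    f"version={zk_version}\ngroupId=org.apache.zookeeper\n"
                    "artifactId=zookeeper\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zb:
        zb.writestr("META-INF/MANIFEST.MF", "Bundle-ClassPath: .,zookeeper.jar\n")
        zb.writestr(f"zookeeper-{zk_version}.jar", inner.getvalue())
    return outer.getvalue()


def audit(jar_bytes: bytes) -> dict:
    """Map each embedded ZooKeeper version to whether it is in the affected range."""
    return {v: is_vulnerable(v) for v in embedded_zookeeper_versions(jar_bytes)}


if __name__ == "__main__":
    print(audit(build_sample_bundle("3.4.6")))  # → {'3.4.6': True}
```

Point `audit` at the bytes of a real bundle (for example `open("oak-solr-osgi.jar", "rb").read()`) to check a build; an empty result means no Maven-packaged ZooKeeper was found, not that none is embedded.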



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
