Hi Denis/Alexey,

We have found a few more vulnerabilities in GridGain Web Console, due to
which we can't deploy it in production as it does not comply with FedRAMP
certification.

Can you please provide us with a contact to whom we can send the detailed
vulnerability report and help your team find and fix the bugs?

Due to some issues we cannot just publish this report on the user community
list. Can you please advise?


Thanks,
Prasad

On Thu, Dec 12, 2019 at 5:54 PM Alexey Kuznetsov <akuznet...@apache.org>
wrote:

> Hi Prasad,
>
> Thanks for reporting this issue.
> Could you describe how I can reproduce these issues locally?
> What tooling could I use?
>
> We need this to check that the issues were fixed before the next release.
>
> Thanks!
>
> On Tue, Dec 10, 2019 at 3:10 PM Prasad Bhalerao <
> prasadbhalerao1...@gmail.com> wrote:
>
>> Hi,
>>
>> We found 3 vulnerabilities while scanning the GridGain Web Console
>> application.
>>
>> We are using HTTP and not HTTPS due to some issues on our side. Although
>> the vulnerabilities are of lower severity, we thought of reporting them here.
>>
>> 1) HTTP TRACE / TRACK Methods Enabled. (CVE-2004-2320
>> <https://nvd.nist.gov/vuln/detail/CVE-2004-2320>, CVE-2010-0386
>> <https://nvd.nist.gov/vuln/detail/CVE-2010-0386>, CVE-2003-1567
>> <https://nvd.nist.gov/vuln/detail/CVE-2003-1567>)
>> 2) Session Cookie Does Not Contain the "Secure" Attribute.
>> 3) Web Server HTTP Trace/Track Method Support Cross-Site Tracing
>> Vulnerability. (CVE-2004-2320
>> <https://nvd.nist.gov/vuln/detail/CVE-2004-2320>, CVE-2007-3008
>> <https://nvd.nist.gov/vuln/detail/CVE-2007-3008>)
>>
>> Can these be fixed?
>>
>> Thanks,
>> Prasad
>>
>>
>> On Tue, Dec 10, 2019 at 4:39 PM Denis Magda <dma...@apache.org> wrote:
>>
>>> It's free software without limitations. Just download and use it.
>>>
>>> -
>>> Denis
>>>
>>>
>>> On Tue, Dec 10, 2019 at 1:21 PM Prasad Bhalerao <
>>> prasadbhalerao1...@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Can Apache Ignite users use it for free in their production
>>>> environments?
>>>> What license does it fall under?
>>>>
>>>> Thanks,
>>>> Prasad
>>>>
>>>> On Fri, Oct 4, 2019 at 5:33 AM Denis Magda <dma...@apache.org> wrote:
>>>>
>>>>> Igniters,
>>>>>
>>>>> There is good news. GridGain made its distribution of Web Console
>>>>> completely free. It goes with advanced monitoring and management
>>>>> dashboards and other handy screens. More details are here:
>>>>>
>>>>> https://www.gridgain.com/resources/blog/gridgain-road-simplicity-new-docs-and-free-tools-apache-ignite
>>>>>
>>>>> -
>>>>> Denis
>>>>>
>>>>
>
> --
> Alexey Kuznetsov
>
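Alexey asked above how the findings could be reproduced locally. The following is an added example, not code from the thread or from GridGain, of a small Python check for the two distinct issues reported: TRACE/TRACK answering with 200 (findings 1 and 3) and a session cookie set without the Secure attribute (finding 2). The function names, the cookie name and the sample responses are constructed assumptions.

```python
"""Local check for the findings in the thread: HTTP TRACE/TRACK enabled and a
session cookie without the Secure attribute. Names and samples are assumptions."""
import http.client

REJECTED = {405, 501}  # usual statuses when a server has TRACE/TRACK disabled

def check_trace_status(method: str, status: int) -> dict:
    """A 200 to TRACE/TRACK means the server echoes the request (cross-site tracing)."""
    return {"method": method, "status": status, "enabled": status == 200,
            "rejected": status in REJECTED}

def audit_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie value and report which protective attributes it carries."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {"name": name, "secure": "secure" in attrs,
            "httponly": "httponly" in attrs, "samesite": "samesite" in attrs}

def describe(findings: list) -> list:
    """Turn raw results into the one-line findings a report would list."""
    lines = []
    for f in findings:
        if "method" in f and f["enabled"]:
            lines.append(f"{f['method']} enabled (HTTP {f['status']}): disable it in the server config")
        elif "name" in f and not f["secure"]:
            lines.append(f"cookie {f['name']} lacks Secure: browsers will send it over plain HTTP")
    return lines

def probe_host(host: str, port: int = 80, path: str = "/") -> list:
    """Send TRACE and TRACK to a deployment you administer and collect the findings."""
    findings = []
    for method in ("TRACE", "TRACK"):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path)
        resp = conn.getresponse()
        findings.append(check_trace_status(method, resp.status))
        for value in resp.msg.get_all("Set-Cookie") or []:  # every cookie the server sets
            findings.append(audit_set_cookie(value))
        conn.close()
    return findings

# Constructed sample responses (not captured from a real Web Console instance).
SAMPLE_COOKIE = "SESSIONID=abc123; Path=/; HttpOnly"
HARDENED_COOKIE = "SESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"

if __name__ == "__main__":
    sample = [check_trace_status("TRACE", 200), audit_set_cookie(SAMPLE_COOKIE)]
    print("\n".join(describe(sample)))
```

Disabling TRACE is a server configuration change; the cookie finding can only be remediated together with the move to HTTPS mentioned in the thread, since a browser never sends a Secure cookie over plain HTTP.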