Hey Colm,

I know. We're also using OWASP and there are no complaints. The customer is using the quite widely spread Nexus Vulnerability scanner. (You can download that one, start it locally and let it analyze files, and you'll get the report via mail.)

For ehCache 2.10.6 it complains about:

CVE-2018-14721 [maven] net.sf.ehcache : ehcache : 2.10.6
CVE-2018-14718 [maven] net.sf.ehcache : ehcache : 2.10.6
CVE-2018-14719 [maven] net.sf.ehcache : ehcache : 2.10.6
CVE-2018-14720 [maven] net.sf.ehcache : ehcache : 2.10.6
SONATYPE-2017-0312 [maven] net.sf.ehcache : ehcache : 2.10.6
CVE-2019-10241 [maven] net.sf.ehcache : ehcache : 2.10.6
CVE-2019-10246 [maven] net.sf.ehcache : ehcache : 2.10.6
CVE-2019-10247 [maven] net.sf.ehcache : ehcache : 2.10.6

Most are about jackson databinding in jetty. So I'm really not completely sure what to do. Any way to get around this?

Christoph

On Fri, 8 Nov 2019 at 16:02, Colm O hEigeartaigh <[email protected]> wrote:

> Hi,
>
> What are the known vulnerabilities in ehcache 2.10.6? The Owasp maven
> dependency checker isn't detecting any issues.
>
> There is a JIRA for the next WSS4J release to migrate to EhCache 3, once we
> pick this up then we can update CXF as well -
> https://issues.apache.org/jira/browse/WSS-632
>
> Colm.
>
> On Fri, Nov 8, 2019 at 12:24 PM Christoph Weser
> <[email protected]> wrote:
>
> > Hello,
> >
> > as this is my first question please forgive me if this is the wrong list
> > for my question. Any hint towards the right one is appreciated.
> >
> > We're using Apache 3.1.4 (Yes, I know it's quite old.).
> > Deploying that, the package also contains ehCache 2.10.4.
> >
> > The customer is now complaining about several vulnerabilities found in
> > ehCache 2.10.4.
> > As I looked at the newest release of Apache CXF I saw that also in that
> > one ehCache 2.10.6 is used, which still has several known vulnerabilities,
> > and so not even going to the newest release would solve these issues.
> >
> > As we're using WS security it seems that this reference is needed.
> >
> > So does anyone see a way of getting around that?
> >
> > Thanks a lot,
> > Chris
> >
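The thread turns on whether findings reported against the `net.sf.ehcache:ehcache` coordinates are really about Jackson databind and Jetty code shipped inside that jar. One triage step a practitioner can take before accepting or disputing such a report is to look inside the artifact and count the classes belonging to the flagged libraries. The script below is an added example for that step; it is not code from the thread, from Apache CXF or from Ehcache. The `WATCHED_PREFIXES` table uses the real Java package prefixes of Jackson databind and Jetty, but the jar it inspects is a constructed sample built in memory (including the made-up `private-classpath/` directory), not a real Ehcache release, so it makes no claim about what any specific version actually bundles. The same function works for any list of package prefixes, not only the two named here.

```python
"""Triage helper: which flagged third-party packages does a jar actually embed?

Added example for the mailing-list thread above; not code from CXF or Ehcache.
Scanners match on Maven coordinates, so a finding against one artifact may
really concern classes shaded into it. Counting those classes tells you whether
the finding applies to the jar you ship or is a coordinate-only match.
"""
import io
import zipfile
from collections import Counter

# Real Java package prefixes of the libraries named in the thread.
# Which of them a given jar embeds is exactly what this script checks.
WATCHED_PREFIXES = {
    "jackson-databind": "com/fasterxml/jackson/databind/",
    "jetty": "org/eclipse/jetty/",
}


def embedded_packages(jar_bytes: bytes, prefixes=WATCHED_PREFIXES) -> dict:
    """Return {label: class_count} for each watched prefix found in the jar.

    Only .class entries are counted, so a stray resource file under a
    matching directory does not produce a false hit.
    """
    counts = Counter()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            for label, prefix in prefixes.items():
                # Shaded code may sit at the jar root or under a nested
                # private classpath directory, so match anywhere in the path.
                if prefix in name:
                    counts[label] += 1
    return dict(counts)


def build_sample_jar(entries) -> bytes:
    """Build an in-memory jar (a zip) with the given entry names.

    Constructed test data only: every entry is an empty placeholder.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


# Constructed sample jar; the "private-classpath/" directory name is made up.
SAMPLE_JAR = build_sample_jar([
    "net/sf/ehcache/Cache.class",
    "net/sf/ehcache/CacheManager.class",
    "private-classpath/com/fasterxml/jackson/databind/ObjectMapper.class",
    "private-classpath/org/eclipse/jetty/server/Server.class",
    "private-classpath/org/eclipse/jetty/server/Request.class",
    "org/eclipse/jetty/README.txt",  # resource, not a class: must not count
])


def triage_report(jar_bytes: bytes) -> str:
    """One-line summary suitable for attaching to a scanner finding."""
    found = embedded_packages(jar_bytes)
    if not found:
        return "no watched packages embedded; finding is a coordinate-only match"
    parts = ", ".join(f"{k}={v} classes" for k, v in sorted(found.items()))
    return f"embedded: {parts}; findings for these libraries apply to this jar"


if __name__ == "__main__":
    print(triage_report(SAMPLE_JAR))
```

To run it against a real artifact, read the jar from disk (`open(path, "rb").read()`) and pass the bytes to `triage_report`; a non-empty count is the evidence to attach to the finding, and an empty one is the evidence for disputing it.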
