I'm not sure why the scanner is associating Jackson CVEs with EhCache? In any case, the latest CXF release (3.3.4) uses Jackson 2.9.10.

Colm.

On Mon, Nov 11, 2019 at 7:19 AM Christoph Weser <[email protected]> wrote:

> Hey Colm,
>
> I know. We're also using OWASP and there are no complaints.
> Customer is using the quite widely spread Nexus Vulnerability scanner.
> (You can download that one, start it locally and let it analyze files, and you'll get the report via mail.)
>
> For ehCache 2.10.6 it complains about:
>
> CVE-2018-14721
> [maven] net.sf.ehcache : ehcache : 2.10.6
>
> CVE-2018-14718
> [maven] net.sf.ehcache : ehcache : 2.10.6
>
> CVE-2018-14719
> [maven] net.sf.ehcache : ehcache : 2.10.6
>
> CVE-2018-14720
> [maven] net.sf.ehcache : ehcache : 2.10.6
>
> SONATYPE-2017-0312
> [maven] net.sf.ehcache : ehcache : 2.10.6
>
> CVE-2019-10241
> [maven] net.sf.ehcache : ehcache : 2.10.6
>
> CVE-2019-10246
> [maven] net.sf.ehcache : ehcache : 2.10.6
>
> CVE-2019-10247
> [maven] net.sf.ehcache : ehcache : 2.10.6
>
> Most are about Jackson databinding in Jetty.
> So I'm really not completely sure what to do.
>
> Any way to get around this?
>
> Christoph
>
> On Fri, 8 Nov 2019 at 16:02, Colm O hEigeartaigh <[email protected]> wrote:
>
>> Hi,
>>
>> What are the known vulnerabilities in ehcache 2.10.6? The OWASP maven dependency checker isn't detecting any issues.
>>
>> There is a JIRA for the next WSS4J release to migrate to EhCache 3; once we pick this up then we can update CXF as well - https://issues.apache.org/jira/browse/WSS-632
>>
>> Colm.
>>
>> On Fri, Nov 8, 2019 at 12:24 PM Christoph Weser <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> As this is my first question, please forgive me if this is the wrong list for my question. Any hint towards the right one is appreciated.
>>>
>>> We're using Apache 3.1.4 (Yes, I know it's quite old.).
>>> Deploying that, the package also contains ehCache 2.10.4.
>>>
>>> Customer is now complaining about several vulnerabilities found in ehCache 2.10.4.
>>> As I looked at the newest release of Apache CXF I saw that also in that one ehCache 2.10.6 is used, which still has several known vulnerabilities, and so not even going to the newest release would solve these issues.
>>>
>>> As we're using WS security it seems that this reference is needed.
>>>
>>> So does anyone see a way of getting around that?
>>>
>>> Thanks a lot,
>>> Chris
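Added example, not from the thread and not CXF or ehcache project code: a check a practitioner can run on the actual artifact to decide whether a scanner's attribution of Jackson or Jetty CVEs to the ehcache jar rests on copies of those libraries' classes bundled inside the archive. The sample jar and its nested directory name are constructed here; point the function at the real jar's bytes to get a verdict for your build.

```python
import io
import zipfile
from collections import Counter

# Package prefixes matching the findings in the thread: Jackson databind
# CVEs and Jetty CVEs reported against net.sf.ehcache:ehcache.
WATCHED_PREFIXES = {
    "jackson": "com/fasterxml/jackson/",
    "jetty": "org/eclipse/jetty/",
}


def embedded_third_party_classes(jar_bytes):
    """Count .class entries under each watched package prefix, wherever
    they sit in the archive (top level or a nested classpath directory).
    A count above zero means the jar ships its own copy of that library,
    so a scanner tagging the jar with that library's CVEs is not a
    mistaken mapping; zero for both means the finding needs another
    explanation."""
    counts = Counter()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            for name, prefix in WATCHED_PREFIXES.items():
                if prefix in entry:
                    counts[name] += 1
    return {name: counts.get(name, 0) for name in WATCHED_PREFIXES}


def build_sample_jar(entries):
    """Constructed sample archive (not a real ehcache release): the given
    entry names with empty bodies, enough for the path check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")
    return buf.getvalue()


# Constructed layout: ehcache's own classes plus a nested private
# classpath directory carrying relocated Jackson and Jetty classes.
SAMPLE_JAR = build_sample_jar([
    "META-INF/MANIFEST.MF",
    "net/sf/ehcache/Cache.class",
    "private-classpath/com/fasterxml/jackson/databind/ObjectMapper.class",
    "private-classpath/org/eclipse/jetty/server/Server.class",
])

if __name__ == "__main__":
    print(embedded_third_party_classes(SAMPLE_JAR))
```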
