- Bug
- Resolution: Done
- Medium
- PoC
- None
- None
OpenDaylight Yangtools 6.0.1 has the following transitive dependencies:
- guava 29.0-jre (47/CAX1054600)
- j2objc 1.3 (2/CTX1020693)
- triemap 1.2.0 (3/CTX1027108)
A VA scan found CVE-2020-8908 in guava; a version upgrade is required.
Hint: ODL Yangtools 7.0.14 seems to have an updated version of guava that is free from the mentioned CVE.
Notes
- Consider upgrading to latest (release) version of Yangtools
- If Yangtools cannot easily be upgraded we can ask for an 'exemption'
- Check for direct use of Guava, e.g. in NCM Stubs?!
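
For the last note, one way to tell a module that declares Guava in its own POM from one that only inherits it through Yangtools is to walk `mvn dependency:tree` output. This is an added example, not part of the ticket: the tree text, the `com.example` module names and the `find_artifact` helper are constructed for illustration, and the flagged version is the one the scan reported above.

```python
import re

# Constructed `mvn dependency:tree` output for two hypothetical modules.
SAMPLE_TREE = r"""
[INFO] com.example:ncm-app:jar:1.0.0
[INFO] +- org.opendaylight.yangtools:yang-common:jar:6.0.1:compile
[INFO] |  +- com.google.guava:guava:jar:29.0-jre:compile
[INFO] |  |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  \- tech.pantheon.triemap:triemap:jar:1.2.0:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] com.example:ncm-stubs:jar:1.0.0
[INFO] \- com.google.guava:guava:jar:29.0-jre:test
"""

# "[INFO] " + zero or more 3-character tree-drawing groups + the coordinate.
LINE = re.compile(r"^\[INFO\] ((?:[+\\| ][- ] )*)(\S+)$")

def find_artifact(tree_text, group_artifact="com.google.guava:guava",
                  flagged_version="29.0-jre"):
    """Return every occurrence of group_artifact with its dependency path."""
    findings, path = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m or m.group(2).count(":") < 3:
            continue  # banner, separator or other non-tree line
        depth, coord = len(m.group(1)) // 3, m.group(2)
        del path[depth:]          # drop siblings and deeper nodes
        path.append(coord)
        parts = coord.split(":")
        # group:artifact:type[:classifier]:version[:scope]
        version = parts[4] if len(parts) == 6 else parts[3]
        if ":".join(parts[:2]) == group_artifact:
            findings.append({
                "module": path[0],
                "version": version,
                "scope": parts[-1] if len(parts) >= 5 else None,
                "direct": depth == 1,       # declared in the module's own POM
                "via": path[1:-1],          # intermediate dependencies, if any
                "flagged": version == flagged_version,
            })
    return findings

if __name__ == "__main__":
    for f in find_artifact(SAMPLE_TREE):
        kind = "direct" if f["direct"] else "transitive via " + " > ".join(f["via"])
        mark = "FLAGGED" if f["flagged"] else "ok"
        print(f"{f['module']}: guava {f['version']} ({kind}) [{mark}]")
```

A direct hit means upgrading Yangtools alone will not remove the flagged version from that module; its own declaration has to change as well.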