- Type: Task
- Resolution: Done
- Priority: Medium
- Fix Version: Dublin Release
- None
- Sprints: DCAE R4 Sprint 4, DCAE R4 Sprint 5, DCAE R4 Sprint 6
The following vulnerability was identified by the CLM scan; upgrade to the version given in the last column.

Component: dcaegen2/collector/hv-ves
Dependency: com.google.guava : guava : 19.0
Finding: Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class [...]. The application is vulnerable by using this component if it uses Java deserialization or GWT-RPC to deserialize untrusted data.
Remediation: Upgrade to 23.6.1-jre

Note on the target version: 23.6.1 sits below the "before 24.1.1" bound quoted in the finding, but it is the Guava 23.x release that carries the same fix (CVE-2018-10237) backported, so it clears the scan. The root cause is that the affected classes' deserialization paths allocate storage sized by an attacker-controlled length field before validating it; the upgrade removes the eager allocation. Independently of the library version, hv-ves should not be handing untrusted bytes to Java serialization or GWT-RPC at all; if the scanner's "vulnerable if" condition does not hold, the upgrade is still required to close the finding, but the practical exposure is lower.
Sub-tasks:
1. | Remove Guava 19 dependency via protobuf-java-util | Closed | dudini1 |
2. | Try to remove jackson dependency (via ratpack) or replace Ratpack with NettyHttp | Closed | izabelazawadzka |
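The remediation above and sub-task 1 together amount to a Maven dependency fix: Guava 19.0 reaches hv-ves transitively through protobuf-java-util, so the transitive copy has to be cut out, the required version declared explicitly, and a build-time check added so a later bump of protobuf-java-util cannot quietly reintroduce a vulnerable Guava. The pom.xml fragment below is an added example, not the hv-ves project's own pom.xml; the protobuf-java-util and maven-enforcer-plugin versions are assumptions and the module's own coordinates are omitted. Before and after applying it, `mvn dependency:tree -Dincludes=com.google.guava:guava` shows every path through which Guava is resolved, which is the check that the scan finding is actually gone rather than merely shadowed.

```xml
<!-- Added example (not hv-ves' own pom.xml). Strips the transitive Guava 19
     that protobuf-java-util brings in, declares the version the CLM scan
     asked for, and fails the build if any dependency path resolves to a
     Guava older than 23.6.1. Plugin and protobuf-java-util versions below
     are assumptions; modelVersion/groupId/artifactId/version of the
     module are omitted. -->
<project>

  <dependencies>
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java-util</artifactId>
      <version>3.6.1</version> <!-- assumed; use the project's actual version -->
      <exclusions>
        <!-- protobuf-java-util declares Guava itself; exclude it so the
             version resolved for this module is only the one declared here. -->
        <exclusion>
          <groupId>com.google.guava</groupId>
          <artifactId>guava</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- protobuf-java-util still needs Guava at runtime, so declare the
         remediated version directly. Nearest-wins resolution also makes this
         the version used by any other transitive consumer. -->
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>23.6.1-jre</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0-M2</version> <!-- assumed -->
        <executions>
          <execution>
            <id>ban-vulnerable-guava</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- searchTransitive defaults to true, so a Guava below
                       23.6.1 arriving through any path fails the build.
                       Maven orders the "jre" qualifier after the bare
                       23.6.1 release, so 23.6.1-jre is outside this range
                       and passes. -->
                  <excludes>
                    <exclude>com.google.guava:guava:[,23.6.1)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

</project>
```

In a multi-module build the same pin is better placed in a parent `<dependencyManagement>` block so every module inherits it; the enforcer rule is what turns the CLM finding from a periodic scan result into a build failure the moment a regression appears.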