- Task
- Resolution: Done
- High
- Policy Beijing 2 - 01-24, Policy Beijing 3 - 2-13
The following security issues have been identified by Nexus IQ Server (tool used by LF) on 2017-12-23. See the attached report - RED Security issues.
1. sonatype-2015-0002 https://issues.apache.org/jira/browse/COLLECTIONS-580 - pulled in as a dependency of another dependency's dependency: xacml > velocity > collections. Version 3.2.1 is present; need to upgrade to 3.2.2 or 4.1.
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525 - com.eclipsesource.jaxrs : jersey-all : 2.18 pulls in a jackson-databind before 2.6.7.1, 2.7.9.1 and 2.8.9. Difficult to tell if com.eclipsesource.jaxrs has upgraded to use jackson-databind 2.9.x. This is a result of the msb-java-sdk client being pulled in. Awaiting response from HuabingZhao as to whether he will fix it.
3. sonatype-2017-0312 - possible false positive, as Red Hat claims jackson-databind was fixed in 2.9.x. These are a result of pulling in drools-pdp, so we will have to see if it can be fixed there.
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957 - com.thoughtworks.xstream. Pulled in by drools-pdp, will have to fix there.
5. sonatype-2017-0359 - upgrade httpclient via https://issues.apache.org/jira/browse/HTTPCLIENT-1803 to 4.5.3
6. sonatype-2016-0398 org.codehaus.plexus : plexus-utils : 3.0.20 -> upgrade to Plexus Utils 3.0.24 or later. These are a result of pulling in drools-pdp, so we will have to see if it can be fixed there.
The only dependency drools-applications pulls in directly is httpclient. The other jar files are pulled in through a dependency of a dependency, and so on.
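As an added example (not from this ticket or the project's own code), a check that runs over `mvn dependency:tree` output and flags jars below the fixed versions listed in the findings above, reporting the chain of artifacts that pulls each one in; the sample tree and the org.example coordinates are constructed, not the real build's.

```python
import re

# Minimum fixed versions from the findings above: (minor_line, first_fixed); None = any line.
MINIMUM_FIXED = {
    ("commons-collections", "commons-collections"): [(None, "3.2.2")],
    ("org.apache.httpcomponents", "httpclient"): [(None, "4.5.3")],
    ("org.codehaus.plexus", "plexus-utils"): [(None, "3.0.24")],
    ("com.fasterxml.jackson.core", "jackson-databind"): [
        ((2, 6), "2.6.7.1"), ((2, 7), "2.7.9.1"), ((2, 8), "2.8.9")],
}
# "[INFO] |  \- group:artifact:jar:version:scope"; group 1 (tree prefix) width gives depth.
TREE_LINE = re.compile(r"^(?:\[INFO\] )?([ |+\\-]*)([\w.-]+):([\w.-]+):jar:([\w.-]+)")

def parse_version(text):
    """'2.6.7.1' -> (2, 6, 7, 1); qualifiers such as -SNAPSHOT count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", text))

def is_vulnerable(coords, version):
    rules = MINIMUM_FIXED.get(coords, [])
    v = parse_version(version)
    for minor_line, fixed in rules:
        if minor_line is None or v[:2] == minor_line:
            return v < parse_version(fixed)
    # Unknown artifact, or an unlisted minor line newer than every fix (2.9.x): not flagged.
    return bool(rules) and v < min(parse_version(f) for _, f in rules)

def find_vulnerable(tree_output):
    """Return (path, version) per flagged jar; path is the artifactId chain from the
    module down, so the direct dependency that drags the jar in is visible."""
    findings, stack = [], []            # stack: artifactId at each depth
    for line in tree_output.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        prefix, group, artifact, version = m.groups()
        depth = len(prefix) // 3        # Maven indents each level by 3 columns
        stack[depth:] = [artifact]
        if is_vulnerable((group, artifact), version):
            findings.append((" > ".join(stack), version))
    return findings

# Constructed `mvn dependency:tree` output; org.example coordinates are placeholders.
SAMPLE_TREE = r"""[INFO] org.example:demo:jar:1.0.0
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] +- org.example:xacml:jar:1.0.0:compile
[INFO] |  \- org.apache.velocity:velocity:jar:1.7:compile
[INFO] |     \- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] \- org.example:msb-java-sdk:jar:1.0.0:compile
[INFO]    \- com.eclipsesource.jaxrs:jersey-all:jar:2.18:compile
[INFO]       \- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8:compile"""
```

Running `find_vulnerable(SAMPLE_TREE)` on the constructed tree reports the three chains (httpclient directly, commons-collections via xacml > velocity, jackson-databind via msb-java-sdk > jersey-all).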
| # | Summary | Status | Assignee |
|---|---|---|---|
| 1 | Upgrade httpclient to 4.5.3 or above | Closed | pdragosh |
| 2 | Upgrade MSB client when MSB team finishes their security issues | Closed | pdragosh |
| 3 | Upgrade to xacml 1.0.1 when available | Closed | pdragosh |