Posted to oak-issues@jackrabbit.apache.org by "Nitin Gupta (Jira)" <ji...@apache.org> on 2021/07/16 07:06:00 UTC

[jira] [Commented] (OAK-9496) oak-solr-osgi embeds vulnerable Apache ZooKeeper

    [ https://issues.apache.org/jira/browse/OAK-9496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17381840#comment-17381840 ] 

Nitin Gupta commented on OAK-9496:
----------------------------------

Apache ZooKeeper 3.4.6 matches the dependency definition [0]. The dependency is defined as "runtime" and is embedded in the final artifact as per [1].

While CVE-2016-5017 is out of scope (C CLI shell), CVE-2018-8012 applies to the ZooKeeper Java application.

[0] [https://github.com/apache/jackrabbit-oak/blob/c6ddcc55bee3de915459af01e91edad32d538f3d/oak-solr-osgi/pom.xml#L160-L165]
[1] [https://github.com/apache/jackrabbit-oak/blob/c6ddcc55bee3de915459af01e91edad32d538f3d/oak-solr-osgi/pom.xml#L75]
As per [https://nvd.nist.gov/vuln/detail/CVE-2018-8012], 3.4.10 fixes the vulnerability.

> oak-solr-osgi embeds vulnerable Apache ZooKeeper
> -------------------------------------------------
>
>                 Key: OAK-9496
>                 URL: https://issues.apache.org/jira/browse/OAK-9496
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>            Reporter: Nitin Gupta
>            Assignee: Nitin Gupta
>            Priority: Major
>
> This artifact embeds Apache ZooKeeper 3.4.6 which contains the following vulnerabilities:
>  * *CVE-2016-5017* (CVSS 6.8 Medium): Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.
>  * *BDSA-2018-1712 (CVE-2018-8012)* (CVSS 7.5 High): An attacker controlled rogue end point can connect to Apache ZooKeeper without authentication and propagate counterfeit changes to the cluster.
> h3. Recommendation
> Apply one of the following suggestions:
>  * Remove usage and dependency
>  * Upgrade to a vulnerability free version of the embedded library. If none is available, upgrade to a less vulnerable version (lower CVSS Score)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
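The comment above establishes that the ZooKeeper dependency is not merely declared but embedded into the built oak-solr-osgi bundle, so a fix has to be verified on the shipped artifact, not only in the pom. The script below is an added illustration and is not part of the Jira thread or of the Oak project's own code: it opens a bundle jar, lists every embedded zookeeper-*.jar, reads the manifest's Bundle-ClassPath to show where the embedding is declared, and flags 3.4.x versions older than 3.4.10, the fix version the NVD entry names. The 3.4.10 threshold comes from the comment; other release lines are deliberately not judged. The bundle it builds is a constructed sample that mimics the described embedding, and its manifest header values are assumptions.

```python
"""Detect an embedded Apache ZooKeeper jar inside an OSGi bundle and check it
against the CVE-2018-8012 fix version (3.4.10, per the NVD entry cited in the
Jira comment). Added example, not code from the Jackrabbit Oak project."""
import io
import re
import zipfile

# Matches zookeeper-<version>[-qualifier].jar anywhere in the bundle.
EMBEDDED_JAR = re.compile(r"(?:^|/)zookeeper-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")

# First 3.4.x release with the CVE-2018-8012 fix, as stated in the comment.
CVE_2018_8012_FIXED_3_4 = (3, 4, 10)


def parse_version(text):
    """'3.4.6' -> (3, 4, 6) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def embedded_classpath(jar_bytes):
    """Return the Bundle-ClassPath entries declared in META-INF/MANIFEST.MF.
    Handles manifest line continuation (a line starting with one space)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as bundle:
        manifest = bundle.read("META-INF/MANIFEST.MF").decode("utf-8")
    unfolded = manifest.replace("\n ", "")
    for line in unfolded.splitlines():
        if line.startswith("Bundle-ClassPath:"):
            return [e.strip() for e in line.split(":", 1)[1].split(",")]
    return []


def find_embedded_zookeeper(jar_bytes):
    """Return [(entry_name, version_tuple)] for every zookeeper-*.jar in the bundle."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as bundle:
        for name in bundle.namelist():
            match = EMBEDDED_JAR.search(name)
            if match:
                found.append((name, parse_version(match.group(1))))
    return found


def is_vulnerable_to_cve_2018_8012(version):
    """True for a 3.4.x ZooKeeper older than 3.4.10, False for 3.4.10 and later.
    Release lines other than 3.4 are not evaluated here and return None."""
    if version[:2] != (3, 4):
        return None
    return version < CVE_2018_8012_FIXED_3_4


def assess_bundle(jar_bytes):
    """Map each embedded ZooKeeper jar to its version string and verdict."""
    report = {}
    for name, version in find_embedded_zookeeper(jar_bytes):
        report[name] = {
            "version": ".".join(str(p) for p in version),
            "vulnerable": is_vulnerable_to_cve_2018_8012(version),
        }
    return report


def build_sample_bundle(zk_version):
    """Constructed sample bundle: an OSGi-style jar whose Bundle-ClassPath embeds
    a ZooKeeper jar, mimicking what the runtime-scope embedding in the Oak pom
    produces. Symbolic name and other header values are assumptions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as bundle:
        bundle.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\n"
            "Bundle-SymbolicName: org.apache.jackrabbit.oak-solr-osgi\n"
            f"Bundle-ClassPath: .,zookeeper-{zk_version}.jar\n",
        )
        # The embedded jar is represented by an empty zip (end-of-central-directory only).
        bundle.writestr(f"zookeeper-{zk_version}.jar", b"PK\x05\x06" + b"\x00" * 18)
    return buf.getvalue()


if __name__ == "__main__":
    for version in ("3.4.6", "3.4.10"):
        sample = build_sample_bundle(version)
        print(version, embedded_classpath(sample), assess_bundle(sample))
```

Run it against a real bundle by replacing the constructed sample with the bytes of the built jar; a `vulnerable: True` entry means the bundle still ships the affected ZooKeeper regardless of what the pom on the branch says.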