Posted to user@ignite.apache.org by Prasad Bhalerao <pr...@gmail.com> on 2020/02/04 07:44:19 UTC

Re: GridGain Web Console is available free of charge for Apache Ignite

Hi Denis/Alexey,

We have found a few more vulnerabilities in GridGain Web Console, due to
which we can't deploy it in production as it does not comply with FedRAMP
certification.

Can you please provide us the contact where we can send the detailed
vulnerability report and help your team to find and fix the bugs?

Due to some issues we cannot just publish this report on the user community.
Can you please advise?


Thanks,
Prasad

On Thu, Dec 12, 2019 at 5:54 PM Alexey Kuznetsov <ak...@apache.org>
wrote:

> Hi, Prasad
>
> Thanks for reporting this issue.
> Could you describe how I can reproduce these issues locally?
> What tooling could I use?
>
> We need this to check that issues were fixed before the next release.
>
> Thanks!
>
> On Tue, Dec 10, 2019 at 3:10 PM Prasad Bhalerao <
> prasadbhalerao1983@gmail.com> wrote:
>
>> Hi,
>>
>> We found 3 vulnerabilities while scanning the GridGain Web Console
>> application.
>>
>> We are using HTTP and not HTTPS due to some issues on our side. Although the
>> vulnerabilities are of lower severity, we thought of reporting them here.
>>
>> 1) HTTP TRACE / TRACK Methods Enabled. (CVE-2004-2320
>> <https://nvd.nist.gov/vuln/detail/CVE-2004-2320>, CVE-2010-0386
>> <https://nvd.nist.gov/vuln/detail/CVE-2010-0386>, CVE-2003-1567
>> <https://nvd.nist.gov/vuln/detail/CVE-2003-1567>)
>> 2) Session Cookie Does Not Contain the "Secure" Attribute.
>> 3) Web Server HTTP Trace/Track Method Support Cross-Site Tracing
>> Vulnerability. (CVE-2004-2320
>> <https://nvd.nist.gov/vuln/detail/CVE-2004-2320>, CVE-2007-3008
>> <https://nvd.nist.gov/vuln/detail/CVE-2007-3008>)
>>
>> Can these be fixed?
>>
>> Thanks,
>> Prasad
>>
>>
>> On Tue, Dec 10, 2019 at 4:39 PM Denis Magda <dm...@apache.org> wrote:
>>
>>> It's free software without limitations. Just download and use it.
>>>
>>> -
>>> Denis
>>>
>>>
>>> On Tue, Dec 10, 2019 at 1:21 PM Prasad Bhalerao <
>>> prasadbhalerao1983@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Can Apache Ignite users use it for free in their production
>>>> environments?
>>>> What license does it fall under?
>>>>
>>>> Thanks,
>>>> Prasad
>>>>
>>>> On Fri, Oct 4, 2019 at 5:33 AM Denis Magda <dm...@apache.org> wrote:
>>>>
>>>>> Igniters,
>>>>>
>>>>> There is good news. GridGain made its distribution of Web Console
>>>>> completely free. It goes with advanced monitoring and management
>>>>> dashboard and other handy screens. More details are here:
>>>>>
>>>>> https://www.gridgain.com/resources/blog/gridgain-road-simplicity-new-docs-and-free-tools-apache-ignite
>>>>>
>>>>> -
>>>>> Denis
>>>>>
>>>>
>
> --
> Alexey Kuznetsov
>

Re: GridGain Web Console is available free of charge for Apache Ignite

Posted by Denis Magda <dm...@apache.org>.
Hi Prasad,

I've introduced you to the right people at GridGain.

-
Denis


On Mon, Feb 3, 2020 at 11:44 PM Prasad Bhalerao <
prasadbhalerao1983@gmail.com> wrote:

> Hi Denis/Alexey,
>
> We have found a few more vulnerabilities in GridGain Web Console, due to
> which we can't deploy it in production as it does not comply with FedRAMP
> certification.
>
> Can you please provide us the contact where we can send the detailed
> vulnerability report and help your team to find and fix the bugs?
>
> Due to some issues we cannot just publish this report on the user community.
> Can you please advise?
>
>
> Thanks,
> Prasad
>
> On Thu, Dec 12, 2019 at 5:54 PM Alexey Kuznetsov <ak...@apache.org>
> wrote:
>
>> Hi, Prasad
>>
>> Thanks for reporting this issue.
>> Could you describe how I can reproduce these issues locally?
>> What tooling could I use?
>>
>> We need this to check that issues were fixed before the next release.
>>
>> Thanks!
>>
>> On Tue, Dec 10, 2019 at 3:10 PM Prasad Bhalerao <
>> prasadbhalerao1983@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> We found 3 vulnerabilities while scanning the GridGain Web Console
>>> application.
>>>
>>> We are using HTTP and not HTTPS due to some issues on our side. Although the
>>> vulnerabilities are of lower severity, we thought of reporting them here.
>>>
>>> 1) HTTP TRACE / TRACK Methods Enabled. (CVE-2004-2320
>>> <https://nvd.nist.gov/vuln/detail/CVE-2004-2320>, CVE-2010-0386
>>> <https://nvd.nist.gov/vuln/detail/CVE-2010-0386>, CVE-2003-1567
>>> <https://nvd.nist.gov/vuln/detail/CVE-2003-1567>)
>>> 2) Session Cookie Does Not Contain the "Secure" Attribute.
>>> 3) Web Server HTTP Trace/Track Method Support Cross-Site Tracing
>>> Vulnerability. (CVE-2004-2320
>>> <https://nvd.nist.gov/vuln/detail/CVE-2004-2320>, CVE-2007-3008
>>> <https://nvd.nist.gov/vuln/detail/CVE-2007-3008>)
>>>
>>> Can these be fixed?
>>>
>>> Thanks,
>>> Prasad
>>>
>>>
>>> On Tue, Dec 10, 2019 at 4:39 PM Denis Magda <dm...@apache.org> wrote:
>>>
>>>> It's free software without limitations. Just download and use it.
>>>>
>>>> -
>>>> Denis
>>>>
>>>>
>>>> On Tue, Dec 10, 2019 at 1:21 PM Prasad Bhalerao <
>>>> prasadbhalerao1983@gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Can Apache Ignite users use it for free in their production
>>>>> environments?
>>>>> What license does it fall under?
>>>>>
>>>>> Thanks,
>>>>> Prasad
>>>>>
>>>>> On Fri, Oct 4, 2019 at 5:33 AM Denis Magda <dm...@apache.org> wrote:
>>>>>
>>>>>> Igniters,
>>>>>>
>>>>>> There is good news. GridGain made its distribution of Web Console
>>>>>> completely free. It goes with advanced monitoring and management
>>>>>> dashboard and other handy screens. More details are here:
>>>>>>
>>>>>> https://www.gridgain.com/resources/blog/gridgain-road-simplicity-new-docs-and-free-tools-apache-ignite
>>>>>>
>>>>>> -
>>>>>> Denis
>>>>>>
>>>>>
>>
>> --
>> Alexey Kuznetsov
>>
>
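
The TRACE/TRACK and missing-"Secure" findings listed in the thread can be re-checked against saved HTTP responses, which gives a repeatable pre-release check of the kind asked for above. This is an added example, not part of the original messages and not GridGain's code; the host name, cookie names, probe header and sample responses are all constructed.

```python
# Added example: offline checks for two findings named in the thread.
# All responses below are constructed samples, not captured from Web Console.

SESSION_HINTS = ("sess", "sid")  # assumption: substrings marking a session cookie

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body

def trace_enabled(raw, marker):
    """TRACE/TRACK is live when the reply is 2xx and echoes the probe header back."""
    status, _, body = parse_response(raw)
    return 200 <= status < 300 and marker in body

def cookies_missing_secure(raw):
    """Names of session-like cookies set without the Secure attribute."""
    _, headers, _ = parse_response(raw)
    missing = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if any(h in cookie.lower() for h in SESSION_HINTS) and "secure" not in attrs:
            missing.append(cookie)
    return missing

MARKER = "X-Probe: 7f3a"  # hypothetical header a tester adds to the TRACE request
TRACE_ON = ("HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
            "TRACE / HTTP/1.1\r\nHost: console.example\r\n" + MARKER + "\r\n")
TRACE_OFF = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, POST\r\n\r\n"
LOGIN_BEFORE = ("HTTP/1.1 200 OK\r\n"
                "Set-Cookie: connect.sid=abc123; Path=/; HttpOnly\r\n"
                "Set-Cookie: theme=dark; Path=/\r\n\r\n")
LOGIN_AFTER = LOGIN_BEFORE.replace("HttpOnly", "HttpOnly; Secure")

if __name__ == "__main__":
    print("TRACE enabled:", trace_enabled(TRACE_ON, MARKER), trace_enabled(TRACE_OFF, MARKER))
    print("Missing Secure:", cookies_missing_secure(LOGIN_BEFORE), cookies_missing_secure(LOGIN_AFTER))
```

A cookie marked Secure is only sent over HTTPS, so the cookie fix presupposes the console is served over TLS rather than the plain HTTP setup mentioned in the report.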