Posted to dev@ignite.apache.org by "Stephen Darlington (Jira)" <ji...@apache.org> on 2020/09/21 10:19:00 UTC

[jira] [Created] (IGNITE-13464) Ignite-rest-http includes vulnerable dependencies

Stephen Darlington created IGNITE-13464:
-------------------------------------------

             Summary: Ignite-rest-http includes vulnerable dependencies
                 Key: IGNITE-13464
                 URL: https://issues.apache.org/jira/browse/IGNITE-13464
             Project: Ignite
          Issue Type: Bug
          Components: rest
    Affects Versions: 2.8.1, 2.9
            Reporter: Stephen Darlington


The ignite-rest-http module includes a [vulnerable version|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] of the log4j library. It also appears to include slf4j. Why does the REST API include its own logging libraries?

This was spotted in 2.8.1 but still appears to be an issue in master and 2.9.

More here:

http://apache-ignite-users.70518.x6.nabble.com/critical-security-vulnerability-for-opt-ignite-apache-ignite-libs-optional-ignite-rest-http-log4j-1-r-td34031.html



--
This message was sent by Atlassian Jira
(v8.3.4#803005)